
How secure is this website? What prevents a phishing site from pretending to be an opt-out site?



Hey there,

Maker of the site here! Our servers don't touch any of this data, it goes straight to Very Good Security and lives in a PCI compliant vault ... We ourselves are building a new kind of bank so we take security very seriously and are not phishing.

Happy to talk through in more detail but the FAQs do a pretty good job of that too!


With a better understanding of how VGS works I really just fall back to my weakest link in the chain questions:

Does Lob hold any PCI level certifications? It appears they hold HIPAA but I see no mention of PCI?

Does Lob provide any interface that shows sent mail and the content (it appears they do)? If so and they don't hold any PCI certifications what benefit do we really have with ever getting a VGS token?

What stops you from scraping this data from Lob's API?

---

Original comment below.

I'm confused on how this data lands at Lob with an account number if you never get it.

Correct me if I'm wrong but the letter you send includes the account number and not the VGS token?

All of my following questions assume an affirmative answer.

How is the account number landed in Lob? It appears something must be calling the Lob API with an unencrypted account number? What is making that call?

Does Lob hold any PCI level certifications? It appears they hold HIPAA but I see no mention of PCI?

Does Lob provide any interface that shows sent mail and the content? If so and they don't hold any PCI certifications what benefit do we really have with ever getting a VGS token?


So how do you send the mail if you never get the data?


As they mentioned, check out the FAQ where it outlines that process under the aptly named "How does this site work?" and they also offer a template for you to mail yourself if you prefer.


We cannot send it if we do not get the data - the user would have to fill out the template and mail it themselves in that case


FYI - there is some duplicated content under the "How does this site work?" heading.


Thanks for catching that! Fix should be pushed now!



