1. Can the header fields be stripped in the HTTP requests?
    • We can switch on transparent mode for you. In this mode, VGS-request-id and x-forwarded- headers will be excluded from the requests you make.
  2. How quickly do new or updated vault rules take effect?
    • Edits to the rules require several minutes to take effect.
  3. Can regular expressions be used for Pathinfo?
    • Yes, you can use regular expressions for Pathinfo field. If you use regex, please ensure that you use matches option from the drop-down menu.
  4. How does Host matching work compared to Rule Condition and Transformer Config matching?
    • If the request doesn’t match any defined Host, the proxy will respond with Invalid Proxy Configuration exception. If Host matches but PathInfo or other Rule Conditions does not match and/or Transformer Config doesn’t have matching payload parts, the requests will be passed as is without any modifications or errors reported.
  5. Do I require the name of a card or can I just pass cc number, exp. date and security code?
    • You can redact whatever you need, we support all kinds of message formats like JSON, payment form, XML, HTML, PDF.


  1. We are working on integration with a third party service that will reach through the VGS forward proxy. This service can only accept connections from a predefined list of whitelisted IP addresses. Can you provide us with the range of proxy IP addresses to whitelist?
    • The following IP addresses can be used for both sandboxes and live environments -,,
  2. Do you have an API to push all rules at once?
    • We do not have a public API for this purpose.
  3. Can we use our own vault?
    • Yes, this is an enterprise feature. Contact our sales team to discuss this.
  4. Do we have to send all of our traffic through the Proxy?
    • No, you can segment traffic by assigning a custom CNAME such as vault.company.com and then only sending secure traffic to it.
  5. What is the cost of a single SSL certificate?
    • $19.99
  6. Are the wildcard certificates supported, in the current release?
    • Wildcard certificates are currently not supported. Cost per CNAME record equals to $19.99. Support for wildcard certificates may become available in the upcoming feature releases.
  7. How do we configure our client library using Selenium web driver to work with VGS Forward Proxy?
  8. How do we use POSTMAN instead of curl to tokenize data? (how to specify proxy -x)


  1. What are UUID and FPE 6_T_4 Token Generator values?
    • These are different token formats. UUID is the default format that can be used for any kind of data. With UUID, tokens will look like tok_live_fgiC3Jx2abPUOPETFMvXuT. This format helps to quickly distinguish tokens from regular data and to distinguish production tokens from those used in sandboxes.FPE 6_T_4 is the format-preserving format for card numbers. With this format, the token will look like a card number and will be a valid card number with the same first 6 and the last 4 digits. This can be useful when tokens need to be valid card numbers (e.g. to pass validation). In cases when you don’t have such requirements, you would prefer default UUID token format.
  2. What are Persistent and Volatile Token Manager values?
    • The Token Manager value controls how tokens are persisted.With the default, Persistent mode tokens will be stored on the database infinitely, just as you may expect.With Volatile mode tokens will be stored only for 30 minutes - that is the default value and can be configured. It is useful when you cannot keep some information in your system due to compliance but still need to use it for a series of requests. One example would be getting the PIN from a client and using it as a request to third-party service.One important note is that you can reveal tokens only with rules of the same persistent mode they were created with. E.g. if you have the rule to redact PIN value with Volatile storage, a revealing rule with Volatile storage will work for that token but Persistent won’t and vice versa.
  3. Do values always resolve to the same redaction token (e.g. will 123 always be the same token)?
    • Provided the fingerprinting feature is turned on, the values always resolve to the same redaction token. Fingerprinting can be turned on or off. The fingerprinting is enabled, by default.
  4. What is the typical message flow?
    • Here you can see our common flow common flow
  5. How many IP addresses are we now using via IP anonymization?
    • We have approximately 2,000 ip addresses available.
  6. I am getting following response: Invalid Proxy Configuration. How do I fix this?.
    • This occurs when the request doesn’t match any defined Host, the proxy responds with Invalid Proxy Configuration exception.
  7. Can the tokens be removed from the expired cards?
    • Yes, tokens can be removed upon request.
  8. What protective measure have been put in place against the possibility of a DDoS attack?
    • Typical measures include WAF, powered by AWS, and DDoS mitigation at the Layer 3.


  1. Which compliance certifications does VGS have?
    • PCI DSS Level 1, See the Visa PCI service Provider List here.

Public IP addresses for forward proxy


  1. What to do if a customer loses their MFA and gets locked out of their account:
    • The customer contacts support;
    • The support team resets their MFA;
    • Next time the customer logs in, they are shown the set-up QR code.
  2. What to do if MFA password is constantly incorrect
    • Sync time on your mobile phone