How Stackchat keeps Personally Identifiable Information private on Facebook Messenger
For risk-averse industries such as finance and insurance, there is an inherent tension between meeting customers on their preferred platforms and maintaining the integrity of Personally Identifiable Information (PII). For many users throughout the world, Facebook Messenger is the premier platform for connecting with users, but the risk of PII being shared and therefore persisted through Facebook servers raises red flags with legal, security and IT teams. At the same time, creating a functional user experience on Messenger that precludes the transmission of PII is simply not possible.
How can we use Facebook Messenger while maintaining strong security?
The question then becomes, how can we meet users where they are while still providing robust user protection? It requires a two-pronged approach that both minimizes the threat of users entering PII on insecure channels and provides a secure portal to provide that data when it is necessary to enable functionality.
Minimize the risk of PII transmission
The first step is to proactively signal to your users that the transmission of PII should never be done through the chat experience. In clear and precise but unalarming language, remind your users that such data should not be sent through the bot. We can't completely stop users from sending their credit card, passport or ID numbers, but we can mitigate risk through timely and specific messaging.
In the image below, you can see a initial message sent by the Logitech Support Bot that meets these criteria.
A chatbot with a warning about submitting PII
Establish a secure channel for user data
To tackle the second part of the equation, the Stackchat PII Capture API is the answer for collecting the data you need while only allowing user input on a secure platform that you control.
Here's how it works:
When the user comes to a point in the flow where the collection of PII becomes necessary for the furtherance of the conversation, the PII Capture API creates a button tied to the specific bot and user IDs with a time-sensitive authentication token.
The user can then tap or click the button, which will open a webview pointing to a PII-compliant black box on your own web server secured behind HTTPS/SSL.
The user inputs the required data into the secure form which is transmitted directly to your web servers, bypassing Facebook's entirely.
The PII Capture API identifies the bot and user using the authentication token to provide the PII necessary for the rendering of the desired service, limiting communication to Stackchat's secure private or hybrid cloud and your servers.
The conversation resumes in Facebook Messenger.
You can see a visual representation of this flow below.
The Stackchat Secure PII API flow
While the chart above specifically describes how the API works through a PII-compliant black box on an Adobe Experience Manager installation, it will also work with the web server of your choosing.
With the Secure PII API, you don't have to choose between information security and establishing a presence on the most popular platforms.