Passing Credit Card Number into LP

Messaging

Updated: Feb 29, 2024

Project Summary

This Document outlines the project scope related to the Citi - PCI Compliance issue with sending CCN (Credit Card Number) project.

Business Requirements

Today, Citi passes the full credit card number (CCN) via an authenticated token as part of the JWT, and it gets displayed on the Customer Info widget. However, Citi can no longer send and display the CC number in this way due to PCI compliance regulations.

Nevertheless, agents still need to access this information by copying and pasting it into Eclipse, UCD, and Olympus. Implementing a secure form requesting an account number for all of these chats is not feasible.

High-Level Requirements

Find a way to show the CCN to the agent without disrupting PCI compliance on the account.

Option #1 - Decryption with Citi API

Citi to create a symmetric key (Secret key) or asymmetric keys pair (RSA private/public keys).
Citi to use a symmetric key or asymmetric public key to encrypt CCN in JWT.
Citi to expose API endpoint for CCN decryption:
- API endpoint should be accessible externally;
- API endpoint should accept encrypted version of CCM and respond with decrypted;
- API endpoint should implement authentication.
Create a FaaS function of type “Conversational Command” with similar functionality:

javascript:

const { Toolbelt, ConversationContentTypes, LpServices } = require("lp-faas-toolbelt");
const lpClient = Toolbelt.LpClient();
const httpClient = Toolbelt.httpClient();
const accountId = process.env.BRAND_ID;

async function lambda(input, callback) {
    try {
        const { conversationId } = input.payload;
        const record = await getMessageHistory(conversationId);
        if(record && record.sdes && record.sdes.events) {
            console.info(JSON.stringify(record.sdes.events));
            const customerInfo = record.sdes.events.find((sde) => sde.sdeType === 'CUSTOMER_INFO');
            if(customerInfo) {
                const encryptedCCN = customerInfo.customerInfo.customerInfo.accountName;
                const decryptedCCN = decryptStringFromEndpoint(encryptedCCN);
                console.info("DECRYPTED_CCN: " + decryptedCCN);
                callback(null, decryptedCCN);
            } else {
                callback(null, "No SDEs found");
            }
        } else {
            callback(null, "No record found");
        }
    } catch(e) {
        callback(e, null);
    }

}

async function getMessageHistory(convId) {
  try {
    const messagingHistory = await lpClient(LpServices.MSG_HIST, `/messaging_history/api/account/${accountId}/conversations/conversation/search?v=2`, {
      method: "POST",
      json: true,
      body: {
        conversationId: convId,
        contentToRetrieve: [ConversationContentTypes.SDES],
        cappingConfiguration: "CustomerInfoEvent:1:desc,PersonalInfoEvent:1:desc,CustomerInfoEventEnriched:1:desc,PersonalInfoEventEnriched:1:desc,ConversationSummaryEvent:1:desc,CartStatusEvent:1:desc,ServiceActivityEvent:1:desc,MarketingCampaignInfoEvent:1:desc,PurchaseEvent:1:desc,ViewedProductEvent:1:desc,VisitorErrorEvent:1:desc,LeadEvent:1:desc,SearchContentEvent:1:desc"
      },
    });

    if (!messagingHistory || !messagingHistory.conversationHistoryRecords || !messagingHistory.conversationHistoryRecords[0]) {
      console.info(convId, "Conversation not exist");
      return null;
    }
    return messagingHistory.conversationHistoryRecords[0];
  } catch (err) {
    throw err;
  }
}

const decryptStringFromEndpoint = function(toDecrypt) {
    const request = {
      url: process.env.DECRYPTION_URL,
      method: "POST"
    };

    const data = {
      toDecrypt
    }

    let response = await httpClient(request.url, {
      method: request.method,
      headers: {
        "Content-Type": "application/json",
        "Authorization": "..."
      },
      body: JSON.stringify(data),
      simple: false,
      resolveWithFullResponse: true
    });

    switch (response.statusCode) {
      case 200, 201:
        return JSON.parse(response.body);
      default:
        throw `Recieved unexpected status code ${
          response.statusCode
        } during request`;
    }
};

Modify authenticated SDE, where encrypted CCN is sent in JWT. In the example of the function above, it is sent in CustomerInfo.AccountName SDE.
Deploy FaaS function.
Repeat the steps above for each env, where the solution should be deployed.

Option #3 - Decryption with Citi custom widget

Citi to create a symmetric key (Secret key) or asymmetric keys pair (RSA private/public keys).
Citi to use a symmetric key or asymmetric public key to encrypt CCN in JWT.
Citi to utilize any existing or to create a new custom widget to decrypt CCN and present it in the widget
- Custom widget to store a symmetric key (Secret key) or RSA private key.
- Custom widget to read encrypted CCN from authenticated SDEs.
- Custom widget to perform decryption of CCN and present in the widget.

Option #4 - CCN lookup with Citi custom widget

Citi to utilize any existing or to create a new custom widget to lookup CCN info in the Citi CRM/other system, based on other customer-related data points (email, customer ID, etc.)

Option #5 - CCN mapping with other customer-specific attributes and manual lookup

Citi to define any customer-related attribute in the auth JWT (email, customer ID, etc.);
Agent to manually copy it from the Customer Info widget;
Agent to manually make a lookup in Citi CRM by attribute to find CCN;
Agent CCN for their needs;

Agent UX (for Option #1 and Option #2)

The CCN is stored in encrypted way on LP side;
The agent starts typing something like “/Decrypt” (the command is tied to the function name) and will be offered with available commands:

Selecting of the command will execute the FaaS function and provide the CCN to the agent.
Provided CCN:
- is not recorded anywhere
- presented only once
- only to the agent, which executed the command.

Hours

Component	Capabilities Included	Hours
LivePerson Professional Services Engagement	FaaS Function Dev and QA	10-15 hours

Example of a Private Key