Automatically redacting credit card numbers from tickets (Professional and Enterprise)

Users sometimes enter sensitive information such as credit card numbers in tickets when they shouldn't. In addition to being visible to anybody with access to the ticket, the credit card number automatically gets stored in a database with the rest of the ticket.

If you're on the Professional or Enterprise plan, you can use a feature called Automatic Redaction to redact, or remove, digits from credit card numbers found in ticket comments or custom fields so that the numbers are no longer useful. The data is redacted when the ticket is incoming to prevent the full credit card number from being stored with Zendesk. This helps keep confidential information out of Zendesk.

Note: Redacting credit card numbers already in the system is not supported.

Credit card numbers are identified in incoming tickets by using the Luhn algorithm and by looking for the prefixes and lengths of common credit card types. These checks don't guarantee that every credit card number will be identified, or that every number that isn't a credit card number will be skipped. The system does check for phone number and URL patterns and skips them. For example, some international phone numbers may pass the Luhn check, but if a number starts with a +, it won't be redacted.

Numbers that appear to be valid credit card numbers are redacted by replacing some digits with a replacement character, leaving the first 6 digits and the last 4 digits intact. Example:

  • String in incoming ticket: "I want a refund. My card number is 12 345123 451234 8."
  • String stored in Zendesk: "I want a refund. My card number is 12345 1▇▇▇▇ ▇2348."

Numbers are redacted if they're between 12 and 19 digits long. Most bank card numbers are within this range.
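
The detection and masking steps described above, as an added Python example (not Zendesk's implementation): it applies the Luhn check to runs of 12 to 19 digits, skips candidates that start with + or sit inside a URL, and masks everything except the first 6 and last 4 digits. The separator set, URL pattern and mask character are assumptions, the card-type prefix check is omitted, and separators are left in place, so the spacing of the result differs from the stored string shown above.

```python
import re

MASK = "▇"  # replacement character (assumed; the page shows a block glyph)
# 12-19 digits, optionally split by single spaces or hyphens (assumed separators).
CANDIDATE = re.compile(r"(?<!\d)(?<!\d[ -])\+?\d(?:[ -]?\d){11,18}(?![ -]?\d)")
URL = re.compile(r"https?://\S+")  # simplified URL pattern (assumption)


def luhn_ok(digits):
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def redact(text):
    """Return (redacted_text, was_redacted) for one incoming comment."""
    url_spans = [m.span() for m in URL.finditer(text)]
    hit = False

    def mask(m):
        nonlocal hit
        raw = m.group(0)
        digits = re.sub(r"\D", "", raw)
        in_url = any(start <= m.start() < end for start, end in url_spans)
        # Skip "+"-prefixed phone numbers, URL fragments and Luhn failures.
        if raw.startswith("+") or in_url or not luhn_ok(digits):
            return raw
        hit = True
        out, seen, tail = [], 0, len(digits) - 4
        for ch in raw:
            if ch.isdigit():
                # Keep the first 6 and last 4 digits, mask the middle.
                out.append(ch if seen < 6 or seen >= tail else MASK)
                seen += 1
            else:
                out.append(ch)  # separators stay where they were
        return "".join(out)

    return CANDIDATE.sub(mask, text), hit
```

The boolean returned alongside the text marks the point where a ticket would receive the redaction tag.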

The original credit card number isn't simply masked in the UI but completely redacted from logs and database entries. It's kept in memory only long enough to check it. The only exceptions to this are MIME-encoded emails and custom ticket fields in suspended tickets, but these two exceptions will be removed in the near future.

A tag is automatically added to tickets with redacted credit card numbers. You can create a view to see all tickets with this tag in one place.

Note: Redacting all but the first 6 and last 4 digits satisfies Payment Card Industry Data Security Standards (PCI DSS) requirements. The redacted number is no longer considered cardholder data for PCI purposes. See the FAQ on the PCI Council website. To learn more, see this white paper from Zendesk.

To start redacting credit card numbers

  1. Click the Admin icon, then select Security > Global.
  2. Select the Enabled checkbox in the Automatic Redaction section.

To list the tickets with redacted credit card numbers

  • Create a view of tickets that contain the tag "system_credit_card_redaction".

    For information about creating views, see Adding views.
