You can use the PCI-compliant ticket field for credit card numbers. End users and agents can enter a full credit card number in the field and everything except the last 4 digits will be redacted automatically.

Once you enable the field, your account will be moved into a PCI-compliant part of the Zendesk Support infrastructure. The move can take up to 5 business days.

This section describes how to add the field and outlines its limitations.

To add the credit card number field

1. Sign in to your Zendesk account as an administrator.
2. In Admin Center, click Objects and rules in the sidebar, then select Tickets > Fields.
3. Click Add field on the right side.
4. Click the Credit card field.
5. Set the following field properties and click Save.

   Field property	Values
   Title	Any name
   Read-only for end users	Unchecked (see note below)
   Editable for end users	Unchecked
   Required	Strongly recommend leaving unchecked for agents and end users

The PCI Data Security Standard requires your company’s agents and admins to meet the password requirements described in this section. If your organization’s policies impose stronger requirements, implement the stronger requirements.

If you're using Zendesk sign-in for your agents and admins, follow the steps below. If you're using Google sign-in or single sign-on (SSO) for agents and admins, verify that your Google account or your single sign-on server meets the PCI DSS password requirements described in this section.

1. Sign in to your Zendesk instance as an administrator.
2. In Admin Center, click Account in the sidebar, then select Security > Team member authentication.
3. Select Custom from the  Password level menu.
4. Click Edit.
5. Set the following requirements:

   Setting	Minimum requirement
   Number of previous passwords to reject	4 previous passwords
   Minimum length	7
   Must include numbers and special characters	Numbers only
   Must include letters in mixed case	Yes
   Password expiration	90 days
   Failed attempts until lockout	6
   Sessions expire after how many minutes	15 (see note)

   Note: The session expiry requirement is optional if your workstations are configured to lock after 15 minutes, and IP restrictions are configured so only devices from your trusted network have timeout settings enforced.
6. Click Set to save your changes.

The password requirements above apply to agents and administrators. For end users, the following recommendation is encouraged to prevent end users from having their accounts compromised.  This is not required by PCI DSS but should be considered to protect your customer’s support accounts. Zendesk recommends selecting the High option for end users on the Admin Center > Account > Security > End user authenticationEnd users page.

PCI requires that any communications over public networks that may include cardholder data be encrypted.

To configure your Zendesk instance to enable TLS encryption

1. Sign in to your Zendesk account as an administrator.
2. In Admin Center, click Account in the sidebar, then select Security > More settings.
3. Click the SSL tab.
4. If you're using hosted SSL, make sure your SSL certificate is valid. Otherwise, make sure the Enabled checkbox in the Regular SSL section is selected.

Zendesk uses TLS because SSL is no longer considered sufficient by the PCI DSS. Zendesk defaults to TLS 1.2, but also has TLS 1.1 and TLS 1.0 enabled as fallback options for systems that aren't capable of handling TLS 1.2.

There’s no guarantee end users or agents will always use the credit card number field. They might enter a credit card number in the ticket comments or in another custom ticket field. To redact these numbers as well, see Automatically redacting credit card numbers from tickets in Help Center.

Zendesk maintains a Payment Card Industry Attestation of Compliance (AoC) for subscribers using the Credit Card Field for the Zendesk Help Desk and Help Center services only and does not include any other services or products offered by Zendesk. Request a copy of the AoC under Artifacts > Direct Download Resources (non-NDA) > Get resources. The AoC demonstrates Zendesk's compliance with the Payment Card Industry Data Security Standard (PCI DSS) version 4.0, as formulated by the Payment Card Industry Security Standards Council. Zendesk subscribers who are on the Enterprise Plan can benefit from Zendesk's AoC by following the processes set forth in this article.  Upon following the procedures set forth in this article, it may take up to 5 business days for your Zendesk account to be moved into a Zendesk PCI-compliant environment.

This article should not be used as a substitute for obtaining advice from a professional licensed or authorized to practice in your jurisdiction. You should always consult a suitably qualified professional regarding any specific legal or compliance issue. Nothing in this article is intended to constitute legal advice.