Adding a PCI-compliant credit card field (Enterprise)

If your agents or end users enter credit card numbers in tickets, you can add a credit card field to the ticket form that meets the Payment Card Industry (PCI) Data Security Standard (DSS) requirements.

Note: The credit card number field is the only PCI-compliant offering in the Zendesk Support interface and Help Center at this time.

In addition to describing how to add the PCI-compliant credit card field, this article recommends further settings that harden your Zendesk. Those recommendations do not by themselves make your Zendesk PCI-compliant, but they reduce the ways cardholder data can leak around the field.

Topics covered:

  • Adding the credit card number field to your ticket form
  • Implementing strict password requirements
  • Making sure SSL is enabled
  • Recommendation: Enable automatic redaction for other fields
  • Legal notice

Adding the credit card number field to your ticket form

You can use the PCI-compliant ticket field for credit card numbers. End users and agents can enter a full credit card number in the field and everything except the last 4 digits will be redacted automatically.

Note: The PCI compliance report does not cover updates to the credit card field made through the Zendesk API; only values entered through the Support interface and Help Center are within its scope.

Once you enable the field, your account will be moved into a PCI-compliant part of the Zendesk Support infrastructure. The move can take up to 5 business days.

This section describes how to add the field and outlines its limitations.

To add the credit card number field

  1. Sign in to your Zendesk account as an administrator.
  2. Click the Admin icon, then select Manage > Ticket Fields.
  3. Click add custom field on the right side.
  4. Find the credit card number field and click select.
  5. Set the following field properties and click Add field.
    Field property             Value
    Title                      Any name
    For end users > Visible    Unchecked (see note below)
    For end users > Editable   Unchecked
    Required                   Leave unchecked for both agents and end users (strongly recommended)
Note: If you want your account to be in a PCI-compliant part of the infrastructure, you must add the Credit Card field. To hide this field from end users, “For End Users > Visible” must be unchecked.

Limitations

The following are the known limitations with the credit card number field.

Product limitations

  • Zendesk Support Mobile App - The field is read-only.
  • Web Widget - The field is not supported.
  • Mobile SDK - The field only accepts 4 digits.
  • App framework apps - If the field is exposed to an app installed from the Apps Marketplace, the app can read the field's contents in the browser (for example, via the browser console) before Zendesk redacts them. Review every app for this behaviour before activating it.
  • Ticket sharing - The field can’t be shared between Zendesk accounts.

Other limitations

  • Zendesk Support doesn’t store a full credit card number.
  • PCI allows storing the first 6 and last 4 digits of a credit card, but Zendesk Support can retain only the last 4.
  • Out-of-the-box functionality to support other fields related to credit card authentication data is not available. This includes but isn't limited to expiration date, card verification value (CVV), or personal identification number (PIN) fields. To use Zendesk Support in a PCI-compliant manner, do not request this information from your end users in the comments of support tickets. PCI DSS does not permit sensitive authentication data to be retained after the card authorization process, and Zendesk Support is not a payment processing application.
  • Additional features enabled by the administrator may affect the security of the PCI-compliant credit card field. While Zendesk Support never receives or stores the credit card number when the PCI-compliant field is used correctly, third-party apps, browser extensions or add-ons, Talk, or email can still expose end users' cardholder data through channels the field does not control.

Implementing strict password requirements

The PCI Data Security Standard requires your company’s agents and admins to meet the password requirements described in this section. If your organization’s policies impose stronger requirements, implement the stronger requirements.

If you're using Zendesk sign-in for your agents and admins, follow the steps below. If you're using Google sign-in or single sign-on (SSO) for agents and admins, verify that your Google account or your single sign-on server meets the PCI DSS password requirements described in this section.

  1. Sign in to your Zendesk instance as an administrator.
  2. Click the Admin icon, then select Security > Admins & Agents.
  3. Select the Zendesk radio button, then the Custom radio button.
  4. Set the following requirements:
    Setting                                               Minimum requirement
    must be different than at least this many passwords   4 previous passwords
    must be at least this many characters                 7
    must include numbers and special characters           numbers only
    must include letters in mixed case                    yes
    expires after how many days                           90
    number of failed attempts until lockout               6
    sessions expire after how many minutes                15 (see note)
    Note: The session expiry setting is optional if the idle timeout is enforced elsewhere: your workstations must lock after 15 minutes of inactivity, and IP restrictions must limit access to devices on your trusted network, where that lock applies.
  5. Click Save.

(Screenshot of the resulting settings omitted.)

The password requirements above apply to agents and administrators. PCI DSS does not require anything for end users, but to protect your customers' support accounts from compromise, Zendesk recommends selecting the High option for end users on the Security > End-users page.
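The section above asks you to verify that a Google account or SSO server meets the same rules, which is easier when the table exists as executable logic. The following Python is an added example, not Zendesk code, and it does not talk to Zendesk: the constants are the minimums from the table, while the account model, the PBKDF2 hashing of the password history, and the function names are this example's own assumptions. It exercises the rules that are easy to get subtly wrong: the reuse window counts the current password as one of the four, lockout triggers on the sixth consecutive failure, and the idle timeout runs from the last activity rather than from login.

```python
"""Executable form of the agent/admin password table above (added example, not Zendesk code)."""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

HISTORY_DEPTH = 4          # must be different than the last 4 passwords
MIN_LENGTH = 7             # must be at least 7 characters
MAX_AGE_DAYS = 90          # expires after 90 days
LOCKOUT_THRESHOLD = 6      # failed attempts until lockout
SESSION_IDLE_MINUTES = 15  # sessions expire after 15 idle minutes
PBKDF2_ROUNDS = 50_000     # assumed value for the example; raise it in a real deployment


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the history store never holds plaintext or unsalted digests."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class AccountState:
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # (salt, digest), newest first
    password_set_at: Optional[datetime] = None
    failed_attempts: int = 0
    locked: bool = False
    last_activity: Optional[datetime] = None


def composition_problems(password: str) -> List[str]:
    """Rules the candidate fails; an empty list means it satisfies the table."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"\d", password):
        problems.append("no numeric character")   # "numbers only": digits required, symbols not
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("not mixed case")
    return problems


def set_password(password: str, state: AccountState, now: datetime) -> List[str]:
    """Apply composition and history rules; on success store the new hash and return []."""
    problems = composition_problems(password)
    if any(hmac.compare_digest(_hash(password, salt), digest)
           for salt, digest in state.history[:HISTORY_DEPTH]):
        problems.append(f"matches one of the previous {HISTORY_DEPTH} passwords")
    if problems:
        return problems
    salt = os.urandom(16)
    state.history.insert(0, (salt, _hash(password, salt)))
    del state.history[HISTORY_DEPTH:]   # the current password is one of the four remembered
    state.password_set_at = now
    state.failed_attempts = 0
    state.locked = False
    return []


def record_login(state: AccountState, password: str, now: datetime) -> str:
    """Return 'ok', 'bad_password', 'locked' or 'expired'; failures count toward lockout."""
    if state.locked:
        return "locked"
    current = state.history[0] if state.history else None
    if current is None or not hmac.compare_digest(_hash(password, current[0]), current[1]):
        state.failed_attempts += 1
        if state.failed_attempts >= LOCKOUT_THRESHOLD:
            state.locked = True
            return "locked"
        return "bad_password"
    state.failed_attempts = 0
    if state.password_set_at is None or now - state.password_set_at > timedelta(days=MAX_AGE_DAYS):
        return "expired"
    state.last_activity = now
    return "ok"


def session_valid(state: AccountState, now: datetime) -> bool:
    """Idle timeout: the session is dead once 15 minutes pass without activity."""
    return (state.last_activity is not None
            and now - state.last_activity <= timedelta(minutes=SESSION_IDLE_MINUTES))


def demo() -> Dict[str, object]:
    """Walk accounts through the rules with constructed passwords and clock values."""
    t0 = datetime(2024, 1, 1, 9, 0)
    out: Dict[str, object] = {}
    acct = AccountState()
    out["weak"] = set_password("password", acct, t0)           # no digit, no upper case
    out["strong"] = set_password("Agent-2024x", acct, t0)
    for i in range(3):
        set_password(f"Rotate{i}x1", acct, t0)                  # three more changes
    out["reuse_4th"] = set_password("Agent-2024x", acct, t0)   # still inside the window
    set_password("Rotate3x1", acct, t0)
    out["reuse_5th"] = set_password("Agent-2024x", acct, t0)   # now outside the window
    locked = AccountState()
    set_password("Agent-2024x", locked, t0)
    out["attempts"] = [record_login(locked, "wrong", t0) for _ in range(7)]
    aged = AccountState()
    set_password("Agent-2024x", aged, t0)
    out["login_day30"] = record_login(aged, "Agent-2024x", t0 + timedelta(days=30))
    out["session_10m"] = session_valid(aged, t0 + timedelta(days=30, minutes=10))
    out["session_16m"] = session_valid(aged, t0 + timedelta(days=30, minutes=16))
    out["login_day91"] = record_login(aged, "Agent-2024x", t0 + timedelta(days=91))
    return out
```

Run `demo()` to see each rule fire; the point of the scenario is that a password blocked as the fourth-most-recent one becomes acceptable again after one more rotation, and that the seventh wrong attempt reports "locked" without touching the hash at all.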

Making sure SSL is enabled

PCI requires that any communications over public networks that may include cardholder data be encrypted.

To configure your Zendesk instance to enable TLS encryption

  1. Sign in to your Zendesk account as an administrator.
  2. Click the Admin icon, then select Security > SSL.
  3. If you're using hosted SSL, make sure your SSL certificate is valid. Otherwise, make sure the Enabled checkbox in the Regular SSL section is selected.

Zendesk uses TLS because SSL is no longer considered strong cryptography by the PCI DSS. Zendesk defaults to TLS 1.2 but still accepts TLS 1.1 and TLS 1.0 as fallbacks for clients that cannot negotiate TLS 1.2. Note that PCI DSS 3.1 puts "early TLS" (TLS 1.0, and in some implementations 1.1) in the same category as SSL, so the clients that connect to your Zendesk should be configured to negotiate TLS 1.2 rather than rely on the fallback.
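A practitioner will want to confirm which protocol versions a hostname actually accepts rather than trust a settings page. The following Python probe is an added example, not a Zendesk tool: it pins a handshake to one TLS version at a time, keeps certificate and hostname verification on, and then judges the results against the PCI DSS 3.1 position that SSL and early TLS are not strong cryptography. The hostname in the usage block is an assumed placeholder. One caveat it handles explicitly: OpenSSL 3 refuses TLS 1.0/1.1 at its default security level, so a "refused" for those versions is only meaningful if the probe first lowers its own security level.

```python
"""Probe which TLS versions a host accepts and judge them against PCI DSS 3.1 (added example)."""
import socket
import ssl
import warnings
from typing import Dict, List, Tuple

# Keys are the names OpenSSL reports from SSLSocket.version().
VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
EARLY_TLS = ("TLSv1", "TLSv1.1")   # "early TLS" in PCI SSC guidance


def probe_version(host: str, name: str, port: int = 443, timeout: float = 5.0) -> str:
    """Attempt a handshake pinned to one version: 'accepted', 'refused' or 'untestable: <why>'."""
    ctx = ssl.create_default_context()          # CA verification and hostname check stay on
    try:
        with warnings.catch_warnings():          # Python warns when pinning deprecated versions
            warnings.simplefilter("ignore", DeprecationWarning)
            ctx.minimum_version = VERSIONS[name]
            ctx.maximum_version = VERSIONS[name]
    except ValueError as exc:                    # this OpenSSL build lacks the protocol entirely
        return f"untestable: {exc}"
    if VERSIONS[name] < ssl.TLSVersion.TLSv1_2:
        # OpenSSL 3 blocks TLS 1.0/1.1 at its default security level. Lower it for the
        # probe only; otherwise 'refused' would describe our client, not the server.
        try:
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        except ssl.SSLError as exc:
            return f"untestable: {exc}"
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "accepted"                # min == max, so this is the version negotiated
    except ssl.SSLCertVerificationError as exc:
        return f"untestable: certificate {exc.verify_message}"
    except ssl.SSLError:
        return "refused"                         # handshake alert or no shared protocol
    except OSError as exc:                       # DNS failure, timeout, connection refused
        return f"untestable: {exc}"


def probe_host(host: str, port: int = 443) -> Dict[str, str]:
    """Probe every version in VERSIONS against one host."""
    return {name: probe_version(host, name, port) for name in VERSIONS}


def pci_verdict(results: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Pass only if TLS 1.2 or 1.3 works and no early TLS version is accepted."""
    findings = []
    for name in EARLY_TLS:
        if results.get(name) == "accepted":
            findings.append(f"{name} accepted; SSL and early TLS are not strong cryptography under PCI DSS 3.1")
    if not any(results.get(n) == "accepted" for n in ("TLSv1.2", "TLSv1.3")):
        findings.append("neither TLS 1.2 nor TLS 1.3 could be negotiated")
    return (not findings, findings)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.zendesk.com"   # assumed placeholder host
    results = probe_host(target)
    ok, findings = pci_verdict(results)
    for name, status in results.items():
        print(f"{name:8} {status}")
    print("PASS" if ok else "FAIL: " + "; ".join(findings))
```

Point it at your own subdomain: an "accepted" for TLSv1 or TLSv1.1 is the fallback behaviour the paragraph above describes, and the verdict tells you whether any client still relying on it would be on an unacceptable protocol. An "untestable" result for those versions means the probe's own OpenSSL could not offer them, which says nothing about the server.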

Recommendation: Enable automatic redaction for other fields

There’s no guarantee end users or agents will always use the credit card number field. They might enter a credit card number in the ticket comments or in another custom ticket field. To redact these numbers as well, see Automatically redacting credit card numbers from tickets in Help Center.

Note: This feature is not PCI-compliant at this time. It’s offered as an additional layer of security to prevent cardholder data from spreading in your Zendesk account and email notifications.
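Both the credit card field and the redaction feature above keep only the last 4 digits. As an added example, not Zendesk's own implementation, the following Python shows the detection and masking logic a practitioner would want to see before trusting any free-text redactor: candidates are Luhn-checked so phone numbers and order IDs survive, a card number immediately followed by a year is still caught as the 16-digit card, and the mask is parameterised so the last-4-only policy can be compared with the first-6/last-4 truncation PCI DSS permits. The sample ticket comment is constructed; the function names are this example's own.

```python
"""Find Luhn-valid card numbers in free text and mask them (added example, not Zendesk code)."""
import re
from typing import Iterator, List, Tuple

# Any run of digits, optionally separated by single spaces or dashes. Runs are only
# candidates; the Luhn check below decides what is actually treated as a PAN.
_DIGIT_RUN = re.compile(r"\d(?:[ -]?\d)+")
MIN_PAN, MAX_PAN = 13, 19          # PAN lengths issued by the card brands


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test (ISO/IEC 7812-1): the filter that drops phone numbers and order IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> Iterator[Tuple[int, int, str]]:
    """Yield (start, end, digits) for each Luhn-valid 13-19 digit sequence in text.

    Inside a digit run the longest valid window starting at each offset wins, so
    "4111 1111 1111 1111 2024" is reported as the 16-digit card, not skipped
    because the 20-digit run as a whole fails the check.
    """
    for m in _DIGIT_RUN.finditer(text):
        raw = m.group(0)
        pos = [k for k, c in enumerate(raw) if c.isdigit()]   # offsets of digits within raw
        digits = "".join(raw[k] for k in pos)
        i = 0
        while i + MIN_PAN <= len(digits):
            hit = 0
            for n in range(min(MAX_PAN, len(digits) - i), MIN_PAN - 1, -1):
                if luhn_valid(digits[i:i + n]):
                    hit = n
                    break
            if hit:
                start = m.start() + pos[i]
                end = m.start() + pos[i + hit - 1] + 1
                yield start, end, digits[i:i + hit]
                i += hit
            else:
                i += 1


def mask(digits: str, keep_first: int = 0, keep_last: int = 4) -> str:
    """PCI DSS permits showing at most the first 6 and last 4; Zendesk's field keeps the last 4 only."""
    hidden = len(digits) - keep_first - keep_last
    return digits[:keep_first] + "X" * hidden + digits[len(digits) - keep_last:]


def redact_text(text: str, keep_first: int = 0, keep_last: int = 4) -> Tuple[str, List[str]]:
    """Return (redacted text, list of retained last-4 values) for one comment or field value."""
    pieces, found, last = [], [], 0
    for start, end, digits in find_pans(text):
        pieces.append(text[last:start])
        pieces.append(mask(digits, keep_first, keep_last))
        found.append(digits[-keep_last:])
        last = end
    pieces.append(text[last:])
    return "".join(pieces), found


if __name__ == "__main__":
    # Constructed ticket comment using the public Visa/Mastercard test numbers.
    comment = ("Hi, my card 4111 1111 1111 1111 2024 was charged twice. "
               "Backup card is 5555-5555-5555-4444. Call +1 415 555 0100, order 1234567890123.")
    redacted, kept = redact_text(comment)
    print(redacted)
    print("retained last-4 values:", kept)
```

Two caveats worth keeping in mind. Luhn validity is a one-in-ten property, so long numeric identifiers (tracking numbers, GUIDs rendered as digits) will sometimes contain a valid 13-digit window and be over-redacted; for cardholder data that is the safe direction to fail, but it is why a redactor like this belongs in a review log, not silently in the data path. And this runs on text that has already reached your system, which is the situation the note above describes: it limits spread, it does not keep the number out of Zendesk in the first place.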

Legal notice

Zendesk maintains a Payment Card Industry Attestation of Compliance (“AoC”) for subscribers using the Credit Card Field for the Zendesk Help Desk and Help Center services only and does not include any other services or products offered by Zendesk. The AoC demonstrates Zendesk's compliance with the Payment Card Industry Data Security Standard ("PCI DSS") version 3.1, as formulated by the Payment Card Industry Security Standards Council. Zendesk subscribers who are on the Enterprise Subscription Plan can benefit from Zendesk's AoC by following the processes set forth in this article. Upon following the procedures set forth in this article, it may take up to 5 business days for your Zendesk account to be moved into a Zendesk PCI-compliant environment.

This article should not be used as a substitute for obtaining advice from a professional licensed or authorized to practice in your jurisdiction. You should always consult a suitably qualified professional regarding any specific legal or compliance issue. Nothing in this article is intended to constitute legal advice.
