If your agents or end users enter credit card numbers in tickets, you can add a credit card field to the ticket form that meets the Payment Card Industry (PCI) Data Security Standard (DSS) requirements.
In addition to describing how to add a PCI-compliant credit card field, this article makes additional recommendations to make your Zendesk more secure. The recommendations won’t make your Zendesk PCI-compliant, but they will help make it more secure.
Adding the credit card number field to your ticket form
You can use the PCI-compliant ticket field for credit card numbers. End users and agents can enter a full credit card number in the field and everything except the last 4 digits will be redacted automatically.
Once you enable the field, your account will be moved into a PCI-compliant part of the Zendesk Support infrastructure. The move can take up to 5 business days.
This section describes how to add the field and outlines its limitations.
To add the credit card number field
- Sign in to your Zendesk account as an administrator.
- Click the Admin icon (), then select Manage > Ticket Fields.
- Click add custom field on the right side.
- Find the credit card number field and click select.
- Set the following field properties and click Add field.
Field property Values Title Any name For end users > Visible Unchecked (see note below) For end users > Editable Unchecked Required Strongly recommend leaving unchecked for agents and end users
The following are the known limitations with the credit card number field.
- Zendesk Support Mobile App - The field is read-only.
- Web Widget - The field is not supported.
- Mobile SDK - The field only accepts 4 digits.
- App framework apps - If the field is built into an app installed from the Zendesk Marketplace. Apps could view the outgoing field contents in the browser console before it’s redacted by Zendesk. Evaluate any apps for this vulnerability before activating them.
- Ticket sharing - The field can’t be shared between Zendesk accounts.
- Zendesk Support doesn’t store a full credit card number.
- PCI allows storing the first 6 and last 4 digits of a credit card, but Zendesk Support can retain only the last 4.
- Only credit card numbers can be stored in the credit card number field. All other characters entered into the field are removed when the input is saved.
- Out-of-the-box functionality to support other fields related to credit card authentication data is not available. This includes but isn’t limited to expiration date, card verification value (CVV), or personal identification number (PIN) fields. To use Zendesk Support in a PCI-compliant manner, you should not request this information from your end users in the comments of support tickets. PCI DSS only allows this information to be used during the credit card authorization process, and Zendesk Support is not a payment processing application.
- Additional features enabled by the administrator may affect the security of the PCI-compliant credit card field. While Zendesk Support never receives or stores the credit card number when the PCI-compliant field is used correctly, third-party apps, browser extensions or add-ons, Talk, or email may result in the end users’ cardholder data being intercepted.
Implementing strict password requirements
The PCI Data Security Standard requires your company’s agents and admins to meet the password requirements described in this section. If your organization’s policies impose stronger requirements, implement the stronger requirements.
If you're using Zendesk sign-in for your agents and admins, follow the steps below. If you're using Google sign-in or single sign-on (SSO) for agents and admins, verify that your Google account or your single sign-on server meets the PCI DSS password requirements described in this section.
- Sign in to your Zendesk instance as an administrator.
- In any product, click the Zendesk Products icon () in the top bar, then select Admin Center.
- In Admin Center, click the Security icon () in the left sidebar.
- Click Staff members, then select Custom from the Password level menu.
- Click Edit.
- Set the following requirements:
Setting Minimum requirement Number of previous passwords to reject 4 previous passwords Minimum length 7 Must include numbers and special characters numbers only Must include letters in mixed case yes Password expiration 90 Failed attempts until lockout 6 Sessions expire after how many minutes 15 (see note)Note: The session expiry requirement is optional if your workstations are configured to lock after 15 minutes, and IP restrictions are configured so only devices from your trusted network have timeout settings enforced.
- Click Set to save your changes.
The password requirements above apply to agents and administrators. For end users, the following recommendation is encouraged to prevent end users from having their accounts compromised. This is not required by PCI DSS but should be considered to protect your customer’s support accounts. Zendesk recommends selecting the High option for end users on the Security > End users page.
Making sure SSL is enabled
PCI requires that any communications over public networks that may include cardholder data be encrypted.
To configure your Zendesk instance to enable TLS encryption
- Sign in to your Zendesk account as an administrator.
- Click the Admin icon (), then select Security > SSL.
- If you're using hosted SSL, make sure your SSL certificate is valid. Otherwise, make sure the Enabled checkbox in the Regular SSL section is selected.
Zendesk uses TLS because SSL is no longer considered sufficient by the PCI DSS. Zendesk defaults to TLS 1.2, but also has TLS 1.1 and TLS 1.0 enabled as fallback options for systems that aren't capable of handling TLS 1.2.
Recommendation: Enable automatic redaction for other fields
There’s no guarantee end users or agents will always use the credit card number field. They might enter a credit card number in the ticket comments or in another custom ticket field. To redact these numbers as well, see Automatically redacting credit card numbers from tickets in Help Center.
Zendesk maintains a Payment Card Industry Attestation of Compliance (“AoC”) for subscribers using the Credit Card Field for the Zendesk Help Desk and Help Center services only and does not include any other services or products offered by Zendesk. The AoC demonstrates Zendesk's compliance with the Payment Card Industry Data Security Standard ("PCI DSS") version 3.1, as formulated by the Payment Card Industry Security Standards Council. Zendesk subscribers who are on the Enterprise Subscription Plan can benefit from Zendesk's AoC by following the processes set forth in this article. Upon following the procedures set forth in this article, It may take up to 5 business days for your Zendesk account to be moved into a Zendesk PCI-compliant environment.
This article should not be used as a substitute for obtaining advice from a professional licensed or authorized to practice in your jurisdiction. You should always consult a suitably qualified professional regarding any specific legal or compliance issue. Nothing in this article is intended to constitute legal advice.