Zendesk acts as both merchant and service provider. As a merchant, Zendesk is PCI DSS compliant. As a cloud-based service provider, Zendesk does not play a role in the payment card processing lifecycle. While customers have the ability to use their Zendesk instance in ways that meet their business needs, Zendesk is not intended to be used as a billing system or to transmit and/or store credit card data.
As a service provider, Zendesk provides a feature that allows businesses to put a Primary Account Number (PAN) into a custom ticket field (via the PCI Compliant Ticket Field) in the Zendesk agent interface. Payment card numbers entered into the PCI Compliant Ticket Field are redacted to the last 4 digits before the data is submitted to the Zendesk platform. This field and its related controls are PCI compliant. Please note that Zendesk PCI DSS compliance only applies to the Support product.
Request a copy of the Attestation of Compliance (AoC) (under ‘Artifacts’).
A Zendesk approach to Security and Compliance
Zendesk employs industry-accepted security controls and privacy frameworks to maintain the security of the platform and compliance with industry regulations such as PCI DSS. This includes the following:
Zendesk hosts Service Data primarily in AWS data centers that have been certified as ISO 27001, PCI DSS Service Provider Level 1, and/or SOC 2 compliant. Learn about Compliance at AWS.
Data Hosting Locations
Zendesk uses AWS data centers located around the globe. Learn about Data Hosting Locations for your Zendesk Service Data.
We also provide data locality choices in certain areas. For more information on product, plan, and regional offerings please see our Regional Data Hosting Policy.
Our network is protected through the use of key AWS security services, integration with our Cloudflare edge protection networks, regular audits, and network intelligence technologies, which monitor and/or block known malicious traffic and network attacks.
Our network security architecture consists of multiple security zones. More sensitive systems like database servers are protected in our most trusted zones. Other systems are housed in zones commensurate with their sensitivity, depending on function, information classification, and risk. Depending on the zone, additional security monitoring and access controls will apply. DMZs are utilized between the Internet, and internally between the different zones of trust.
All communications with the Zendesk UI and APIs are encrypted via industry standard HTTPS/TLS (TLS 1.2 or higher) over public networks. Additionally, for email, our product uses opportunistic Transport Layer Security (TLS) by default. Service Data is encrypted at rest in AWS using AES-256 encryption.
To help our customers meet their PCI obligations, we created a feature called “Automatic Redaction.” This feature applies a Luhn check algorithm when a PAN enters your Zendesk instance. When the tool identifies a card number match, it truncates the number (to the first 6 and last 4 digits) and tags the data to indicate that the change occurred. This masks the data in the UI, redacts it from log and database entries, and stores the full number only long enough to perform the Luhn check.
The “automatic redaction” feature only redacts new data starting from the moment it has been turned on. It does not apply to the Help Center, Zendesk Chat, or other Zendesk products.
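The following is an added illustration of the detection and truncation logic described above; it is not Zendesk's code and makes no claim about how the product is implemented. It runs the Mod 10 (Luhn) check over digit runs in ticket text, keeps only the first 6 and last 4 digits of any run that passes, and reports whether a change occurred (the equivalent of the tag). The candidate pattern, the `X` mask character and the sample ticket text are constructed for the example.

```python
import re

def luhn_valid(digits: str) -> bool:
    """Mod 10 (Luhn) checksum: True when the digit string checksums to 0."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:           # 10..18 -> sum of digits, i.e. subtract 9
                d -= 9
        total += d
    return total % 10 == 0

# Constructed candidate pattern: 13 to 19 digits, optionally separated by
# single spaces or hyphens, and not embedded in a longer digit run.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def truncate_pan(digits: str) -> str:
    """Keep the first 6 and last 4 digits; mask everything in between."""
    return digits[:6] + "X" * (len(digits) - 10) + digits[-4:]

def redact(text: str):
    """Return (redacted_text, changed). Only Luhn-valid digit runs are
    truncated; order numbers and other non-PAN digit runs are left intact.
    The full number exists only inside this function, for the check."""
    changed = False

    def _replace(match: re.Match) -> str:
        nonlocal changed
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_valid(digits):
            return raw
        changed = True
        return truncate_pan(digits)

    return _CANDIDATE.sub(_replace, text), changed

if __name__ == "__main__":
    # Constructed sample: a Luhn-valid test number and a non-PAN order number.
    sample = "Card is 4111 1111 1111 1111, order 1234567890123456"
    print(redact(sample))
```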
To receive the benefits of our Attestation of Compliance (AoC), you will need to enable the credit card custom field. Without activating this field, your instance may not benefit from the AoC or a PCI compliant environment.
Note: Storage exceptions include MIME encoded emails and custom ticket fields in suspended tickets, but we anticipate soon releasing functionality to remove these two exceptions.
If your Agent Workspace is activated, payment card information will automatically be redacted in Messaging. This internal redaction feature can be controlled using the app setting maskCreditCardNumbers. For more information, see the SunCo API documentation.
What’s the difference between the PCI Compliant Ticket Field and Automatic Redaction?
The key difference between the two features involves when the redaction process takes place, and what PCI compliance obligations Zendesk has as a result of that. With the PCI Compliant Ticket Field, the redaction function takes place prior to the PAN entering the Zendesk platform. This feature has been audited and certified as PCI compliant, and is designed to handle payment card numbers. On the other hand, automatic redaction identifies and redacts payment card data after the information enters our systems.
Automatic redaction isn’t designed to enable you to accept PAN information. It’s a PCI compliant feature that is there to aid you in managing your PCI responsibilities and to ensure that you have the means to redact payment card information wherever it enters your Zendesk instance. To learn more about how to make your instance PCI compliant, see 'What Do I Need to Do to Comply with PCI DSS?'.
Zendesk maintains a Payment Card Industry Attestation of Compliance (“AoC”) for subscribers using the Credit Card Field for the Zendesk Help Desk and Help Center services only and does not include any other services or products offered by Zendesk. The AoC demonstrates Zendesk's compliance with the Payment Card Industry Data Security Standard ("PCI DSS") version 3.1, as formulated by the Payment Card Industry Security Standards Council. Zendesk subscribers who are on the Enterprise Subscription Plan can benefit from Zendesk's AoC by following the processes set forth in this article. Upon following the procedures set forth in this article, it may take up to 5 business days for your Zendesk account to be moved into a Zendesk PCI-compliant environment.
This article should not be used as a substitute for obtaining advice from a professional licensed or authorized to practice in your jurisdiction. You should always consult a suitably qualified professional regarding any specific legal or compliance issue. Nothing in this article is intended to constitute legal advice.
Glossary of Terms
Acquirer – Also referred to as “merchant bank,” “acquiring bank,” or “acquiring financial institution.” Entity that initiates and maintains relationships with merchants for the acceptance of payment cards. The acquirer is typically responsible for monitoring PCI compliance with their merchants’ account.
AoC – Acronym for Attestation of Compliance. This is the audit report that shows if and how an organization is PCI compliant.
Cardholder data – At a minimum, cardholder data consists of the full Primary Account Number (PAN). Cardholder data may also appear in the form of the full PAN plus any of the following: cardholder name, expiration date and/or service code.
CDE – Cardholder Data Environment. The people, processes and technology that store, process, or transmit cardholder data or sensitive authentication data.
DLP – Data Loss Prevention. Data loss prevention software is designed to detect potential data breach or data loss events.
Encryption – Process of converting information into an unintelligible form except to holders of a specific cryptographic key. Use of encryption protects information between the encryption process and the decryption process (the inverse of encryption) against unauthorized disclosure.
Luhn check – Also known as the “Mod 10” algorithm, it is a simple checksum formula used to validate a variety of identification numbers, such as credit card numbers. Most credit cards use the algorithm as a simple method of distinguishing valid numbers from mistyped or otherwise incorrect numbers.
Masking – A method of concealing a segment of data when displayed or printed. Masking is used when there is no business requirement to view the entire PAN. Masking relates to protection of PAN when displayed or printed.
PCI Compliant Ticket Field – This field is designed to accept credit card numbers from agents, where it will automatically redact the credit card number to the last 4 digits prior to the data being submitted to the Zendesk platform. This field is required to be enabled to benefit from Zendesk’s AoC.
PCI-SSC – Acronym for Payment Card Industry Security Standards Council. This council was established in 2006 by the five credit card brands (Visa, MasterCard, American Express, Discover, JCB).
PCI-DSS – The Payment Card Industry Data Security Standard. The PCI SSC created a unified standard to which all merchants and service providers would be subject.
PAN – Primary Account Number. Also referred to as “account number.” Unique payment card number (typically for credit or debit cards) that identifies the issuer and the particular cardholder.
Service provider – Business entity (not a payment card issuer) that is directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. This also includes companies that provide services that control or could impact the security of cardholder data. Examples include managed service providers that provide managed firewalls, IDS, and other services as well as hosting providers and other entities.
QSA – Qualified Security Assessor. The PCI SSC has certified firms to perform PCI assessments and to assist with PCI validation; the designation is a QSA firm, or similarly an individual at a QSA firm can be certified as an individual QSA.
Redact – The process of removing sensitive information, such as PAN, where it is not needed.
SAQ – Self-Assessment Questionnaire. An entity validating PCI compliance will either undergo an external assessment by a QSA, or complete an SAQ and submit it to the card brands or their merchant bank.
Tokenize – The process of breaking a stream of meaningful text, such as a credit card number, into data elements called tokens that represent the actual data but alone are meaningless. Tokenization is a method to remove credit card data from systems or databases, thereby reducing the scope of the CDE.
Truncation – Method of rendering the full PAN unreadable by permanently removing a segment of PAN data. Truncation relates to protection of PAN when stored in files, databases, etc.