Our organisation uses a loyalty card scheme which has a card number format similar to credit card. Business users can share data and send emails enclosing the loyalty card numbers but they are blocked from sharing credit card data. Due to loyalty card number being of same format as credit cards, our DLP is causing lots of false positives.
Loyalty card numbers start with specific four digits e.g,. 7860 XXXX XXXX XXXX. Is there any way to configure the DLP policy so it excludes any card number that begins with 7860 but still matches valid credit cards?
I have already tried creating a sensitive info type for loyalty card number and then configured the policy to match credit card sensitive info type but exclude the loyalty card info type. However, this has a serious hole in that if an email has both the loyalty card and the credit card then rule will not match due to the exclude clause, allowing the user to share which we don't want.
Any ideas???
