DLP: Preventing credit card false positives

%3CLINGO-SUB%20id%3D%22lingo-sub-1847346%22%20slang%3D%22en-US%22%3EDLP%3A%20Preventing%20credit%20card%20false%20positives%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1847346%22%20slang%3D%22en-US%22%3E%3CP%3EOur%20organisation%20uses%20a%20loyalty%20card%20scheme%20which%20has%20a%20card%20number%20format%20similar%20to%20credit%20card.%20Business%20users%20can%20share%20data%20and%20send%20emails%20enclosing%20the%20loyalty%20card%20numbers%20but%20they%20are%20blocked%20from%20sharing%20credit%20card%20data.%20Due%20to%20loyalty%20card%20number%20being%20of%20same%20format%20as%20credit%20cards%2C%20our%20DLP%26nbsp%3B%20is%20causing%20lots%20of%20false%20positives.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ELoyalty%20card%20numbers%20start%20with%20specific%20four%20digits%20e.g%2C.%207860%20XXXX%20XXXX%20XXXX.%26nbsp%3BIs%20there%20any%20way%20to%20configure%20the%20DLP%20policy%20so%20it%20excludes%20any%20card%20number%20that%20begins%20with%207860%20but%20still%20matches%20valid%20credit%20cards%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20already%20tried%20creating%20a%20sensitive%20info%20type%20for%20loyalty%20card%20number%20and%20then%20configured%20the%20policy%20to%20match%20credit%20card%20sensitive%20info%20type%20but%20exclude%20the%20loyalty%20card%20info%20type.%20However%2C%20this%20has%20a%20serious%20hole%20in%20that%20if%20an%20email%20has%20both%20the%20loyalty%20card%20and%20the%20credit%20card%20then%20rule%20will%20not%20match%20due%20to%20the%20exclude%20clause%2C%20allowing%20the%20user%20to%20share%20which%20we%20don't%20want.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAny%20ideas%3F%3F%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1847346%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ECompliance%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EData%20Loss%20Prevention%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1857001%22%20slang%3D%22en-US%22%3ERe%3A%20DLP%3A%20Preventing%20credit%20card%20false%20positives%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1857001%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F79705%22%20target%3D%22_blank%22%3E%40Gurdev%20Singh%3C%2FA%3E%26nbsp%3Bcould%20you%20try%20to%20create%20another%20rule%20and%20select%20%22Create%20group%22%3F%3C%2FP%3E%3CP%3EThen%20you%20can%20add%20an%20%22AND%22%20statement%20so%20the%20rule%20will%20only%20match%20when%20both%20the%20loyalty%20number%20AND%20the%20credit%20card%20number%20are%20in%20there.%3C%2FP%3E%3CP%3EPlease%20see%20the%20attached%20files%20for%20reference.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Frequent Contributor

Our organisation uses a loyalty card scheme which has a card number format similar to credit card. Business users can share data and send emails enclosing the loyalty card numbers but they are blocked from sharing credit card data. Due to loyalty card number being of same format as credit cards, our DLP  is causing lots of false positives. 

 

Loyalty card numbers start with specific four digits e.g,. 7860 XXXX XXXX XXXX. Is there any way to configure the DLP policy so it excludes any card number that begins with 7860 but still matches valid credit cards?

 

I have already tried creating a sensitive info type for loyalty card number and then configured the policy to match credit card sensitive info type but exclude the loyalty card info type. However, this has a serious hole in that if an email has both the loyalty card and the credit card then rule will not match due to the exclude clause, allowing the user to share which we don't want.

 

Any ideas???

2 Replies

@Gurdev Singh could you try to create another rule and select "Create group"?

Then you can add an "AND" statement so the rule will only match when both the loyalty number AND the credit card number are in there.

Please see the attached files for reference.

Thanks...@BemmelenPatrick. I did try that and problem is this rule will still return false positive as both conditions will evaluate as true - a loyalty card is present is true and a loyalty card matching as credit card is present true.