Content & Policy Template for Credit Cards

Description

The Content & Policy settings include a credit card template in the Sensitive Data tab. The template can be applied to email that is inbound, outbound, or both. Increased regulations and compliance rules demand that sensitive information is protected, and the credit card template provides a quick option to take action on detection of credit card numbers in an email.

The credit card template evaluates the raw body content of a message for credit card matches. The rule has some intelligence to look for valid credit card numbers rather than just a digit count or pattern. Even so, the rule is not perfect: card numbers can be missed, and code in the raw body content can cause false positives.

IMPORTANT NOTE: If you are managing a domain with credit card templates that were enabled prior to December 11, 2017, please disable and immediately re-enable the policy template to ensure the latest template is applied.

Applies to:

Console, Content & Policy, CloudFilter, SafeSend, Bracket

Using the Template

Requirements

The credit card template can be applied to the domain, user group, and individual user levels. Some of the template's features have requirements to make actions available.

  • Inbound Email
    • Available with CloudFilter
    • Template is not turned on by default
  • Outbound Email
    • Requires a user group enabled with SafeSend
    • Template is not turned on by default
  • Encrypt Email
    • Requires a user group enabled with Bracket encryption
    • Template is not turned on by default
    • Default template action is to quarantine outbound email

Enabling the Template

To enable the credit card template, go to the Content & Policy settings page for the domain or a user group. If setting the rule at the domain level, find the link in the right-hand navigation as shown in Figure 1.

Fig. 1
Domains.png

The credit card templates are turned off by default. If the domain or user group you are managing has SafeSend enabled, you will see two credit card templates. One template is the inbound email rule, and the other is the outbound rule, as shown in Figure 2.

Fig. 2
CC_Template.png

Changing the Action with Bracket Encryption

Managing a user group with Bracket encryption enabled provides an additional setting to change the action taken when an outbound email matches the credit card template rule. By default, the response is to quarantine the outbound message to the policy quarantine. The action can be changed to Encrypt, which will send the message through Bracket encryption regardless of the subject line's content. The setting for outbound email to be encrypted when matching the credit card template is shown in Figure 3.

Fig. 3
Content_Filtering.png

Template Criteria

Matching the Rule

Credit card numbers are not a random set of digits in a particular pattern. Each bank or card issuer has a set of numbers that identify the bank, called an Issuer Identification Number (IIN). The credit card template looks for valid card issuer numbers to reduce the false positives that would otherwise occur.

For detailed information about IINs, please visit the Wikipedia page on Issuer Identification Numbers.

The credit card template looks for and recognizes the following credit card issuers:

  • American Express
  • Discover Card
  • JCB
  • MasterCard (including the new 2221 - 2739 range)
  • Visa

The rule will evaluate a number if it is preceded by whitespace or starts on a new line. The rule recognizes 15- or 16-digit strings of numbers, with or without spaces or dashes in the places where they are traditionally found in credit card numbers.

False Positives and Misses

The rule attempts to be inclusive of the common ways users send credit card information while reducing false positives by checking for valid card issuer numbers. However, a "perfect credit card" rule does not exist, and users can type in numbers that may create a false positive or missed match situation.

Also keep in mind that the rule evaluates the raw body content of an email, which can include HTML, MIME, and other encoding information that can trigger a false positive. The rule attempts to reduce those false positives by looking for whitespace before the beginning of the number and possible punctuation at the end.
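The matching criteria and raw-body caveats described above, sketched as an added example; this is not Mailprotector's actual rule, which this page does not publish. The regular expression, the `issuer` and `scan` names, the IIN prefixes (from public IIN tables, with the MasterCard 2-series range as this page gives it), and the sample message built from published test card numbers are all assumptions made for illustration.

```python
import re

# Candidate: preceded by start-of-text or whitespace, 16 digits grouped 4-4-4-4
# or 15 digits grouped 4-6-5 (spaces/dashes optional), then optional trailing
# punctuation followed by whitespace or end of text.
CANDIDATE = re.compile(
    r"(?<!\S)(\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}|\d{4}[ -]?\d{6}[ -]?\d{5})"
    r"(?=[.,;:!?)]?(?:\s|$))"
)

def issuer(digits):
    """Return the issuer name for a digit string, or None if no IIN matches."""
    p2, p3, p4 = int(digits[:2]), int(digits[:3]), int(digits[:4])
    if len(digits) == 15:
        return "American Express" if p2 in (34, 37) else None
    if digits[0] == "4":
        return "Visa"
    if 51 <= p2 <= 55 or 2221 <= p4 <= 2739:  # 2-series range as stated on this page
        return "MasterCard"
    if p4 == 6011 or p2 == 65 or 644 <= p3 <= 649:
        return "Discover Card"
    if 3528 <= p4 <= 3589:
        return "JCB"
    return None

def scan(raw_body):
    """Return (issuer, digits) for every candidate whose IIN is recognized."""
    hits = []
    for m in CANDIDATE.finditer(raw_body):
        digits = re.sub(r"[ -]", "", m.group(1))
        name = issuer(digits)
        if name:
            hits.append((name, digits))
    return hits

# Constructed raw body (assumption): public test card numbers, not real accounts.
SAMPLE = (
    "Content-Type: text/html; charset=utf-8\n\n"
    "Please charge 4111 1111 1111 1111, exp 01/30.\n"   # match: Visa
    "Amex on file: 3782-822463-10005\n"                 # match: American Express
    "<td>5555-5555-5555-4444</td>\n"                    # miss: HTML tag, no whitespace before
    "Ticket 9999 8888 7777 6666 is closed.\n"           # rejected: no known IIN
    "Order ref 4000123412341234\n"                      # false positive: ID starting with 4
)

if __name__ == "__main__":
    for name, digits in scan(SAMPLE):
        print(name, "ending", digits[-4:])
```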

Despite best efforts, and given the possibility that card issuers make a change, please be aware that the credit card template should not be considered "fool-proof."

If you have additional questions about the credit card template and how it may or may not have matched on a particular email, please contact Mailprotector Support.

 
