The Credit Card Data Identifier is generating false positive incidents for a csv file.


Article ID: 383518


Products

Data Loss Prevention Enterprise Suite, Data Loss Prevention, Data Loss Prevention Cloud Detection Service, Data Loss Prevention Cloud Detection Service for ICAP, Data Loss Prevention Cloud Detection Service for REST, Data Loss Prevention Network Email, Data Loss Prevention Network Monitor, Data Loss Prevention Network Discover, Data Loss Prevention Network Monitor and Prevent for Email, Data Loss Prevention Network Monitor and Prevent for Email and Web, Data Loss Prevention Network Monitor and Prevent for Web, Data Loss Prevention Network Prevent for Email

Issue/Introduction

The system-defined Data Identifier "Credit Card Number" is returning false positives: text of the form four digits, full stop, four digits, comma, four digits, full stop, four digits is matched by the following pattern:

22[3-9]\d[ -.]\d{4}[ -.]\d{4}[ -.]\d{4}

As a result, two separate cells in a CSV file, each containing four digits, a full stop and four digits, are matched together as four groups of four digits.

For example: 

Cause

If we run the DLP filter.exe tool on the CSV file to output the content seen during detection, we have this result:

During detection, the comma separator is removed, and only the dot inside each number remains.

Some of the resulting matches pass the Luhn check and are therefore recognised as potential credit card numbers, which triggers an incident.

Resolution

Create a custom Data Identifier with the pattern [0-9]{4}\.[0-9]{4},[0-9]{4}\.[0-9]{4} that matches only those values, and add it as a policy exception to the policy that is generating the false positives.
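The following script is an added example, not part of the original article or of the DLP product. It can be used to triage a CSV file offline: it reports which cell pairs hit the pattern from the Issue section, whether they pass the Luhn check, and whether the custom pattern from the Resolution section covers them. It assumes that extraction replaces each comma with a single space and that the separator set is space, dot and hyphen; the function names and sample rows are constructed for illustration.

```python
import re

# Pattern from the Issue section. Python would read "[ -.]" as a character
# range, so the separators are listed explicitly (assumed set: space, dot, hyphen).
CARD = re.compile(r"22[3-9]\d[ .-]\d{4}[ .-]\d{4}[ .-]\d{4}")
# Custom Data Identifier pattern from the Resolution section.
EXCEPTION = re.compile(r"[0-9]{4}\.[0-9]{4},[0-9]{4}\.[0-9]{4}")


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def extracted_view(line):
    """Assumption: content extraction turns each comma into one space."""
    return line.replace(",", " ")


def triage(line):
    """List (raw_text, passes_luhn, covered_by_exception) for each pattern hit."""
    hits = []
    for m in CARD.finditer(extracted_view(line)):
        raw = line[m.start():m.end()]  # offsets align: the replacement is 1:1
        digits = re.sub(r"\D", "", raw)
        hits.append((raw, luhn_ok(digits), EXCEPTION.fullmatch(raw) is not None))
    return hits


# Constructed sample rows, not taken from the article.
SAMPLE_ROWS = [
    "A1,2234.5678,9012.3450,ok",  # digits pass Luhn: would raise an incident
    "A2,2234.5678,9012.3451,ok",  # pattern hit, but Luhn fails
    "A3,1234.5678,9012.3450,ok",  # first cell does not start with 22[3-9]
]

if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        print(row, "->", triage(row))
```

Rows where the second field is True and the third is False would still raise incidents after the exception is added and need a separate look.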
