
DLP PCI Functionality Inquiry.


Provided Information:

-  WebGateway Ver 7.3.2 & 7.4.0

-  Mode Op:  Proxy

- Ruleset:  PCI

We are trying to block credit card numbers as per PCI compliance, so we are using the PCI Classification Template on a ruleset that should prevent them from leaving our internal network via "Posting them" or "Uploading them inside a file". We have performed the following tests:

-  Posting on a forum a credit card number - NOT BLOCKING.

-  Uploading a txt file with a credit card number inside - NOT BLOCKING.

-  Uploading a txt file with a credit card number and appending the words "CREDIT CARD" - BLOCKED.

As far as I understand, the DLP functionality should analyze and block any information related to credit cards when we use the PCI Template, so... is that true or not? Am I missing something?



3 Replies

Re: DLP PCI Functionality Inquiry.

DLP on the Web Gateway is kind of a black box.  We know what rules there are, but we don't get any visibility into how the rules work.

I see two credit card number classifications in the default PCI checks for DLP; (A)Credit Card Number Violations and (B)Bulk Credit Card Number Violations.  While we are not able to see exactly how these work, based on past experience I would go with the following:

(A) Looks for credit card numbers that match a Luhn check, but also have a proximity to certain keywords (such as "credit card") to reduce false positives.

(B) Looks for credit card numbers that match a Luhn check, without the proximity check, but requires there be more than a certain large number of them.

The Network DLP (Prevent) system allows you to see and adjust the policies as you need, so we can get an example of what the values may be.  (A) has a proximity requirement for the keywords of 500 bytes.  (B) still has the proximity (now within 2500 bytes), and requires that there be at least 100 matching numbers.  There is nothing to say that these match up exactly, but I know that they use similar engines to do the work, and would assume therefore similar rules.

Support or sales may have more insight into how exactly the built-in DLP classifications work, but if you want to tune things or have better control your best bet is to use a NDLP product.  That would also give you the option of seeing what items have triggered and properly review them.


Re: DLP PCI Functionality Inquiry.

Thanks for your feedback! So, have you tried NDLP under my scenario (block only credit card numbers)?

Re: DLP PCI Functionality Inquiry.

I haven't set it up *only* for credit card numbers, usually I have several policies that we are interested in.  That being said, yes, I have been able to block a variety of things.

If I wanted a policy to block the numbers without the keyword proximity check, that would be very easy to set up, but generally not advised.  There would be a lot of false positives.
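A small model of the behaviour the replies above describe, as an added example that is not part of the thread and not McAfee's implementation: a Luhn check plus keyword proximity for (A), and a count threshold for (B). The thresholds are the Network DLP values quoted above; applying them to the Web Gateway, the digit pattern, the function names and the sample data are assumptions.

```python
import re

# Network DLP values quoted in the thread. The Web Gateway's built-in values
# are not visible, so reusing them here is an assumption.
KEYWORDS = (b"credit card",)  # the only keyword the thread names
SINGLE_PROXIMITY = 500        # bytes, classification (A)
BULK_PROXIMITY = 2500         # bytes, classification (B)
BULK_MIN_COUNT = 100          # matching numbers required for (B)

# Assumed pattern: 13 to 19 digits, optionally separated by spaces or hyphens.
CANDIDATE = re.compile(rb"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_ok(digits: bytes) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ch - 48  # ASCII digit to int
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def card_spans(data: bytes):
    """(start, end) offsets of every Luhn-valid candidate in data."""
    return [m.span() for m in CANDIDATE.finditer(data)
            if luhn_ok(re.sub(rb"[ -]", b"", m.group()))]

def near_keyword(data: bytes, span, distance: int) -> bool:
    window = data[max(0, span[0] - distance):span[1] + distance].lower()
    return any(k in window for k in KEYWORDS)

def classify(data: bytes, require_keyword: bool = True):
    """Names of the classifications that fire, in the order (A), (B)."""
    spans = card_spans(data)
    def hits(distance):
        return [s for s in spans if not require_keyword or near_keyword(data, s, distance)]
    fired = []
    if hits(SINGLE_PROXIMITY):
        fired.append("credit_card_number")
    if len(hits(BULK_PROXIMITY)) >= BULK_MIN_COUNT:
        fired.append("bulk_credit_card_numbers")
    return fired

# Constructed samples mirroring the three tests in the first post, plus a bulk
# file and a Luhn-valid non-card number. 4111111111111111 is a test number.
SAMPLES = {"forum_post": b"message=4111111111111111",
           "txt_number_only": b"4111 1111 1111 1111\n",
           "txt_with_keyword": b"CREDIT CARD 4111111111111111\n",
           "bulk_export": b"credit card export\n" + b"4111111111111111\n" * 100,
           "tracking_id": b"shipment tracking id 1234567812345670"}
```

With `require_keyword=False` the `tracking_id` sample is flagged even though it is not a card number, which is the false-positive cost the last reply mentions.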
