Search This Blog

Friday, 19 August 2011

Blocking Credit Card numbers with Exchange 2007/2010

As part of the PCI compliance legislation in the UK we have been asked to block all incoming emails that contain credit card numbers to one of our customers. We cannot receive any emails that contain numbers so we knew we had to block them before they were delivered to the server and not filter them once they had been accepted.

This can be achieved with the Exchange Transport Rules.

Transport Rules allow for pattern matches on certain characters on messages that are routed through Exchange, full details of this can be read here

Credit card numbers have a certain format, Visa and Mastercard use 16 digits in blocks of 4 starting with a 4 and 5 respectively so

4xxx xxxx xxxx xxxx
5xxx xxxx xxxx xxxx

Discovery uses 16 digits in a block of 4 starting with 6011 so

6011 xxxx xxxx xxxx

AMEX uses 15 digits in blocks of 5,6 then 4 starting with a 3 so

3xxxx xxxxxx xxxx

To match these with a rule we need to use several pattern matches.


The matches here are \d for any numeric character, \s for a white space so these match for the following


This is great but we need to match for people using spaces, periods or hyphens so we need to increase the pattern match to account for this.


This match uses the parenthesis () to distinguish choices that can be made mid match so if we need to match four numbers and then a space, period or hyphen we can see this as

\d\d\d\d - Match 4 numbers
(\s|.|-) - Match either a space, period or hyphen

Note the use of the pipe character | here this is used as an OR in the match statement to choose the different type of character.

Now using this we can match for any variation of character that distinguish 16 digits and then add different matches for the 15 digit cards from AMEX.


All you need to do now is take some action when the match occurs, in our case we reject the email with a custom message and the SMTP code 5.7.1

No comments:

Post a Comment