Why your business needs a Credit Card DLP Rule

One misplaced card number can trigger PCI-DSS penalties and cyber-insurance exclusions. Microsoft 365 already ships with everything you need to stop that risk. Below you’ll create two Microsoft Purview DLP policies—one for Exchange Online and one for SharePoint/OneDrive

Licensing & role prerequisites

• Microsoft Entra ID P1 (or any suite that includes it).

• Compliance Administrator or Global Admin role.

Policy A – Block credit-card data in Exchange email

Imagine the daily workflow in a finance department:

• Any email that holds a credit-card number must be blocked for everyone.

• One exception: messages sent by anyone on the Finance Team to externaluser@domain.com are allowed.

• When a block happens, the Compliance Admin gets an alert, the sender sees a policy-tip, and no one can override the block.

• Every incident is logged in detail so it can be investigated later.

The Exchange-only policy below is built precisely to meet that requirement—without third-party tools or manual inbox audits.

1. Purview portal > Data loss prevention > Policies > Create policy.

2. Templates > Financial > U.S. Financial Data > Next.

3. Name the policy PCI-Email – Credit Card DLP Rule.

4. Locations: turn on Exchange email only. Click Next.

5. Choose Next.

6. On the Define policy settings page the Create or customize advanced DLP rules option should already be selected.

7. Select Next.

8. Select Create rule. Name the rule and provide a description.

9. Under Conditions select Add condition > Content contains

10. (Optional) Enter a Group name.

11. (Optional) Select a Group operator

12. Select Add > Sensitive info types > Credit Card Number.

13. Choose Add.

14. Next, beneath the Content contains section, choose Add group.

15. Leave the Boolean operator set to AND, then set the toggle to NOT.

16. Select Add condition.

17. Select Sender is a member of.

18. Select Add or remove distribution groups.

19. Select Finance Team and then choose Add.

20. Choose Add condition > Recipient is.

21. In the email field, enter "externaluser@domain.com" and select Add .

22. Under Actions, select Add an action > Restrict access or encrypt the content in Microsoft 365 locations

23. Select Block users from receiving email or accessing shared SharePoint, OneDrive, and Teams files, and then select Block everyone.

24. Set the User notifications toggle to On.

25. Select Email notifications > Notify the person who sent, shared, or last modified the content.

26. Choose whether or not to Attach matching email message to the notification.

27. Choose whether or not to add Policy tips.

28. Under User ovverides, make sure that Allow overrides from Microsoft 365 apps and services ... is NOT selected.

29. Under Incident reports, set Use this severity level in admin alerts and reports to High.

30. Set Send alert every time an activity matches the rule toggle to On..

31. Choose Save.

32. Choose Next, then choose Run the policy in simulation mode.

33. Choose Next and then choose Submit.

34. Choose Done.

Test: Send an email containing 4111 1111 1111 1111 + “Visa.” The message is blocked and a policy-tip explains why.

Policy B – Block external sharing of card data in SharePoint & OneDrive

Imagine you want to stop staff from sending sensitive files outside the company, but only when those files contain credit-card numbers, U.S. Social Security numbers. HR needs to keep working with their own data, so they’re exempt. Whenever a block happens, both the user and the security team should know immediately—no overrides allowed, and every event must appear in Purview audit logs.

1. Create another policy (same path as above), choose Custom policy.

2. Select Next.

3. Accept the default Full directory on the Assign admin units page.

4. Choose Next.

5. Choose where to apply the policy.

   1. Ensure that the the SharePoint sites and OneDrive accounts locations are selected.

   2. Deselect all other locations.

   3. Select Edit in the Actions column next to OneDrive accounts.

   4. Select All users and groups and then select Exclude users and groups.

   5. Choose +Exclude and then Exclude groups.

   6. Select Human Resources.

6. Choose Done and then choose Next.

7. On the Define policy settings page, the Create or customize advanced DLP rules option should already be selected. Choose Next.

8. On the Customize advanced DLP rules page, select + Create rule.

9. Give the rule a Name and a description.

10. Select Add condition and use these values:

    1. Choose Content is shared from Microsoft 365.

    2. Select with people outside my organization.

11. Under Actions, add an action with these values:

    1. Restrict access or encrypt the content in Microsoft 365 locations.

    2. Block only people outside your organization.

12. Set the User Notifications toggle to On.

13. Select Notify users in Office 365 services with a policy tip and then select Notify the user who sent, shared, or last modified the content.

14. Under User overrides, make sure that Allow override from M365 services is NOT selected.

15. Under Incident reports:

    1. Set Use this severity level in admin alerts and reports to Low.

    2. Set the toggle for Send an alert to admins when a rule match occurs to On.

16. Under Send email alerts to these people (optional), choose + Add or remove users and then add the email address of the security team.

17. Choose Save and then choose Next.

18. On the Policy mode page, choose Run the policy in simulation mode and Show policy tips while in simulation mode.

19. Choose Next and then choose Submit.

20. Choose Done.

Test: Upload a spreadsheet with card numbers to a SharePoint site and try to create an external sharing link—link creation should be blocked.

Result

With two coordinated policies you now have a Microsoft 365 Credit Card DLP Rule that stops card data in email and prevents external file sharing—covering the core PCI-DSS use-cases without third-party tools.

How PlexHosted can help

PlexHosted’s engineers map every PCI control to native Microsoft 365 settings, craft user-friendly policy-tip wording, automate roll-outs, and deliver quarterly reports your auditors (and insurers) will love. Book a 30-minute call and claim our free 12-point PCI readiness checklist to see where you stand.