FATQ's: Frequently Asked Technical Questions
  • 20 Mar 2024

Masking

Q: Can you mask other objects like Contact and Account or custom objects?
A: Yes! You simply need to add these objects to the Blackthorn Compliance configuration. Follow these helpful steps.

Q: Can you mask other Personally Identifiable Information (PII) data like social security numbers, driver's licenses, and IP addresses?
A: Yes! You will need to create your own PII patterns in the Compliance configuration. Follow these helpful steps.

Q: Can you mask mixed PII data that has a combination of letters and numbers?
A: Yes! Compliance supports matching mixed data types that include alpha, numeric, and special characters.

Q: Can you unmask data if you need to still see the underlying information?
A: Masking is a permanent alteration of the data. That means the underlying data is not accessible and therefore not editable, viewable, or searchable.

However, you can still do two things:
* Partial Masking: Mask everything but the last 4 characters so you can still verify SSNs, etc.
* Report PII & Mask Later: Set Compliance to "flag" the records that are detected with PII, and then automatically mask them later either with a scheduled mass update after your team has verified the information, or mask individual records from a report generated by Compliance.

Q: I'm testing Compliance, and it's not masking my credit card. What's going on?
A: See My Credit Card Didn't Get Masked! for more details.

Detection Patterns

Q: The user guide indicates that we must use Java Regular Expression. Do you have any documentation on this?
A: Yes, Regular Expressions are powerful but complicated.

Q: Can we scan and identify attachments containing medical and driving license details?
A: Yes, both Compliance and SecureAttachment support matching your custom PII. You will need to create custom detection patterns with REGEX based on the format of PII.

False Positives

Q: Does flagging False Positives prevent similar records from being caught in audits, or is this just used for crowdsourcing? Is turning off detection for that pattern or creating a negative pattern the only way to control false positives?
A: It is only used for crowdsourcing information, and will show up in the Analytics tab. We have a help site section about mitigating false positives, but the main method is negative patterns. Also, if you don't receive any Instapayment credit cards, for example, then patterns like this are worth turning off to avoid any accidental false positives.
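The custom detection patterns, negative patterns, and "all but the last 4 characters" masking described in the Masking, Detection Patterns, and False Positives answers can be tried out in plain Java before entering a regex into the configuration. The following is an added example, not Blackthorn's code: it only demonstrates Java regex semantics. The pattern names, the licence format, the `*` mask character, and the rule that a negative match suppresses an overlapping detection are assumptions made for illustration.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class PiiPatternDemo {
    // Hypothetical custom detection pattern: SSN written as 3-2-4 digits.
    // The lookarounds stop it matching inside a longer run of digits.
    static final Pattern SSN =
        Pattern.compile("(?<!\\d)\\d{3}-\\d{2}-\\d{4}(?!\\d)");

    // Hypothetical mixed alpha/numeric pattern: one capital letter plus
    // seven digits (a constructed format, not a real jurisdiction's).
    static final Pattern LICENCE = Pattern.compile("\\b[A-Z]\\d{7}\\b");

    // Hypothetical negative pattern: the same 3-2-4 shape when the text
    // labels it as an order reference, i.e. a known false positive.
    static final Pattern NOT_SSN = Pattern.compile(
        "(?i)order\\s*(?:ref|no)\\.?\\s*:?\\s*\\d{3}-\\d{2}-\\d{4}");

    // Masks every detected value except its last 4 characters. A detection
    // that starts inside a negative-pattern match is left untouched
    // (assumed behaviour, chosen for this demo).
    static String maskLast4(String text, Pattern detect, Pattern negative) {
        boolean[] excluded = new boolean[text.length()];
        if (negative != null) {
            Matcher n = negative.matcher(text);
            while (n.find()) {
                for (int i = n.start(); i < n.end(); i++) excluded[i] = true;
            }
        }
        StringBuilder out = new StringBuilder(text);
        Matcher m = detect.matcher(text);
        while (m.find()) {
            if (excluded[m.start()]) continue; // suppressed false positive
            for (int i = m.start(); i < m.end() - 4; i++) out.setCharAt(i, '*');
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample text; none of these values are real.
        String body = "SSN 123-45-6789, licence D1234567, Order ref: 555-12-3456";
        String masked = maskLast4(body, SSN, NOT_SSN);
        masked = maskLast4(masked, LICENCE, null);
        System.out.println(masked);
    }
}
```

Running it against your own sample records shows whether a pattern is too broad (it masks the order reference) or too narrow (it misses an SSN written without dashes) before the pattern goes live.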

Logs

Q: Is deleting Logs the only way to remove them from the system after we have masked or deleted the related record? Is there a best practice for when to delete logs?
A: The best practice here depends on whether you care about the Analytics or not. The Reports & Dashboard are based on the Logs. If you delete them, the Analytics will be 0. If you do not want to use Analytics, many customers use a Dataloading tool to mass delete the Logs to conserve data storage space. We do have a script to mass-delete the Logs, but it might be better to use a tool for the job.

Q: There is some confusion over relating a Log to a record. Does the Log always have a link to the related record?
A: The PCIFY Logs will always have a related record in either of the following scenarios:

  • Records are updated (i.e., Before Update).
  • You ran an Audit.
  • Compliance detected PII in Attachments or Content Version.

Attachment and Content Version logs give you the link to the actual Content Version record and the parent Case. Cases don't need a parent record, so the "Parent Link" field will be blank.

Compliance Triggers are Before Insert and Before Update by default. This means that when the Email Message or Case is created, the ID of the record does not exist yet Before Insert, and therefore there will be no related ID in the PCIFY Log. You can disable our default Compliance Triggers and write your own, but this requires thorough knowledge of Apex coding.

SecureAttachment

Q: Are emails containing logos and signatures scanned and counted against our SecureAttachment API usage?
A: Images included in the body of the email message are only included as API calls if they end up in the Attachments' Related List on the Case, as either Attachment or Content Version records.

Audits

Q: If our configuration is set to mask all but the last 4 characters, will this pattern continue to be detected in audits? For example, if we receive an attachment with this pattern, will it be caught in an audit? If so, do we have to modify the detection pattern?
A: Audits work the same as detecting new records. If your configuration is set to "Last4," then during audits you will also mask all but the last 4 characters.

Q: Is detection for Content Version based on the date/timestamp of the Attachment? For instance, if I want to isolate a particular grouping of Attachments, would I run an audit pointed to that specific time frame?
A: The Audit Start Date & End Dates are based on the Created Date of the record. So if you're auditing Content Version, the date range would find all Content Version records created between those dates. (Note: You can change the default Audit date range field to any other Date/Time field type (such as Last Modified Date) by changing the Custom Metadata Types' Manager AuditDateField custom field.)

Q: I know that Attachment is the old Salesforce object and Content Version is the new one. When running an audit, should we use only Object = Content Version or can we use Object = Attachment?
A: This depends on your production org. It is possible for you to have both types of records. There is a chance that you still have old Attachments which could have PII, even if you currently use Content Version. Here is a useful link which explains the difference.

Q: Are the timestamps in the audit the same as our System date?
A: Yes, the "Timestamp" field on the Logs is the same as the System Created Date field.

Enhanced Domains

Q: Does updating the Salesforce domain URL or Enhanced Domain have an impact on the Compliance / SecureAttachment packages?

A: Changes to the Salesforce org/Enhanced Domain URL should not impact Compliance / SecureAttachment since we don't reference any URLs within the app or our licenses.