- 30 Mar 2023
- 7 Minutes to read
During a trial period, Compliance will mask, flag, or delete only three records or files. From the fourth record on, nothing is masked, but a Log record is still created with the following message: “This record was not masked as this org’s license has run out of masked record allowances. Contact Blackthorn.io for questions.”
Install Blackthorn Compliance
Navigate to the latest version of Blackthorn Compliance.
Click Get It Now on the AppExchange listing.
Select Log In, and enter your Production Salesforce credentials.
Choose the environment where you’d like to install Blackthorn Compliance.
If you are already logged into the Salesforce instance where Compliance will be installed, you’ll be redirected to a confirmation page for the installation. Otherwise, you will be directed to a login screen where you can enter the credentials for that environment.
When prompted to select the profiles that will be able to access the installed application, leave the default, Install for Admins Only, selected and click Install.
Compliance will now be installed in your Salesforce org.
- In most cases, this page will automatically refresh noting whether or not the package installed successfully.
- For orgs that have complex logic/code already applied, the installation process may take longer. In this case, an email will be sent to the email address associated with the user who performed the installation, either confirming success or failure of the installation.
After installation, the Compliance package will be visible in the list of Installed Packages in Setup.
How Compliance Works
You’ve installed Compliance, so now what? Good news: Compliance is already blocking credit card numbers from entering your Salesforce org. Once installed, no new record on a supported object can be saved with a credit card number in one of its detection fields.
Detection is Compliance-speak for “stopping credit card numbers from coming in”. Detection scans entire strings of text for numbers that match the format of a known credit card issuer. A format match alone is not enough: Compliance also checks that the number is a valid credit card number, because plenty of other numbers (order numbers, phone numbers, and so on) look like credit card numbers. Compliance never masks a number unless it is a completely valid credit card number.
For example, when a new Case is created and its Description contains a number that matches a known issuer format, Compliance checks whether the number is a valid credit card. If it is, Compliance masks the number before the Case is even saved.
What Types of Credit Cards Does Compliance Detect?
While we’re pretty good at detecting credit cards, we can’t predict the format of every type of credit card on the planet. Compliance comes with detection patterns for the following credit card issuers:
- American Express
- China UnionPay
- Diners Club Carte Blanche
- Diners Club
Note: If you need to detect credit card number types not listed here or other Personally Identifiable Information (PII) (e.g. social security numbers) then check out Detection Patterns.
But what if the credit card isn’t in the right format?
It doesn’t matter. Compliance will detect the following formats:
- 4111 1111 1111 1111
- “Here is my valid credit card 4111111111111111 thanks!”
Spaces between digit groups and surrounding text are fine. Compliance will not detect a number whose digit groups are separated by other characters, for example: 4111%1111&1111*1111.
Auditing is Compliance-speak for “finding the credit card numbers already stored in Salesforce”. Audit actually uses the exact same technology as Detection, except it scans your historical Salesforce data for credit card numbers.
**Example:** Let’s say you have a number of Cases from 2016 with credit card numbers stored on them. Configure an Audit to run across all Cases from 2016. Audit finds the credit card numbers, masks them, and sends you an email when it’s done.
When you have completed an Audit, Compliance stores the results in records called “[Logs](doc: logging-the-log-object)”. These Log records drive the native reporting and dashboards for Compliance. Check out the Analytics tab for more information on Audit results.
Detection and Audit Actions
Actions in Compliance are “what happens when you find a credit card number”. The default action is to mask the number upon detection, but you are also able to Report and Delete records.
When a credit card number is detected, the default (and recommended) Action is Mask (labelled Update in the Manager record). The credit card number is overwritten and permanently removed from your Salesforce org. This is NOT the same as encryption: you cannot get the data back once it has been masked.
But what if I don’t want to mask the numbers? You can instead Report the records flagged as containing credit card numbers. Reporting only creates a Log record; the number stays in the field until you remove it manually, so the record continues to hold cardholder data in the meantime.
Better safe than sorry! Some customers don’t want to risk storing any PII at all: if a customer sends you their credit card number, how likely is it that they have sent other sensitive information alongside it? Selecting “Delete” as your Audit or Detection Action deletes the entire record when a credit card number is detected. For example, if a valid credit card number is detected in the body of an Email Message, the whole Email Message record is deleted.
Detection Patterns are how Compliance finds credit card numbers and other PII. We use a combination of Regular Expressions (RegEx) to match specified patterns of numbers. The Custom Metadata Type “DetectionPattern” comes pre-configured with 15 patterns. These patterns are the most likely instances of credit card numbers to be found in your Salesforce org. You may turn some of these off if you would like, and you can even add your own patterns!
Credit card numbers are given special treatment in Compliance. When a Detection Pattern is a “Credit Card Pattern”, we go beyond a simple RegEx match - we also make sure that the credit card number is valid. This way we can avoid false positives getting masked accidentally. Check out the section Configure Detection Patterns for how to set up your own patterns.
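As an added, self-contained illustration of the Detection, format-handling, and Detection Pattern behaviour described above (this is not Blackthorn's code and not the package's DetectionPattern metadata), the Python below scans a field value for issuer-formatted numbers, validates each with the Luhn (mod 10) checksum, and then applies an Update, Report, or Delete action. The page says only that the number is checked for validity; Luhn is the standard card checksum and is an assumption here. The issuer prefix rules, the Visa entry (added because the page's own sample number is Visa-formatted), the hyphen separator, the X mask character, and the function names are also assumptions.

```python
import re
from dataclasses import dataclass, field

# Issuer formats. The page lists American Express, China UnionPay, Diners Club
# Carte Blanche and Diners Club; Visa is added because the page's own sample
# number (4111 1111 1111 1111) is Visa-formatted. Prefix/length rules are the
# publicly documented IIN ranges and are an assumption, not the package's own
# DetectionPattern records.
ISSUER_PATTERNS = {
    "American Express": re.compile(r"3[47]\d{13}"),
    "China UnionPay": re.compile(r"62\d{14,17}"),
    "Diners Club Carte Blanche": re.compile(r"30[0-5]\d{11}"),
    "Diners Club": re.compile(r"3[689]\d{12}"),
    "Visa": re.compile(r"4\d{12}(?:\d{3})?"),
}

# A candidate is a run of 13-19 digits, optionally split by single spaces
# (the page's "4111 1111 1111 1111") or hyphens (an assumption). Lookarounds
# stop the scan from starting or ending in the middle of a longer digit run.
# "4111%1111&1111*1111" produces no candidate: % & * are not separators, so
# each group of four stands alone and is too short.
CANDIDATE = re.compile(r"(?<!\d)(?<!\d[ -])(?:\d[ -]?){12,18}\d(?![ -]?\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) checksum: the validity test assumed here for a "valid card"."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(digits: str):
    """Return the issuer whose format the digit string matches, else None."""
    for issuer, pattern in ISSUER_PATTERNS.items():
        if pattern.fullmatch(digits):
            return issuer
    return None


def find_cards(text: str):
    """Spans that match an issuer format AND pass Luhn. Order numbers and
    phone numbers that merely look like a card fail one of the two tests."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        issuer = classify(digits)
        if issuer and luhn_ok(digits):
            hits.append((m, issuer))
    return hits


@dataclass
class Result:
    text: str                    # field value after the action
    findings: list               # issuer name per detected card (no PAN in logs)
    delete_record: bool = False
    log: list = field(default_factory=list)


def process_record(text: str, action: str = "Update") -> Result:
    """Apply a Detection Action (Update = mask, Report, Delete) to one field value."""
    hits = find_cards(text)
    result = Result(text=text, findings=[issuer for _, issuer in hits])
    if not hits:
        return result
    if action == "Delete":
        result.delete_record = True          # the whole record goes, not just the field
    elif action == "Update":
        # Mask in place. The page does not say what a masked value looks like;
        # replacing every digit with X and keeping separators is an assumption.
        masked = text
        for m, _ in reversed(hits):          # right-to-left so offsets stay valid
            masked = masked[:m.start()] + re.sub(r"\d", "X", m.group()) + masked[m.end():]
        result.text = masked
    # Report: log only, value untouched. Every action writes a Log entry.
    result.log.append(f"{action}: {len(hits)} credit card number(s) detected")
    return result


if __name__ == "__main__":
    # Constructed sample values, including the page's three format examples.
    samples = [
        "4111 1111 1111 1111",
        "Here is my valid credit card 4111111111111111 thanks!",
        "4111%1111&1111*1111",
        "Order 4111111111111112 shipped",         # Visa format, fails Luhn
        "Call 1-800-555-0199 for support",        # too short to be a card
    ]
    for s in samples:
        r = process_record(s)
        print(f"{', '.join(r.findings) or 'no card':<10} | {r.text}")
```

Running it prints the page's three format examples plus a Visa-formatted order number that fails the checksum and a phone number that is too short; only the first two are masked. Note that the log carries the issuer and a count, never the card number itself, since a Log record that stores the PAN would simply move the cardholder data to another object.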
What Objects Does Compliance Support?
While Compliance can be extended to support any object in Salesforce, it is pre-configured to support the following objects.
| Object | Preconfigured Detection Fields |
|---|---|
| Case Comment | Comment Body |
Instant upgrades are available for the following objects.
| Object | Preconfigured Detection Fields | Required Package |
|---|---|---|
| Content Version | Version Data | Compliance-Files |
| Feed Item | Title, Body | Compliance-Chatter |
| Feed Comment | Comment Body | Compliance-Chatter |
| Email Message | Subject, Text Body, HTML Body | Compliance-Email2Case |
If you need to detect credit card numbers on other objects in Salesforce then check out Extending Blackthorn Compliance to Other Objects for how to add your own objects to Compliance.
Note: Compliance is a Lightning App. If you are a Salesforce Classic user, you will need to temporarily switch to Lightning Experience before configuring Compliance; you can switch back to Classic when you’re done. Lightning Experience does not need to be enabled for your Salesforce org or for any other users.
When you install Compliance, nearly all of the configuration is already done for you. Depending on your Salesforce org, you may not need to change the default configuration at all. We recommend running with the configuration as-is first and changing it only when you have a specific need.
If you are a Classic User, click the Switch to Lightning Experience link. Otherwise, go to the next step.
Open the App Launcher menu.
Select Blackthorn Compliance.
If you want to configure a specific object, click the object name.
Otherwise navigate to Setup > Custom Code > Custom Metadata Types > Manager > Manager Records.
You should see a list of Manager records.
Press Edit on the object you wish to configure.
Enter a comma-delimited list of Salesforce field API names in Detection Fields (the value must be less than 255 characters).
- Do not add any trailing commas or spaces.
- Fields listed beyond the 255-character limit are not included in masking.
- If you need more than 255 characters, add your additional fields to DetectionFieldsPlus.
Select Detection Action.
- Update: masks credit card numbers Compliance detects on records. Compliance will create a Log record when this action occurs.
- Report: creates a Log record when this action occurs but will NOT mask the credit card number. You can view the reported records in the PCIFY Reports Folder.
- Delete: deletes the entire records (Case, Email Message, etc) if PII is detected.
Press Save.
All Done! Next up, you should learn How to Run an Audit to remove PII from your existing records.
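As an added helper for the Detection Fields step above (this is not part of Blackthorn Compliance), the Python below checks a Detection Fields value against the rules listed there and packs a long list of field API names into Detection Fields and DetectionFieldsPlus. The 255-character limit comes from the page; applying the same limit to DetectionFieldsPlus, the API-name pattern, and the function names are assumptions.

```python
import re

MAX_LEN = 255                                        # the page's limit on Detection Fields
API_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")    # standard and custom (__c) field API names


def check_detection_fields(value: str) -> list:
    """Return the problems in a Detection Fields value; an empty list means it is safe to save."""
    problems = []
    if len(value) >= MAX_LEN:
        problems.append(f"{len(value)} characters; must be less than {MAX_LEN}")
    if value.endswith((",", " ")):
        problems.append("trailing comma or space")
    for name in value.split(","):
        if name != name.strip():
            problems.append(f"whitespace around {name!r}")
        elif not API_NAME.match(name):
            problems.append(f"{name!r} is not a field API name")
    return problems


def pack_detection_fields(names: list) -> tuple:
    """Join API names into Detection Fields and overflow into DetectionFieldsPlus
    once the next name would push the value to 255 characters or more.
    Assumes DetectionFieldsPlus has the same limit (the page does not say)."""
    primary, plus = [], []
    for name in names:
        if len(",".join(primary + [name])) < MAX_LEN:
            primary.append(name)
        else:
            plus.append(name)
    return ",".join(primary), ",".join(plus)


if __name__ == "__main__":
    # Constructed values for a Case Manager record.
    print(check_detection_fields("Subject,Description"))         # nothing wrong
    print(check_detection_fields("Subject, Description,"))       # trailing comma, stray space
    many = [f"Notes_{i:02d}__c" for i in range(40)]
    fields, plus = pack_detection_fields(many)
    print(len(fields), "chars in Detection Fields;", len(plus), "chars in DetectionFieldsPlus")
```

Run the checker on the exact string you are about to paste into the Manager record: a stray space after a comma is easy to miss in the UI and silently drops the field that follows it from masking.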