Might I suggest 2nd factor auth instead of these rules @AmericanExpress?