You have a configured a data loss prevention (DLP) with the following settings: 

After implementing the policy, your users are reporting that they can still send credit card number information out of the organization by mail. What must you change to ensure that the policy works as intended (stop information within the U.S. Patriot Act from being shared outside of the organization)?

Answer options:

A.Encrypt email messages (applies only to content in Exchange)
B.Locations
C.Choose the information to protect.
D.Let people who see the tip override the policy.

Correct Answer: B 
In this policy all locations are disabled: Exchange email, SharePoint sites, OneDrive Accounts, Teams chat and channel messages. 
You must enable the location of the service you want to impact: 

Since the answer is given in the documentation, the other options are incorrect. 
Reference:
To know more about implementing DLP policies, please refer to the link below: 

https://docs.microsoft.com/en-us/microsoft-365/compliance/create-test-tune-dlp-policy?view=o365-worldwide