Data Classification Tips: Finding Credit Card Numbers

Data classification is a critical piece of the data governance puzzle.  In order to be successful at governing data, you have to know—at all times—where your sensitive data is concentrated,...
Rob Sobers
1 min read
Last updated June 9, 2023

4 Useful Regular Expressions and Algorithm Combinations for Finding Credit Card Numbers

Data classification is a critical piece of the data governance puzzle.  In order to be successful at governing data, you have to know—at all times—where your sensitive data is concentrated, unencrypted, and potentially overexposed.

One of the standard ways to find sensitive data is to use Regular Expressions (RegEx) to match patterns. Used by themselves, regular expressions often identify too much—some of the numbers they find are not really credit numbers, even though they match the pattern you’re looking for.  These “false positives” can be reduced by using algorithmic verification, such as Luhn, or IBAN.  If you don’t know what Regular Expressions are, or you are a bit rusty on the syntax, there are some excellent tutorials on the web (start here or here). If you’d like some help validating your results with Luhn, a good article can be found here (The Varonis IDU Classification Framework has algorithmic validation built-in).

Get a Free Data Risk Assessment

What’s considered sensitive?

Well, that really depends on who you’re asking.  Many organizations have idiosyncratic data such as customer or patient IDs, payroll codes, etc. that they want to keep confidential.  But some things are universally considered sensitive – like credit card numbers.

Thus, we figured credit card numbers would be a perfect place to start our RegEx compendium.  Enjoy!

Mastercard – validate with Luhn

\b(?<![:$._'-])3[47](?:\d{13}|\d{2}[ -]\d{6}[ -]\d{5})\b

AMEX – validate with Luhn

\b(?<![:$._'-])3[47](?:\d{13}|\d{2}[ -]\d{6}[ -]\d{5})\b

Discover – validate with Luhn

\b(?<![:$._'-])6(?:011|5\d{2})(?:\d{12}|[ -]\d{4}[ -]\d{4}[ -]\d{4})\b

Visa – validate with Luhn

\b(?<![:$._'-])(4\d{3}[ -]\d{4}[ -]\d{4}[ -]\d{4}\b|4\d{12}(?:\d{3})?)\b

Special thanks to the Varonis Systems Engineering team for their contributions! In future posts, we’ll share tips for finding other sensitive data using regular expressions, algorithmic verification, and other metadata like permissions and access activity.

Photo credit: Shawn Rossi – http://www.flickr.com/photos/shawnzlea/527857787/

What should I do now?

Below are three ways you can continue your journey to reduce data risk at your company:

1

Schedule a demo with us to see Varonis in action. We'll personalize the session to your org's data security needs and answer any questions.

2

See a sample of our Data Risk Assessment and learn the risks that could be lingering in your environment. Varonis' DRA is completely free and offers a clear path to automated remediation.

3

Follow us on LinkedIn, YouTube, and X (Twitter) for bite-sized insights on all things data security, including DSPM, threat detection, AI security, and more.

Try Varonis free.

Get a detailed data risk report based on your company’s data.
Deploys in minutes.

Keep reading

Varonis tackles hundreds of use cases, making it the ultimate platform to stop data breaches and ensure compliance.

what-is-data-governance?-framework-and-best-practices
What Is Data Governance? Framework and Best Practices
Data Governance helps organize, secure, and standardize data for all types of organizations. Learn more about data governance frameworks here.
5-data-governance-reports-for-data-owners
5 Data Governance Reports for Data Owners
This blog will cover five Varonis reports that you can automatically generate for data owners to promote strong data governance practices. We will show you how to create, customize, schedule,...
what-is-data-classification?-guidelines-and-process
What is Data Classification? Guidelines and Process
Data classification is the process of analyzing data and organizing it into categories. Learn how to mitigate and manage governance policies with Varonis.
the-difference-between-data-governance-and-it-governance
The Difference Between Data Governance and IT Governance
Lately, we’ve been so focused on data governance, extracting the most value from our data and preventing the next big breach, many of us have overlooked IT governance fundamentals, which...