Inside Out Security Blog   /  

Data Classification Tips: Finding Credit Card Numbers

Data Classification Tips: Finding Credit Card Numbers


    4 Useful Regular Expressions and Algorithm Combinations for Finding Credit Card Numbers

    Data classification is a critical piece of the data governance puzzle.  In order to be successful at governing data, you have to know—at all times—where your sensitive data is concentrated, unencrypted, and potentially overexposed.

    One of the standard ways to find sensitive data is to use Regular Expressions (RegEx) to match patterns. Used by themselves, regular expressions often identify too much—some of the numbers they find are not really credit numbers, even though they match the pattern you’re looking for.  These “false positives” can be reduced by using algorithmic verification, such as Luhn, or IBAN.  If you don’t know what Regular Expressions are, or you are a bit rusty on the syntax, there are some excellent tutorials on the web (start here or here). If you’d like some help validating your results with Luhn, a good article can be found here (The Varonis IDU Classification Framework has algorithmic validation built-in).

    What’s considered sensitive?

    Well, that really depends on who you’re asking.  Many organizations have idiosyncratic data such as customer or patient IDs, payroll codes, etc. that they want to keep confidential.  But some things are universally considered sensitive – like credit card numbers.

    Thus, we figured credit card numbers would be a perfect place to start our RegEx compendium.  Enjoy!

    Mastercard – validate with Luhn

    \b(?<![:$._'-])3[47](?:\d{13}|\d{2}[ -]\d{6}[ -]\d{5})\b

    AMEX – validate with Luhn

    \b(?<![:$._'-])3[47](?:\d{13}|\d{2}[ -]\d{6}[ -]\d{5})\b

    Discover – validate with Luhn

    \b(?<![:$._'-])6(?:011|5\d{2})(?:\d{12}|[ -]\d{4}[ -]\d{4}[ -]\d{4})\b

    Visa – validate with Luhn

    \b(?<![:$._'-])(4\d{3}[ -]\d{4}[ -]\d{4}[ -]\d{4}\b|4\d{12}(?:\d{3})?)\b

    Special thanks to the Varonis Systems Engineering team for their contributions! In future posts, we’ll share tips for finding other sensitive data using regular expressions, algorithmic verification, and other metadata like permissions and access activity.

    Photo credit: Shawn Rossi –

    What you should do now

    Below are three ways we can help you begin your journey to reducing data risk at your company:

    1. Schedule a demo session with us, where we can show you around, answer your questions, and help you see if Varonis is right for you.
    2. Download our free report and learn the risks associated with SaaS data exposure.
    3. Share this blog post with someone you know who'd enjoy reading it. Share it with them via email, LinkedIn, Twitter, Reddit, or Facebook.

    We're Varonis.

    We've been keeping the world's most valuable data out of enemy hands since 2005 with our market-leading data security platform.

    How it works