Inside Out Security Blog   /  

Data Classification Tips: Finding Credit Card Numbers

Data Classification Tips: Finding Credit Card Numbers

4 Useful Regular Expressions and Algorithm Combinations for Finding Credit Card Numbers

Data classification is a critical piece of the data governance puzzle.  In order to be successful at governing data, you have to know—at all times—where your sensitive data is concentrated, unencrypted, and potentially overexposed.

One of the standard ways to find sensitive data is to use Regular Expressions (RegEx) to match patterns. Used by themselves, regular expressions often identify too much—some of the numbers they find are not really credit numbers, even though they match the pattern you’re looking for.  These “false positives” can be reduced by using algorithmic verification, such as Luhn, or IBAN.  If you don’t know what Regular Expressions are, or you are a bit rusty on the syntax, there are some excellent tutorials on the web (start here or here). If you’d like some help validating your results with Luhn, a good article can be found here (The Varonis IDU Classification Framework has algorithmic validation built-in).

What’s considered sensitive?

Well, that really depends on who you’re asking.  Many organizations have idiosyncratic data such as customer or patient IDs, payroll codes, etc. that they want to keep confidential.  But some things are universally considered sensitive – like credit card numbers.

Thus, we figured credit card numbers would be a perfect place to start our RegEx compendium.  Enjoy!

Mastercard – validate with Luhn

\b(?<![:$._'-])3[47](?:\d{13}|\d{2}[ -]\d{6}[ -]\d{5})\b

AMEX – validate with Luhn

\b(?<![:$._'-])3[47](?:\d{13}|\d{2}[ -]\d{6}[ -]\d{5})\b

Discover – validate with Luhn

\b(?<![:$._'-])6(?:011|5\d{2})(?:\d{12}|[ -]\d{4}[ -]\d{4}[ -]\d{4})\b

Visa – validate with Luhn

\b(?<![:$._'-])(4\d{3}[ -]\d{4}[ -]\d{4}[ -]\d{4}\b|4\d{12}(?:\d{3})?)\b

Special thanks to the Varonis Systems Engineering team for their contributions! In future posts, we’ll share tips for finding other sensitive data using regular expressions, algorithmic verification, and other metadata like permissions and access activity.

Photo credit: Shawn Rossi –

We're Varonis.

We've been keeping the world's most valuable data out of enemy hands since 2005 with our market-leading data security platform.

How it works