Live Cyber Attack Lab 🎯 Watch our IR team detect & respond to a rogue insider trying to steal data! Choose a Session


Data Classification Tips: Finding Credit Card Numbers

Compliance & Regulation

4 Useful Regular Expressions and Algorithm Combinations for Finding Credit Card Numbers

Data classification is a critical piece of the data governance puzzle.  In order to be successful at governing data, you have to know—at all times—where your sensitive data is concentrated, unencrypted, and potentially overexposed.

One of the standard ways to find sensitive data is to use Regular Expressions (RegEx) to match patterns. Used by themselves, regular expressions often identify too much—some of the numbers they find are not really credit numbers, even though they match the pattern you’re looking for.  These “false positives” can be reduced by using algorithmic verification, such as Luhn, or IBAN.  If you don’t know what Regular Expressions are, or you are a bit rusty on the syntax, there are some excellent tutorials on the web (start here or here). If you’d like some help validating your results with Luhn, a good article can be found here (The Varonis IDU Classification Framework has algorithmic validation built-in).

What’s considered sensitive?

Well, that really depends on who you’re asking.  Many organizations have idiosyncratic data such as customer or patient IDs, payroll codes, etc. that they want to keep confidential.  But some things are universally considered sensitive – like credit card numbers.

Thus, we figured credit card numbers would be a perfect place to start our RegEx compendium.  Enjoy!

Mastercard – validate with Luhn

\b(?<![:$._'-])3[47](?:\d{13}|\d{2}[ -]\d{6}[ -]\d{5})\b

AMEX – validate with Luhn

\b(?<![:$._'-])3[47](?:\d{13}|\d{2}[ -]\d{6}[ -]\d{5})\b

Discover – validate with Luhn

\b(?<![:$._'-])6(?:011|5\d{2})(?:\d{12}|[ -]\d{4}[ -]\d{4}[ -]\d{4})\b

Visa – validate with Luhn

\b(?<![:$._'-])(4\d{3}[ -]\d{4}[ -]\d{4}[ -]\d{4}\b|4\d{12}(?:\d{3})?)\b

Special thanks to the Varonis Systems Engineering team for their contributions! In future posts, we’ll share tips for finding other sensitive data using regular expressions, algorithmic verification, and other metadata like permissions and access activity.

Photo credit: Shawn Rossi –

Rob Sobers

Rob Sobers

Rob Sobers is a software engineer specializing in web security and is the co-author of the book Learn Ruby the Hard Way.


Does your cybersecurity start at the heart?

Get a highly customized data risk assessment run by engineers who are obsessed with data security.