4 Useful Regular Expressions and Algorithm Combinations for Finding Credit Card Numbers
Data classification is a critical piece of the data governance puzzle. In order to be successful at governing data, you have to know—at all times—where your sensitive data is concentrated, unencrypted, and potentially overexposed.
One of the standard ways to find sensitive data is to use Regular Expressions (RegEx) to match patterns. Used by themselves, regular expressions often identify too much—some of the numbers they find are not really credit numbers, even though they match the pattern you’re looking for. These “false positives” can be reduced by using algorithmic verification, such as Luhn, or IBAN. If you don’t know what Regular Expressions are, or you are a bit rusty on the syntax, there are some excellent tutorials on the web (start here or here). If you’d like some help validating your results with Luhn, a good article can be found here (The Varonis IDU Classification Framework has algorithmic validation built-in).
Get a Free Data Risk Assessment
What’s considered sensitive?
Well, that really depends on who you’re asking. Many organizations have idiosyncratic data such as customer or patient IDs, payroll codes, etc. that they want to keep confidential. But some things are universally considered sensitive – like credit card numbers.
Thus, we figured credit card numbers would be a perfect place to start our RegEx compendium. Enjoy!
Mastercard – validate with Luhn
\b(?<![:$._'-])3[47](?:\d{13}|\d{2}[ -]\d{6}[ -]\d{5})\b
AMEX – validate with Luhn
\b(?<![:$._'-])3[47](?:\d{13}|\d{2}[ -]\d{6}[ -]\d{5})\b
Discover – validate with Luhn
\b(?<![:$._'-])6(?:011|5\d{2})(?:\d{12}|[ -]\d{4}[ -]\d{4}[ -]\d{4})\b
Visa – validate with Luhn
\b(?<![:$._'-])(4\d{3}[ -]\d{4}[ -]\d{4}[ -]\d{4}\b|4\d{12}(?:\d{3})?)\b
Special thanks to the Varonis Systems Engineering team for their contributions! In future posts, we’ll share tips for finding other sensitive data using regular expressions, algorithmic verification, and other metadata like permissions and access activity.
Photo credit: Shawn Rossi – http://www.flickr.com/photos/shawnzlea/527857787/
What should I do now?
Below are three ways you can continue your journey to reduce data risk at your company:
Schedule a demo with us to see Varonis in action. We'll personalize the session to your org's data security needs and answer any questions.
See a sample of our Data Risk Assessment and learn the risks that could be lingering in your environment. Varonis' DRA is completely free and offers a clear path to automated remediation.
Follow us on LinkedIn, YouTube, and X (Twitter) for bite-sized insights on all things data security, including DSPM, threat detection, AI security, and more.
