Regular Expression Credit Card Filter

beneckij_ironport · ‎04-26-2007

I've been playing around with filters for credit cards and have yet to find one that stops all credit cards while limiting false positives because it is matching any random 16 characters.

I need one that blocks all amex, visa, mc, and discover without spaces, with spaces or with dashes.

This one has worked the best so far (it's a mish mash of filters I have found or tweaked or have been sent to me), but I think it can be improved. Any ideas? Anyone have a better filter they are using?

Visa/MC/Amex
^((4\d{3})|(5[1-5]\d{2}))(-?|\040?)(\d{4}(-?|\040?)){3}|^(3[4,7]\d{2})(-?|\040?)\d{6}(-?|\040?)\d{5}

Discover Card:
(6011|5[1-5][0-9]{2}|4[0-9]{3}) [0-9]{4} [0-9]{4} [0-9]{4}
(6011|5[1-5][0-9]{2}|4[0-9]{3})-[0-9]{4}-[0-9]{4}-[0-9]{4}
(6011|5[1-5][0-9]{2}|4[0-9]{3})\.[0-9]{4}\.[0-9]{4}\.[0-9]{4}

fastnoypi_ironport · ‎08-27-2007

im not so versed at regular expressions, but i have found the following regular expressions on the web.

If someone can get these Ironport legal, maybe they might help with the false positives.

if (type == "Visa") {
// Visa: length 16, prefix 4, dashes optional.
var re = /^4\d{3}-?\d{4}-?\d{4}-?\d{4}$/;
} else if (type == "MC") {
// Mastercard: length 16, prefix 51-55, dashes optional.
var re = /^5[1-5]\d{2}-?\d{4}-?\d{4}-?\d{4}$/;
} else if (type == "Disc") {
// Discover: length 16, prefix 6011, dashes optional.
var re = /^6011-?\d{4}-?\d{4}-?\d{4}$/;
} else if (type == "AmEx") {
// American Express: length 15, prefix 34 or 37.
var re = /^3[4,7]\d{13}$/;
} else if (type == "Diners") {
// Diners: length 14, prefix 30, 36, or 38.
var re = /^3[0,6,8]\d{12}$/

thanks for the reg expression beneckij. I am still waiting to capture legit traffic, but getting false positves on South american phone numbers

jbivens_ironport · ‎08-28-2007

Just as an FYI, in the 5.5 code coming next month there will be new options in Content Filters called smart identifiers which include credit card number where IronPort has pre-configured the credit card information into AsyncOS and it also include check bits to reduce false positives.

This is a very slick enhancement and should greatly reduce the number of false positives over the standard regex configurations discussed on this thread.

Sincerely,

Jay Bivens
IronPort Systems

Greg Muszynski · ‎10-04-2017

the problem with the Credit Card smart Content Filter is that if it finds a credit card number then that's it that message does not continue on to the actual DLP engine for additional scanning and does not show up as a DLP violation, at least that's how we see it working in our environment while testing, and yes we opened up a case with Cisco IronPort on this and are working with an engineer on it, I just wanted to contribute to this forum, and warn you all that this may not be working as you expected