Card Verification Value (Labelled)

Detects a labelled card verification value: a CVV / CVV2 / CVC / CVC2 / CID / CSC keyword (or the spelled-out "card verification value/code" / "card security code") immediately followed by a 3 or 4 digit value. The CVV is sensitive authentication data that PCI DSS 4.0 Requirement 3.3.1 prohibits storing after authorization.

Type: regex
Engine: universal
Confidence: medium
Confidence justification: Medium confidence: the value itself (3-4 digits) is generic, but requiring an adjacent CVV/CVC/CID-family label substantially reduces false positives. Not high because the label-plus-short-number structure can still appear in forms and test fixtures.
Jurisdictions: global
Regulations: PCI-DSS
Frameworks: CIS Controls, ISO 27001, NIST CSF, SOC 2
Data categories: financial
Scope: narrow
Risk rating: 9
Platform compatibility: Purview: Compatible, GCP DLP: Unsupported, Macie: Unsupported, Zscaler: Compatible, Palo Alto: Unsupported, Netskope: Unsupported

Pattern

(?<![A-Za-z])(?:CVV2?|CVC2?|CID|CSC|CVD|card\s+verification\s+(?:value|code)|card\s+security\s+code|security\s+code)[\s:#=]{0,8}\d{3,4}(?![0-9])

Corroborative evidence keywords

card verification value, card verification code, card security code, cvv, cvc, cid, sensitive authentication data, cardholder

Proximity: 300 characters

Should match

CVV: 123 — CVV label with colon separator and 3-digit value
cvv2=4567 — CVV2 label, 4-digit Amex-style code, lowercase
Card Verification Value 321 — Spelled-out label followed by 3-digit value

Should not match

CVV: 12 — Only 2 digits, too short for a CVV
invoice 123456 — Bare number with no CVV-family label
The CVV is the three-digit code printed on the signature panel — Prose explaining what a CVV is, no value present

Known false positives

Web forms, test fixtures or documentation that show a CVV label next to a placeholder 3-4 digit number. Mitigation: Require corroborative cardholder/PAN context within proximity and exclude obvious placeholders (000, 123, 999, xxx).