Payment Card Magnetic Stripe Track 1

Detects ISO/IEC 7813 magnetic-stripe Track 1 (format code B) data for payment cards: a start sentinel %B, the primary account number, the cardholder name, expiry date, service code and discretionary data. Storing full track data after authorization is prohibited by PCI DSS 4.0 Requirement 3.3.1.

Type: regex
Engine: universal
Confidence: high
Confidence justification: High confidence: the full Track 1 framing (%B start sentinel, two ^ field separators, fixed expiry+service-code structure and ? end sentinel) wrapped around a 13-19 digit PAN is a highly distinctive structure that does not occur in ordinary prose, making false positives extremely unlikely.
Jurisdictions: global
Regulations: PCI-DSS
Frameworks: CIS Controls, ISO 27001, NIST CSF, SOC 2
Data categories: financial
Scope: narrow
Risk rating: 10
Platform compatibility: Purview: Compatible, GCP DLP: Compatible, Macie: Compatible, Zscaler: Compatible, Palo Alto: Compatible, Netskope: Compatible

Pattern

%B\d{13,19}\^[A-Za-z][^\^]{1,25}\^\d{4}\d{3}[A-Za-z0-9]{0,40}\?

Corroborative evidence keywords

track 1, track data, magnetic stripe, magstripe, card present, sensitive authentication data, SAD, PAN

Proximity: 300 characters

Should match

%B4111111111111111^DOE/JOHN^25051010000000000000000? — Track 1 format-B with 16-digit fake Visa PAN, name, expiry 2505, service 101
TRACK1=%B5500005555555559^SMITH/JANE Q^26129990000? — Labelled Track 1 with fake Mastercard PAN and full sentinels
%B340000000000009^CARDHOLDER/TEST^271010100? — Track 1 with 15-digit fake Amex PAN

Should not match

%A4111111111111111^DOE/JOHN^2505101? — Format code A, not B (not a financial Track 1)
4111111111111111 expiry 2505 cvv 123 — Bare PAN and fields without the Track 1 sentinel framing
Track 1 magnetic stripe data must never be stored after authorization — Prose describing track data, no actual encoded track

Known false positives

Test or sample magnetic-stripe strings embedded in QA fixtures or payment-terminal documentation. Mitigation: Require corroborative keywords and treat known test PANs (e.g. 4111 1111 1111 1111) as samples; confirm with surrounding transaction context.