Payment Card Magnetic Stripe Track 2

Detects ISO/IEC 7813 magnetic-stripe Track 2 data for payment cards: a start sentinel ;, the primary account number, a field separator =, expiry (YYMM), service code and discretionary data, end sentinel ?. Also detects the common no-sentinel database form PAN=YYMM... Storing full track data after authorization is prohibited by PCI DSS 4.0 Requirement 3.3.1.

Type: regex
Engine: universal
Confidence: high
Confidence justification: High confidence: the sentinel form is unmistakable, and the no-sentinel form requires a 13-19 digit account number immediately followed by = and at least 7 further digits (expiry, service code and discretionary), a structure that does not occur in ordinary text, making false positives unlikely.
Jurisdictions: global
Regulations: PCI-DSS
Frameworks: CIS Controls, ISO 27001, NIST CSF, SOC 2
Data categories: financial
Scope: narrow
Risk rating: 10
Platform compatibility: Purview: Compatible, GCP DLP: Unsupported, Macie: Unsupported, Zscaler: Compatible, Palo Alto: Unsupported, Netskope: Unsupported

Pattern

;\d{13,19}=\d{4}\d{3}\d*\?|(?<![0-9;])\d{13,19}=\d{7,40}(?![0-9])

Corroborative evidence keywords

track 2, track data, magnetic stripe, magstripe, card present, sensitive authentication data, SAD, PAN

Proximity: 300 characters

Should match

;4111111111111111=250510100000000000? — Track 2 sentinel form, fake 16-digit Visa PAN, expiry 2505 service 101
TRACK2=;5500005555555559=26129990000000? — Labelled Track 2 sentinel form, fake Mastercard PAN
pan=4012888888881881=2611101000000 — No-sentinel database form, fake PAN = expiry+service+discretionary

Should not match

;4111111111111111=2505? — Sentinel form missing service-code digits (only 4 after =)
order 12345=67890 ref — Short number=number pair, not a 13-19 digit PAN with 7+ trailing digits
Track 2 data and the PAN must be truncated before storage — Prose mentioning track 2, no encoded track

Known false positives

Long numeric identifiers joined by = in exported config or log lines that coincidentally resemble PAN=digits. Mitigation: Require corroborative keywords; validate the PAN portion with a Luhn check before alerting.