Detecting Credit Card Numbers in Network Traffic

The Payment Card Industry Data Security Standard (PCI-DSS for short) requires that credit card numbers are not transmitted in the clear and are not presented to users unmasked. A network monitoring system such as an IDS or an IPS seems like a natural enforcement mechanism to ensure that such information is not sent over a network in violation of the regulation, but a closer examination shows that a correct implementation is far from trivial.

This writeup discusses several aspects of implementing a network monitoring system to detect leakage of credit card numbers:

* Matching a credit card number sequence
* Handling false positives using exceptions
* Additional considerations, including evasion, logging, performance and other sensitive patterns.

