Credit Card number

ID

credit_card

Severity

high

Vendor

-

Family

Generic secret

Description

A credit card number is a potential financial issue for the owner of the credit card, and perhaps a legal liability problem for the organization that leaked the number.

The detector does not check whether the card behind a given number actually exists or is valid; it only verifies that the number satisfies the Luhn ("mod-10") checksum.

Security

Any hardcoded credit card number is reported as an issue by this detector. A card number is not really a secret, but it is sensitive data that should be managed with due care.

Please note that a leaked card number may also put your organization out of compliance with some requirements of standards like PCI DSS.

Examples

{
  "cards" : [
    {
      "IssuingNetwork": "Visa",
      "CardNumber": 4556038899521934
    },
    {
      "IssuingNetwork": "American Express",
      "CardNumber": 376342896622539
    },
    {
      "IssuingNetwork": "MasterCard",
      "CardNumber": 5377522499685003
    }
  ]
}

Configuration

The detector has the following properties:

  • key.pattern, used to restrict which keys are considered. By default, every key is allowed.

  • value.pattern, used to match the credit-card number. NOTE: candidate numbers that do not pass the Luhn checksum are discarded.
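As an added illustration of the Luhn filter described in the Description and Configuration sections (example code, not the detector's own): a small Python scanner walks a parsed configuration document, applies a key pattern and a value pattern in the spirit of key.pattern / value.pattern, and discards any candidate that fails the Luhn checksum. SAMPLE reuses the page's three example numbers plus one constructed invalid number (last digit altered); luhn_ok, mask and scan are hypothetical names.

```python
import json
import re

# Constructed sample: the page's example JSON plus a fourth entry whose number
# fails the Luhn check (last digit altered), so the filter has something to discard.
SAMPLE = json.loads("""
{
  "cards": [
    {"IssuingNetwork": "Visa", "CardNumber": 4556038899521934},
    {"IssuingNetwork": "American Express", "CardNumber": 376342896622539},
    {"IssuingNetwork": "MasterCard", "CardNumber": 5377522499685003},
    {"IssuingNetwork": "Typo", "CardNumber": 4556038899521935}
  ]
}
""")


def luhn_ok(number: str) -> bool:
    """Return True if the digit string passes the Luhn ("mod-10") checksum."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 2:
        return False
    total = 0
    # Walk from the rightmost digit; double every second digit and fold >9 to one digit.
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(number: str) -> str:
    """Keep only the last four digits, so the report itself does not leak the number."""
    return "*" * (len(number) - 4) + number[-4:]


def scan(obj, key_pattern=r".*", value_pattern=r"\d{13,19}", path=""):
    """Report (path, masked value) for leaves whose key matches key_pattern, whose
    value matches value_pattern, and whose value passes Luhn (hypothetical mirror
    of the detector's key.pattern / value.pattern behaviour, not its real code)."""
    findings = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            findings += scan(v, key_pattern, value_pattern, f"{path}.{k}" if path else k)
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            findings += scan(v, key_pattern, value_pattern, f"{path}[{i}]")
    else:
        key, value = path.rsplit(".", 1)[-1], str(obj)
        if re.fullmatch(key_pattern, key) and re.fullmatch(value_pattern, value) and luhn_ok(value):
            findings.append((path, mask(value)))
    return findings
```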

Mitigation / Fix

  1. Remove the credit card numbers from the source code or committed configuration file. Only if they are invalid numbers used for testing might you mute the issues.

  2. Follow your policy for handling leaked secrets, which may require reporting the leak to the credit card issuer, ideally before any fraudulent charges are made.

  3. Keep an eye on the charges reported by the card issuer during the exposure window.