What does the Generic Payment Card Number (13–19 digits) regex match?

Matches a payment card number with 13 to 19 digits, with optional spaces or hyphens as group separators.

Is the Generic Payment Card Number (13–19 digits) regex ReDoS-safe?

Yes. Verified through static analysis: no ambiguous alternations or nested quantifiers that could trigger exponential backtracking.

How do I use this regex in javascript?

// No imports required — RegExp is built into JavaScript const regex = /^(?:[0-9]{4}([\s-])[0-9]{4}\1[0-9]{4}\1[0-9]{1,7}|[0-9]{13,19})$/; const isValid = regex.test(input);

Finance/Card Numbers

Verified Safe

Generic Payment Card Number (13–19 digits) Regex for JavaScript

/^(?:[0-9]{4}([\s-])[0-9]{4}\1[0-9]{4}\1[0-9]{1,7}|[0-9]{13,19})$/

What this pattern does

This page provides a well-structured, multi-part regular expression for matching generic payment card number (13–19 digits), ported and verified for JavaScript. Financial data validation has zero tolerance for false negatives — a missed invalid entry can corrupt downstream calculations. The snippet below is ready to drop into your JavaScript project — whether you're validating in an Express middleware, a Next.js API route, or a client-side form.

Javascript Implementation

Javascript

// Generic Payment Card Number (13–19 digits)
// ReDoS-safe | RegexVault — Finance > Card Numbers

const genericPaymentCardNumber1319DigitsRegex = /^(?:[0-9]{4}([\s-])[0-9]{4}\1[0-9]{4}\1[0-9]{1,7}|[0-9]{13,19})$/;

function validateGenericPaymentCardNumber1319Digits(input: string): boolean {
  return genericPaymentCardNumber1319DigitsRegex.test(input);
}

// Example
console.log(validateGenericPaymentCardNumber1319Digits("4111111111111111")); // true

Test Cases

Matches (Valid)	Rejects (Invalid)
`4111111111111111`	`41111111111111111111`
`4111 1111 1111 1111`	`4111-1111 1111-1111`
`4111-1111-1111-1111`	`abcd1234abcd1234`
`5500005555555559`	—
`378282246310005`	—
`411111111111111`	—

When to use this pattern

This pattern is drawn from the Finance > Card Numbers category and carries a ReDoS-safe certification. That matters for JavaScript developers because especially critical in long-running Node.js event loops where a ReDoS vulnerability can block the entire process. RegexVault audits patterns against known backtracking attack vectors, ensuring you have the necessary context before using this regex in a high-stakes production environment.

Common Pitfalls

Never log full card numbers. Mask to show only the last 4 digits (XXXX XXXX XXXX 1234). PCI-DSS compliance requires minimizing the surface area that touches full PANs.

Technical Notes

Format only — does not validate the Luhn checksum. Always implement Luhn algorithm validation separately. PCI-DSS prohibits storing full PANs (Primary Account Numbers) without encryption.

Have a pattern that belongs in the vault?

Submit it for review — community-verified patterns get credited to your GitHub handle. Free submissions join the queue. Priority review available for $15.

Submit a Pattern