What does the PCI-DSS Requirement Reference regex match?

Matches a PCI-DSS v4.0 requirement reference number.

Is the PCI-DSS Requirement Reference regex ReDoS-safe?

Yes. Manually audited and tested against ReDoS attack strings. Anchors and possessive-style constraints prevent runaway backtracking paths.

How do I use this regex in javascript?

// No imports required — RegExp is built into JavaScript const regex = /^Req(?:uirement)?\s*([1-9]|1[0-2])(?:\.([1-9]|[1-9][0-9])(?:\.([1-9]|[1-9][0-9]))?)?$/i; const isValid = regex.test(input);

Security/Audit & Compliance

Verified Safe

PCI-DSS Requirement Reference Regex for JavaScript

/^Req(?:uirement)?\s*([1-9]|1[0-2])(?:\.([1-9]|[1-9][0-9])(?:\.([1-9]|[1-9][0-9]))?)?$/i

What this pattern does

This page provides a comprehensive, battle-tested regular expression for matching pci-dss requirement reference, ported and verified for JavaScript. In security-sensitive code, using an unverified regex can open the door to both false positives and denial-of-service attacks. The snippet below is ready to drop into your JavaScript project — whether you're validating in an Express middleware, a Next.js API route, or a client-side form.

Javascript Implementation

Javascript

// PCI-DSS Requirement Reference
// ReDoS-safe | RegexVault — Security > Audit & Compliance

const pcidssRequirementReferenceRegex = /^Req(?:uirement)?\s*([1-9]|1[0-2])(?:\.([1-9]|[1-9][0-9])(?:\.([1-9]|[1-9][0-9]))?)?$/i;

function validatePcidssRequirementReference(input: string): boolean {
  return pcidssRequirementReferenceRegex.test(input);
}

// Example
console.log(validatePcidssRequirementReference("Requirement 3")); // true

Test Cases

Matches (Valid)	Rejects (Invalid)
`Requirement 3`	`Req 13`
`Req 3.4`	`Req 0`
`Requirement 10.2.1`	`Requirement 3.4.5.6`
`Req 12`	`PCI 3.4`
`Requirement 6.2`	`3.4.5`

When to use this pattern

This pattern is drawn from the Security > Audit & Compliance category and carries a ReDoS-safe certification. That matters for JavaScript developers because especially critical in long-running Node.js event loops where a ReDoS vulnerability can block the entire process. RegexVault audits patterns against known backtracking attack vectors, ensuring you have the necessary context before using this regex in a high-stakes production environment.

Common Pitfalls

PCI-DSS v3.2.1 and v4.0 have different requirement numbering in some sections. The mandatory effective date for v4.0 is March 31, 2025 — after which v3.2.1 is retired.

Technical Notes

PCI-DSS v4.0 (released March 2022, mandatory from March 2025) has 12 requirements. Key requirements: 3 (Protect stored cardholder data), 4 (Encrypt transmission), 6 (Develop/maintain secure systems), 10 (Log and monitor), 12 (Information security policy). v4.0 adds 64 new requirements vs v3.2.1.

Have a pattern that belongs in the vault?

Submit it for review — community-verified patterns get credited to your GitHub handle. Free submissions join the queue. Priority review available for $15.

Submit a Pattern