What does the PCI-DSS Requirement Reference regex match?

Matches a PCI-DSS v4.0 requirement reference number.

Is the PCI-DSS Requirement Reference regex ReDoS-safe?

Yes. Manually audited and tested against ReDoS attack strings. Anchors and possessive-style constraints prevent runaway backtracking paths.

How do I use this regex in python?

import re pattern = re.compile(r'^Req(?:uirement)?\s*([1-9]|1[0-2])(?:\.([1-9]|[1-9][0-9])(?:\.([1-9]|[1-9][0-9]))?)?$') is_valid = bool(pattern.match(input_str))

Security/Audit & Compliance

Verified Safe

PCI-DSS Requirement Reference Regex for Python

/^Req(?:uirement)?\s*([1-9]|1[0-2])(?:\.([1-9]|[1-9][0-9])(?:\.([1-9]|[1-9][0-9]))?)?$/i

What this pattern does

This page provides a comprehensive, battle-tested regular expression for matching pci-dss requirement reference, ported and verified for Python. In security-sensitive code, using an unverified regex can open the door to both false positives and denial-of-service attacks. The snippet below is ready to drop into your Python project — whether you're validating in a Django view, a FastAPI endpoint, or a standalone data processing script.

Python Implementation

Python

# PCI-DSS Requirement Reference
# ReDoS-safe | RegexVault — Security > Audit & Compliance

import re

pcidss_requirement_reference_pattern = re.compile(r'^Req(?:uirement)?\s*([1-9]|1[0-2])(?:\.([1-9]|[1-9][0-9])(?:\.([1-9]|[1-9][0-9]))?)?$')

def validate_pcidss_requirement_reference(value: str) -> bool:
    return bool(pcidss_requirement_reference_pattern.fullmatch(value))

# Example
print(validate_pcidss_requirement_reference("Requirement 3"))  # True

Test Cases

Matches (Valid)	Rejects (Invalid)
`Requirement 3`	`Req 13`
`Req 3.4`	`Req 0`
`Requirement 10.2.1`	`Requirement 3.4.5.6`
`Req 12`	`PCI 3.4`
`Requirement 6.2`	`3.4.5`

When to use this pattern

This pattern is drawn from the Security > Audit & Compliance category and carries a ReDoS-safe certification. That matters for Python developers because particularly important in Python web servers where CPU-bound regex operations can stall concurrent request handling. RegexVault audits patterns against known backtracking attack vectors, ensuring you have the necessary context before using this regex in a high-stakes production environment.

Common Pitfalls

PCI-DSS v3.2.1 and v4.0 have different requirement numbering in some sections. The mandatory effective date for v4.0 is March 31, 2025 — after which v3.2.1 is retired.

Technical Notes

PCI-DSS v4.0 (released March 2022, mandatory from March 2025) has 12 requirements. Key requirements: 3 (Protect stored cardholder data), 4 (Encrypt transmission), 6 (Develop/maintain secure systems), 10 (Log and monitor), 12 (Information security policy). v4.0 adds 64 new requirements vs v3.2.1.

Have a pattern that belongs in the vault?

Submit it for review — community-verified patterns get credited to your GitHub handle. Free submissions join the queue. Priority review available for $15.

Submit a Pattern