PIIfinancial
Last updated: June 9, 2026
The PIIfinancial policy check identifies highly-sensitive financial and bank information in your database changelogs, helping prevent PII (Personally Identifiable Information) data exposure. This check employs the Phileas library of Identifiers to scan INSERT and UPDATE SQL statements in your changesets for financial identifiers such as credit card numbers, bank routing numbers, IBAN codes, and bitcoin addresses. When the check detects potential financial PII, it flags the changelog and can block deployment, protecting your organization from accidentally committing sensitive financial data to version control or deploying it to your databases. This check supports compliance efforts in highly-regulated financial and banking environments by providing audit-ready evidence that your team is actively monitoring and preventing financial PII exposure in database changes.
| Scope | Type | Database |
|---|---|---|
| changelog | xml, json, yaml, sql | Any SQL database |
Before you begin
Create a Check Settings file
Update any existing Check Settings file to 5.2+ by running liquibase checks show --auto-update=ON to ensure the PIIfinancial check appears on the list of checks.
(Maven users only) Add the liquibase-checks dependency to your pom.xml file. See Add extensions with Maven for more information.
Ensure you have Java 17+ installed. If you used the Liquibase Installer, Java is included automatically. Otherwise, you must install Java manually.
Procedure
Enable the PIIfinancial check
This check is disabled by default. To enable it, run the checks enable command:
liquibase checks enable --check-name=PIIfinancial
Customize the check.
After enabling PIIfinancial, run checks customize to configure the check's behavior. This command lets you set which financial identifiers to scan for, the message displayed when a violation is found, and additional identifier-specific options.
Command:
liquibase checks customize --check-name=PIIfinancial
Liquibase prompts you to set these parameters:
Severity — The return code generated on a violation. Options: INFO|0, MINOR|1, MAJOR|2, CRITICAL|3, BLOCKER|4. Default: MAJOR.
FINANCIAL_IDENTIFIERS — The financial data types to scan for. Accepts ALL or a comma-separated list of: BANK_ROUTING_NUMBER, BITCOIN_ADDRESS, CREDIT_CARD, CURRENCY, IBAN_CODE, TRACKING_NUMBER, VIN. Default: ALL.
MESSAGE — The message displayed when a violation is found. The default message includes the detected data type, statement type, statement number, line number, and position.
If CREDIT_CARD is included in FINANCIAL_IDENTIFIERS, Liquibase also prompts for:
CREDIT_CARD_VALIDATE — Enable Luhn algorithm validation to confirm that detected numbers are valid credit card numbers. Options: true, false. Default: true.
CREDIT_CARD_IGNORE_UNIX_TIMESTAMP — Exclude patterns that match Unix timestamps to reduce false positives. Options: true, false. Default: false.
If IBAN_CODE is included in FINANCIAL_IDENTIFIERS, Liquibase also prompts for:
IBAN_ALLOW_SPACES — Allow spaces in IBAN codes. Note: enabling this option limits detection to 22-character IBANs. Options: true, false. Default: false.
Example output:
| Short Name | Category | Description | Customization | Status | Severity | Scope | Type |
|---|---|---|---|---|---|---|---|
| | Sensitive Data | Identifies highly-sensitive Financial or Bank information, helping avoid PII data exposure in highly-regulated environments. | | enabled | 2 | changelog | sql, xml, yaml, json |
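How the two CREDIT_CARD options change what is reported, as an added illustration that is not Liquibase or Phileas code. The candidate regex, the epoch-millisecond heuristic, the function names and the sample statements are all assumptions constructed for this example.

```python
import re

# Constructed changeset statements; the numbers are test values, not real data.
STATEMENTS = [
    "INSERT INTO payments (id, card) VALUES (1, '4111111111111111');",  # Luhn-valid
    "INSERT INTO payments (id, card) VALUES (2, '4111111111111112');",  # fails Luhn
    "UPDATE sessions SET last_seen = 1718000000006 WHERE id = 7;",      # epoch ms, Luhn-valid
    "SELECT '4111111111111111';",                                       # not INSERT/UPDATE
]

DML = re.compile(r"^\s*(INSERT|UPDATE)\b", re.IGNORECASE)
CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")  # assumed card-length digit runs


def luhn_valid(digits):
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def looks_like_unix_ms(digits):
    """Assumed heuristic: 13 digits inside the epoch-millisecond range 2001..2033."""
    return len(digits) == 13 and 10**12 <= int(digits) < 2 * 10**12


def scan(statements, validate=True, ignore_unix_timestamp=False):
    """Return (statement type, statement number, start, end) per finding.

    The keyword defaults mirror the documented defaults of CREDIT_CARD_VALIDATE
    and CREDIT_CARD_IGNORE_UNIX_TIMESTAMP.
    """
    findings = []
    for number, sql in enumerate(statements, start=1):
        dml = DML.match(sql)
        if not dml:
            continue
        for hit in CANDIDATE.finditer(sql):
            if validate and not luhn_valid(hit.group()):
                continue
            if ignore_unix_timestamp and looks_like_unix_ms(hit.group()):
                continue
            findings.append((dml.group(1).upper(), number, hit.start(), hit.end()))
    return findings


if __name__ == "__main__":
    for opts in ({}, {"ignore_unix_timestamp": True}, {"validate": False}):
        print(opts, scan(STATEMENTS, **opts))
```

With the default options the timestamp in the third statement is still reported, because a 13-digit value can pass the Luhn check by chance; enabling the timestamp option drops it, and disabling validation additionally reports the number that fails Luhn.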
Run the checks run command
After enabling and customizing the PIIfinancial check, run it against your changelog to detect the financial identifiers you have configured. Your customized check is stored in your checks settings file.
To run checks with a custom settings file, use the --checks-settings-file parameter. If you don't specify this parameter, Liquibase uses the default liquibase.checks-settings.conf file. You can also use the --changelog-file flag to target a specific changelog.
Checks settings file example:
liquibase checks run --checks-settings-file=path_to_my_file_name.yaml
Checks settings file and specific changelog file example:
liquibase checks run --checks-settings-file=<path_to_my_file_name>.yaml --changelog-file=<your_changelog_here>.sql
Note: If you run liquibase update with a checks settings file configured, the checks run automatically as part of the update process.
liquibase checks run --check-name=<yourCustomizedCheckName> --changelog-file=<yourChangelogHere>.sql
liquibase checks run --checks-settings-file=my_file_name.yaml
Analyze the results in the terminal output.
When the PIIfinancial check finds financial data in the changelog, you will see output similar to this in the terminal:
CHANGELOG CHECKS
----------------
Checks completed validation of the changelog and found the following issues:
Check Name: PII (Financial) Information detection (PIIfinancial)
Changeset ID: financial-1
Changeset Filepath: my-changelog.sql
Check Severity: MAJOR (Return code: 2)
Message: Policy violation: raw CREDIT_CARD detected in INSERT at statement #1, line 1, positions 45-61.
Check Name: PII (Financial) Information detection (PIIfinancial)
Changeset ID: financial-2
Changeset Filepath: my-changelog.sql
Check Severity: MAJOR (Return code: 2)
Message: Policy violation: raw BANK_ROUTING_NUMBER detected in INSERT at statement #1, line 1, positions 44-52.
Changesets Validated: in my-changelog.sql
ID: financial-1; Author: test
ID: financial-2; Author: test
Checks run against each changeset:
PII (Financial) Information detection (Short names: PIIfinancial)
The output identifies the check name, changeset ID, file path, severity, and the exact location of the detected financial data in the changelog.
Results
Now you can see how the check runs and what the results look like when it flags an issue within the changelog.
You can then remove, mask, or handle the sensitive financial information appropriately before committing changes to your database.