s/(?<=cc_number=)|\G\d/X/g

Do you work in a PCI certified office?
If not, then you do not have the right to request CVV\CVC and card number. You can store the card in the format “First six + last four”, this is allowed for transmission in clear text.
When it comes down to it, why do you even need to know the length of the card number? Replace simply with "HIDDEN"

To write to the log, it's better to do something like this:
cc_number=HIDDEN_CC_NUMBER&amount=1500&CVV=HIDDEN_CVV Otherwise
, in a couple of weeks you will sculpt regular expressions for searching in the logs 3-4-12-14-16 consecutive "X"

s/(?<=cc_number=)?(\d)/X/g;
Perl notation, not sure about PHP's specific form of notation.

Try
$data=preg_replace_all('(?<=cc_number=)?(\d)','X',$data);

(deleted, not answered in the right place)

Is it possible to access the $_POST array?
If yes, then you can try to do without a regular expression.

$data = str_replace('cc_number='.$_POST['cc_number'], 'cc_number='.str_repeat('X', strlen($_POST['cc_number'])), $data);

there was a wrong comment

Exceptional how to play. Still preferable with a callback.

$data[1] = "cc_number=1234567890123456&amount=1500";
$data[2] = "cc_number=12345678901234&amount=1500";
$data[3] = "amount=1500&cc_number=12345678901234&otherNumber=123123123";

$patterns = array ('/\d{16}/','/\d{14}/');
$replace = array ('xxxxxxxxxxxxxxxx','xxxxxxxxxxxxxx');
echo preg_replace($patterns, $replace, $data[1]);
echo "<br>";
echo preg_replace($patterns, $replace, $data[2]);
echo "<br>";
echo preg_replace($patterns, $replace, $data[3]);

IMHO, it's safer like this:

<?php
$data = parse_str($data);
 if (isset($data["cc_number"])) {
    $data["cc_number"] = str_repeat("X", strlen($data["cc_number"])); 
} 
$data = http_build_query($data);
?>