Deterministic Data Masking


Next Steps
Overview Auditing CCPA DLP FERPA GDPR HIPAA PCI DSS DMaaS Static Dynamic

IRIData Masking Software in Gartner Market Guide

Gartner logo| Read More

Outsmart Risk. Accurately Locate & Consistently AnonymizeSensitive Data in Structured, Semi-Structured, and Unstructured Sources.

Discovery, De-Identification, and Proof

Unsecured data can damage your company's reputation and cost it millions in fines. Award-winning data-centric ("startpoint") security software from IRIhas been repeatedly proven in a wide range of breach nullification, privacy law compliance, and DevOps(test data) environments. Use fit-for-purpose IRIdata 'shield' products (or all of them in the IRI Voracity data management platform) to find and mask sensitive data deterministically on-premise or in the cloud, and to prove that you protected it.

  • Types of Sensitive Data
  • Personally Identifiable Information (PII)
  • Protected Health Information (PHI)
  • Primary Account Numbers (PANs)
  • Other Sensitive Information
pushpins in a globe on Australia

International Compliance

Data privacy laws require that key identifiers be encrypted, pseudonymized, redacted, or anonymized, or that people cannot be traced by their quasi-identifiers. IRIsoftware can find and fix PIIin any format to meet the data erasure, portability and rectification requirements of the GDPRet al, and score re-ID risk for HIPAA, etc. Inquire about your mandates.

Click the acronyms above to learn more →

Multiple Masking Methods

Use the free IRI Workbench IDE built on Eclipse™ to discover, classify, and mask data quickly and easily. Choose to blur, encrypt, hash, pseudonymize, randomize, redact, scramble, tokenize, etc. Match the function to search-method-associated data classes (or to column names), and apply it consistently to preserve realism and referential integrity across sources.

Which Data Masking Function Should I Use? →

IRI data masking
Two women working at a computer to access a database

Role Based Access Controls

Decide and enforce who can access or use specific data sources and targets; masking rules and job scripts; data classifications and data layout definitions; decryption keys and log files; and, even the masking programs themselves. Establish different roles for different data sources, and different access rights based on those roles. 

Define, Assign, and Follow RBAC Rules →

Auditabilityfor Accountability

Every IRIdata security solution produces machine-readable audit logs that you can secure, query, and display, or export to SIEMtools, to: reliably document everything that's been changed, verify compliance with data privacy laws without tampering concerns, trigger alerts, and take action. That is how auditing is supposed to work.

Learn More →

A governmental building where decisions are made

Which PIIMasking Product Should I Use?

FieldShield button iconIRIFieldShield

Find, classify, mask, and risk-score PIIacross structured data sources, including legacy (flat COBOL, CSV, LDIF) files, ODBC-connected databases, cloud apps like Salesforce, etc. Use AES-256 FPE, blurring, hashing, redaction, pseudonymization, tokenization, etc.

Learn More →

CellShield button iconIRICellShieldEE

Find, report on, mask, and audit PIIin one or more Excel® spreadsheets at once using point-and-click options inside Excel. Search and mask intracellularly, protect formulas, and even entire sheets, too.

Learn More →

DarkShield button iconIRIDarkShield

Discover, deliver, and delete sensitive information in semi- and unstructured text (including XML, HL7/X12, HTML, etc.), files, MS & PDF documents (even within their embedded images), RDBB/LOB and free-floating text columns, NoSQLDBs(MongoDB, Cassandra, and Elasticsearch), image formats, and faces.

Learn More →

Voracity button iconIRIVoracity

Get all three IRI'shield' products inside, plus test data management, within a total data lifecycle management platform that consolidates big data discovery, integration, migration, governance, and analytics. In addition to FieldShield, CellShieldEE and DarkShield, Voracity includes IRI RowGen so you can also create (and mask) DB subsets, or smart test data from scratch for DB/ETLprototyping, PIIfabrication, and application stress-testing.

Learn More →



Types of Sensitive Data

  • Personally Identifiable Information (PII)
  • Protected Health Information (PHI)
  • Primary Account Numbers (PANs)
  • Other Sensitive Information

Personally Identifiable Information (PII)

While there is no set list of PIIacross all privacy laws, there are common elements used across these laws. In short, PIIis information, when used alone or with other data, that identifies an individual. Government regulations like the CCPA, SSAE16, SOC2, and GDPRrequire that all PIIbe protected.

Protected Health Information (PHI)

In medical records, PHI identifies a health care recipient. US HIPAA regulations require that 18 key identifiers be effectively de-identifiedor anonymized.

Primary Account Numbers (PANs)

PANsare identifying numbers used in credit card transactions. The Payment Card Industry Data Security Standard (PCI DSS) requires card issuers, merchants, and testers to encrypt, tokenize, and otherwise protect this information.

Other Sensitive Information

Information like codes and formulas that constitute trade or military secrets need to be protected. You cannot afford to have this critical data lost in a data breach.

Privacy Laws

  • GDPR
  • CCPA


The Health Insurance Portability and Accountability Act of 1996 (HIPAA) implements industry-wide standards for health care information. Health care providers, organizations, and their associates are required to develop and follow procedures for PHI when it is transferred, received, handled, or shared. It applies to all forms of PHI, including written, electronic, and oral.


Under the General Data Protection Regulation (GDPR), all personal data of a citizen from the European Union must be secured. Companies are required to protect any data that can directly or indirectly identify an individual ("data subject"). These identifiers include, but are not limited to:

  • Social Security Number
  • Credit Card Number
  • Bank Account Number
  • First Name
  • Last Name
  • Address
  • Zip Code
  • Email Address
  • Medical Information
  • Genomic Information
  • IP Address
  • GeolocationData
  • Income and Tax Data
  • Race, Ethnicity, and Religious Affiliation
  • Sexual Orientation
  • Trade Union Membership
  • Birth Date
  • Password
  • Military ID
  • Passport Number
  • Driver's License Number
  • Vehicle License Number
  • Phone and Fax Numbers

The law also provides citizens with the Right to be Forgotten, or the ability to request that all information about them be removed from a company's possession. IRIdata obfuscation products find that PIIand PI you need in text, image, or facial form, and tell you where it is, and (immediately or later) automatically delete, deliver, and fix it so you can comply with GDPRright to erasure, portability and rectification provisions.


The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the privacy of student records and information. FERPAgives rights and protections to parents and eligible students. Once a student reaches 18 years of age or enrolls in a post-secondary institution, he or she becomes an "eligible student," meaning all rights formerly controlled by the parents transfer to the student.

Under FERPA, a school may not generally disclose PIIfrom an eligible student's records to third parties unless the student has provided written consent. Data protected includes PIIand no less than the following additional information:

  • Student Name
  • Student ID Number
  • Family Member Names
  • Place of Birth
  • Mother's Maiden Name
  • Student Educational Records
  • Immunization Records
  • Health Records
  • Individuals with Disabilities (IDEA) Records
  • Attendance Records


The Federal Information Security Management Act of 2002 (FISMA) is a federal law that recognizes the importance of data protection and information security to economic and national security interests. Every federal agency must develop, document, and implement an agency-wide course of action to secure the system and assets that support the agency, including those managed by another agency, contractor, or other sources.

Information that must be protected under FISMAincludes PIIand other sensitive information from these categories:

  • Medical
  • Financial
  • Contractor Sensitive
  • Security Management
  • Other information specified by executive order, specific law, directive, policy, or regulation


The Federal Financial Institutions Examination Council (FFIEC) is a government inter-agency body that sets uniform principles, standards, and report forms to promote uniformity in the supervisions of financial institutions. Additionally, the Council oversees real estate appraisal.

Banks, credit unions, and other financial institutions are subject to the rules enacted by the Council. In addition to PIIand Non-Public Personal Information (NPI), these institutions need to protect:

  • Income
  • Credit Score
  • Collection History
  • Family Member PIIandNPI


The California Consumer Privacy Act of 2018 (CCPA) protects the data of Californians from being collected and mishandled. The law grants the citizens of California the rights to know all the information a business collects on them, to forbid companies from selling their data, to delete their data, and more.

List of PII PHI PANs Other Information

  • Social Security Number
  • Credit Card Number
  • Bank Account Number
  • First Name
  • Last Name
  • Address
  • Zip Code
  • Email Address
  • Birth Date
  • Passwords
  • Military ID
  • Driver's License Number
  • Vehicle License Number
  • Phone Number
  • Fax Number
  • Names
  • Addresses / Zip Codes / Geocodes
  • Dates
  • Phone Numbers
  • Fax Numbers
  • Email Addresses
  • Social Security Numbers
  • Medical Record Numbers
  • Health Plan Beneficiary Numbers
  • Account Numbers
  • Certificate / License Numbers
  • Vehicle Identifiers
  • Device Identifiers
  • URLs
  • IP Addresses
  • Biometric Identifiers
  • Facial Images
  • Any Other Unique Identifiers
  • There is no list of PANs, as they are unique to individual accounts.

    A PAN is a 14, 15, or 16 digit number generated as a unique identifier for a primary account.

  • Codes
  • Formulas
  • Trade Secrets
  • Military Information
  • Classified Information
  • etc.

Request More Information

Live Chat

* indicates a required field.
IRI does NOT share your information.