Hero Background

Next-Gen App & Browser Testing Cloud

Trusted by 2 Mn+ QAs & Devs to accelerate their release cycles

Next-Gen App & Browser Testing Cloud
TestingSecurity

Data Masking: Techniques, Types, and Best Practices

A practitioner's guide to masking production data into safe, compliant, referentially intact test data, with techniques, types, and standards you can act on.

Author

Sadhvi Singh

Author

Last Updated on: July 2, 2026

Every time a team copies production data into a test or staging environment, it multiplies the number of places real customer records can leak from. Data masking is how QA and data teams keep those lower environments useful without keeping them dangerous: it swaps sensitive values for realistic fakes while preserving the structure that tests depend on.

This guide walks through what data masking is, its types and techniques, how it differs from encryption and tokenization, the compliance rules that shape it, and how to mask test data without breaking referential integrity.

Overview

What is data masking?

Data masking replaces real sensitive values with realistic but fictitious ones, so a dataset stays usable for testing and analytics without exposing real people.

What are the types of data masking?

  • Static data masking: a permanently masked copy at rest, used in test and staging environments.
  • Dynamic data masking: masks values on the fly at query time, based on the requesting user's role.
  • On-the-fly masking: masks data in transit as it moves from source to target, common in continuous data provisioning.

How do you keep masked test data usable?

Use deterministic techniques that preserve referential integrity so joins and foreign keys still work. For test teams provisioning masked data at scale across environments, TestMu AI's AI-native test management platform keeps test data, execution, and audit trails in one governed workspace.

What Is Data Masking?

Data masking is the process of replacing sensitive data with structurally similar but inauthentic values. The masked dataset keeps the same format, length, and data types as the original, so applications and tests behave the same, but the real names, card numbers, and health records are gone.

The idea maps directly to a legal concept. GDPR Article 4(5) defines pseudonymisation as processing personal data so it "can no longer be attributed to a specific data subject without the use of additional information," provided that additional information is kept separately. Most masking aims for something stronger: an irreversible transformation where the original value cannot be recovered from the output at all.

Masking is not the same as generating test data from scratch. Masking starts from real production records and transforms them, so the resulting dataset keeps the real distributions and edge cases that make tests meaningful. Here is what the transformation looks like on a single record:

  • Before: name "Priya Sharma", card "4539578763621486", SSN "482-19-7365".
  • After: name null, card "453957******1486", SSN "XXX-XX-7365".
  • Unchanged: field names, data types, string lengths, and the relationships between tables.

Why Mask Test Data

The stakes are concrete. Under GDPR Article 83, regulators can impose fines of up to 20 million EUR, or 4% of total worldwide annual turnover, whichever is higher, for infringing basic processing principles. Yet one of the least-governed places personal data lands is the test environment.

A single production database restore into staging can copy every customer's real data into a system with weaker access controls, no encryption at rest, and shared developer logins. Masking closes that gap before the data ever leaves production. The specific reasons to mask test data:

  • Shrink the blast radius: a breach of a masked staging database exposes fictitious values, not real customers.
  • Reduce regulatory scope: environments holding only masked or pseudonymised data carry lighter compliance obligations than those holding raw personal data.
  • Enable safe collaboration: masked datasets can be shared with offshore teams, contractors, and vendors without a data processing agreement for every record.
  • Keep tests realistic: unlike random data, masked production data preserves the volume, skew, and messy edge cases that break software.

This is where masking connects to the wider discipline of test data management and database testing: the goal is a dataset that is safe to use and faithful to production at the same time.

Note

Note: Copying raw production data into lower environments is one of the most common compliance gaps in QA. TestMu AI gives teams a governed, SOC 2 Type II and ISO 27001 certified workspace to manage test data and execution together. Start free

What are the Types of Data Masking?

The type of masking you choose is defined by when and where the masking happens, not by which algorithm scrambles the value. Three types cover almost every use case.

TypeHow it worksBest fit
Static data maskingCreates a permanently masked copy of the data at rest, usually during a database clone or extract, before it reaches a lower environment.Provisioning test, staging, and analytics environments where the original values must never be present.
Dynamic data maskingLeaves the source data intact and masks values on the fly as they are read, applying rules based on the requesting user's role.Controlling what support agents, analysts, or read-only users see in a live system without duplicating data.
On-the-fly maskingMasks records in transit as they move from source to target, so no unmasked copy is ever written to the destination.Continuous data delivery and CI pipelines that refresh test environments on every build.

For QA teams, static and on-the-fly masking matter most: both produce a safe dataset to test against. Dynamic masking is a production access control, closer to row-level security than to test data provisioning.

What are the Data Masking Techniques?

Where the type decides when masking happens, the technique decides how each value is transformed. A real masking job usually applies several techniques, one per column, chosen by how the data is used downstream.

TechniqueWhat it doesExample
SubstitutionSwaps a value for a realistic one drawn from a fake pool."San Francisco" becomes "Springfield".
ShufflingReorders existing values within a column, keeping the same set of values but breaking the link to each row.Salaries reassigned to different employees.
Nulling / redactionRemoves the value entirely or replaces it with a constant.Full name set to null.
Character maskingReveals only part of a value and masks the rest, preserving format.Card shown as "453957******1486".
Number / date varianceShifts a number or date by a bounded random amount, keeping the distribution roughly intact.A balance nudged within 10%.
Deterministic pseudonymizationMaps the same input to the same token using a keyed function, so relationships survive.A phone number becomes a stable "usr_" token.

To make this concrete, here is a small masking routine we ran on one record. It combines nulling, character masking, format-preserving card masking, deterministic pseudonymization, substitution, and numeric variance:

import crypto from 'crypto';

const salt = 'tdm-salt-2026';
// Deterministic: same input -> same token (preserves referential integrity)
const pseudonymize = (v) =>
  'usr_' + crypto.createHmac('sha256', salt).update(String(v)).digest('hex').slice(0, 10);

// Format-preserving: keep first 6 + last 4 (PCI DSS baseline), mask the middle
const maskCard = (c) => c.slice(0, 6) + '*'.repeat(c.length - 10) + c.slice(-4);

// Character masking: keep the email domain, mask the local part
const maskEmail = (e) => {
  const [local, domain] = e.split('@');
  return local[0] + '*'.repeat(Math.max(local.length - 1, 1)) + '@' + domain;
};

const record = {
  full_name: 'Priya Sharma',
  email: '[email protected]',
  phone: '+1-415-555-0147',
  card_number: '4539578763621486',
};

console.log({
  full_name: null,                          // nulling
  email: maskEmail(record.email),           // character masking
  phone: pseudonymize(record.phone),        // deterministic pseudonymization
  card_number: maskCard(record.card_number) // format-preserving
});

Running it produced this output. The card keeps the exact first-six and last-four format a payment system expects, and pseudonymizing the same phone number twice returns an identical token, which is what keeps joins intact:

MASKED (safe test data):
{
  "full_name": null,
  "email": "p***********@acme.io",
  "phone": "usr_29f97c5f85",
  "card_number": "453957******1486"
}

Referential-integrity check (same phone -> same token twice): PASS - deterministic

The technique per column is a design decision: substitution and variance keep analytics test data realistic, while nulling and redaction are fastest when a column has no test value at all. For teams that need to fabricate additional rows rather than transform real ones, a synthetic data generator pairs well with masking to fill gaps and scale volume.

Test across 3000+ browser and OS environments with TestMu AI

Masking vs Encryption vs Tokenization

These three are often confused because all of them obscure data. The difference that matters for test data is reversibility: can someone recover the original value, and do they need to?

AttributeData maskingEncryptionTokenization
Reversible?Usually no, by design.Yes, with the key.Yes, via the token vault.
Format preserved?Yes, that is the point.Often not; output is ciphertext.Yes, tokens mimic the format.
Primary useSafe test, analytics, and shared datasets.Protecting data in transit and at rest in production.Removing sensitive values from systems that must still reference them.
Best for QAYes, directly.No; testers would need the key, defeating the purpose.Partly, for payment-flow tests.

The rule of thumb: if a system must recover the original value later, use encryption or tokenization. If nobody downstream should ever see the original, mask it. Test environments almost always fall into the second case, which is why masking is the default tool for safe test data.

Data Masking and Compliance

Masking is named or implied across the major data-protection regimes. Three are worth knowing precisely, because each defines what "sufficiently masked" means for the data it governs.

  • GDPR (EU): pseudonymisation is defined in Article 4(5) and treated as a recommended safeguard, while Recital 26 places genuinely anonymised data outside the regulation's scope entirely. Masking test data moves it toward, or past, that line.
  • HIPAA (US healthcare): the U.S. Department of Health and Human Services recognizes two de-identification methods, Expert Determination and Safe Harbor, the latter requiring removal of a defined set of identifiers before health data can be shared or used freely.
  • PCI DSS (payments): the PCI Security Standards Council states that a maximum of the first six and last four digits of a primary account number is the baseline that may be retained after truncation.

The practical takeaway: your masking rules should be written against the specific standard your data falls under. A card column masked to first-six and last-four satisfies the PCI baseline; a patient dataset needs the HIPAA identifier set removed, not just a name nulled. Documenting which rule maps to which column is what turns masking into an auditable control.

Shift from a legacy test platform to TestMu AI

Masking Without Breaking Data

The failure mode that ruins masked test data is broken referential integrity. If a customer ID is masked to one value in the orders table and a different value in the payments table, every join fails and the dataset is useless for realistic testing.

Deterministic masking solves this. Because a keyed function maps the same input to the same output every time, a masked foreign key still matches its masked primary key across tables. The rules that keep masked data usable:

  • Mask keys deterministically: use the same keyed function for every occurrence of an identifier so joins survive.
  • Preserve format and constraints: a masked email must still pass an email regex; a masked date must still respect check constraints.
  • Keep data distributions: mask a "country" column by substitution, not nulling, so queries that group by country still return meaningful shapes.
  • Version the masking rules: treat the ruleset as code so a masked dataset is reproducible and auditable.

Masking is only half the job; the masked data then has to flow into governed test cycles. TestMu AI's Test Manager keeps test cases, execution, and results in one workspace with role-based access control at the organization, project, and folder level, AES-256 encryption at rest, and compliance-grade audit trails that log every create, update, and execution. That is the difference between a masked file on someone's laptop and a masked dataset used inside an auditable process.

This also connects masking to data-driven testing: once a masked dataset is stable and referentially intact, it becomes a reliable input source that a data-driven suite can iterate over without ever touching production PII.

What are the Best Practices of Data Masking?

A masking program that holds up under audit follows the same discipline as any other security control: classify first, automate, and verify.

  • Discover and classify before masking: you cannot mask a PII column you have not found. Inventory sensitive fields first, then map each to a masking rule.
  • Mask as close to the source as possible: mask during extract or in transit, so an unmasked copy never lands in a lower environment.
  • Prefer irreversible masking for test data: if testers never need the original, do not keep a way back to it.
  • Preserve referential integrity by default: use deterministic masking for all keys and cross-table identifiers.
  • Automate masking in the pipeline: a manual masking step gets skipped under deadline; a pipeline step does not.
  • Audit the result: scan the masked output to confirm no real identifiers survived, and log the run.

For a broader view of provisioning masked and synthetic data at scale, see our roundup of test data management tools, which covers the tooling layer that automates these steps.

Note

Note: This article was reviewed, fact-checked, and published by Sadhvi Singh, Director of Quality Engineering and Community Contributor at TestMu AI, whose listed expertise includes security testing and database testing, and it was researched and drafted with AI assistance. Sources cited are from primary standards bodies (GDPR, HHS/HIPAA, and the PCI Security Standards Council). Read our editorial process and AI use policy for details.

Conclusion

Start by inventorying the sensitive columns in the data you copy into lower environments, then assign each one a masking rule: deterministic pseudonymization for keys, format-preserving masks for cards and identifiers, and substitution for values you still want to query. Automate that ruleset into your provisioning pipeline so every environment refresh produces safe, referentially intact test data by default.

From there, run that masked data through a governed process. Explore TestMu AI's Test Manager to keep test cases, execution, and audit trails in one compliant workspace, and see the test run and cycle documentation to connect masked datasets to your test cycles.

Author

...

Sadhvi Singh

Blogs: 9

  • Twitter
  • Linkedin

Sadhvi Singh is a software testing and quality engineering leader with 14+ years of experience driving automation, performance, and AI-augmented QA initiatives. Currently Director of Quality Engineering at Brevo, she specializes in API and UI automation, performance testing, CI/CD integration, and vulnerability management systems (SCA, SAST, DAST). Sadhvi is ISTQB Foundation and Advanced Test Analyst certified and has led large QA teams across enterprise environments.

Open in ChatGPT Icon

Open in ChatGPT

Open in Claude Icon

Open in Claude

Open in Perplexity Icon

Open in Perplexity

Open in Grok Icon

Open in Grok

Open in Gemini AI Icon

Open in Gemini AI

Copied to Clipboard!
...

3000+ Browsers. One Platform.

See exactly how your site performs everywhere.

Try it free
...

Write Tests in Plain English with KaneAI

Create, debug, and evolve tests using natural language.

Try for free

Data Masking FAQs

Did you find this page helpful?

More Related Blogs

TestMu AI forEnterprise

Get access to solutions built on Enterprise
grade security, privacy, & compliance

  • Advanced access controls
  • Advanced data retention rules
  • Advanced Local Testing
  • Premium Support options
  • Early access to beta features
  • Private Slack Channel
  • Unlimited Manual Accessibility DevTools Tests