"Encryption" refers to encrypting data stored in a database using an encryption key.
Only users whose database access user ID has the appropriate encryption key can retrieve decrypted information. Please refer to your database's encryption guidelines for how to encrypt data.
"Masking" refers to overwriting all or part of a decrypted field value with a masking character before it is presented to a user (or an external system) without the appropriate security access. For example, an implementation can mask the first 12 digits of a credit card number with an asterisk for users who do not have security rights to see credit card numbers.
Multiple masking rules. The system allows different masking rules to be applied to different fields. For example, a credit card number can be masked differently than a social security number. In addition, some user groups may be allowed to see certain fields unmasked.
Masking happens after decryption. It is obvious, but worth emphasizing, that only decrypted data can be masked. This means that if a user does not have authority to retrieve decrypted data then masking is not relevant because the data to be masked would be encrypted.
The topics in this section describe how to mask field values.
Copyright © 2011, Oracle and/or its affiliates. All rights reserved.