GCP Professional Cloud Security Engineer Practice Question

While migrating 10 years of purchase data from Cloud SQL for MySQL to BigQuery, you must scrub a 16-digit credit_card_number column. Compliance requires that analysts can still join historical and new tables on the protected value, the field must remain exactly 16 numeric characters so existing regex-based ETL jobs keep working, and a restricted security team must be able to re-identify a card if fraud is reported. Which Sensitive Data Protection (DLP) de-identification technique best meets all these needs with minimal schema changes?

Redaction of the first 12 digits, leaving only the final 4 digits visible
Format-preserving encryption (FPE) using the numeric alphabet (FPE_FF31)
Tokenization that replaces each card number with a randomly generated surrogate key
Bucketing card numbers into predefined numeric ranges

Report Issue

Answer Description

Format-preserving encryption (FPE) encrypts each credit-card value yet keeps the ciphertext in the same 16-digit numeric format, so no ETL or schema updates are needed. FPE is deterministic for a given key and tweak, meaning the same card number always encrypts to the same 16-digit string, which preserves the ability to perform equality joins across historical and new tables. Because the data is encrypted rather than irreversibly transformed, authorized users who possess the key can decrypt specific values for fraud investigations. In contrast, random tokenization breaks joins, redaction shortens the field, and bucketing discards the exact value, preventing re-identification.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.