GCP Professional Cloud Security Engineer Practice Question
Your fintech startup streams millions of purchase transactions into multiple BigQuery tables. Each record contains a 16-digit credit_card_number column in clear text. Compliance requires that:
Data analysts must never see full card numbers, but they still need to aggregate by issuing-bank BIN (the first six digits).
The fraud-investigation team must be able to recover full card numbers on demand.
Any new BigQuery tables or columns that contain card numbers must be protected automatically, without manual schema changes.
Which approach best satisfies all requirements while minimizing ongoing operational effort?
Enable BigQuery dynamic data masking to reveal only the first six digits of credit_card_number to analysts and the full value to the fraud team; copy the masking policy manually whenever a new table with card numbers is added.
Configure an organization-level Sensitive Data Protection discovery scan for BigQuery and automatically invoke a Dataflow de-identification pipeline that applies format-preserving encryption to only the last ten digits of any CREDIT_CARD_NUMBER field, using a Cloud KMS-wrapped key. Grant analysts read access to the de-identified tables and give the fraud team permission to call the SDP re-identify API with the same key when full PANs are needed.
Apply Data Catalog policy tags to every credit_card_number column, deny tag access to analysts, and create an authorized view that returns SUBSTR(credit_card_number,1,6)||"******"; grant the fraud team unrestricted table access.
Encrypt all credit card numbers client-side with deterministic AES using Cloud KMS before loading into BigQuery; store the ciphertext in BigQuery and keep the plaintext numbers in Secret Manager for the fraud team to retrieve.
Configure an organization-level Sensitive Data Protection (SDP) discovery scan so that any current or future BigQuery columns matching the CREDIT_CARD_NUMBER infoType are automatically identified. Feed the scan results to a Dataflow de-identification template that applies format-preserving encryption (FPE) only to the last ten digits of each 16-digit card number, leaving the first six digits in clear text, by using a custom infoType that targets digits 7-16. Analysts can group or join on the unchanged BIN, while the remaining digits are strongly protected. Because FPE is reversible with the same Cloud KMS-wrapped key, the fraud-investigation team (granted the reidentifyContent permission) can call the SDP re-identify API to decrypt the protected portion and obtain the full PAN. No manual updates are needed when new tables appear, because the organization-level discovery configuration and the Dataflow pipeline continue to detect and transform new card-number columns automatically.
The other choices fail to meet one or more requirements:
Policy tags with authorized views leave plaintext PANs in storage and require manual tagging of new columns.
Client-side deterministic AES changes every digit, preventing BIN-level aggregation unless a second derived field is maintained.
Dynamic data masking must be applied per column and only controls query results, not stored data, so new tables would need manual policy updates.
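The following Python is an added worked example and is not part of this practice question or of Google's own SDK or samples. It models the winning approach in two parts. The first builds the SDP (DLP API) request configuration with the API's real JSON field names: a custom infoType whose regex captures digits 7-16 of a 16-digit PAN and selects that capture group with `groupIndexes`, plus a `cryptoReplaceFfxFpeConfig` transformation under a Cloud KMS-wrapped key; the KMS key name, wrapped key bytes and custom infoType name are placeholders. The second part is an offline stand-in for FPE (a keyed modular digit shift, not the FF1 cipher SDP actually runs) so the round trip, BIN preservation and the analyst-side aggregation that the explanation describes can be exercised locally, and so the contrast with whole-value AES in the third rejected option is visible: the BIN stays groupable only because digits 1-6 are never transformed.

```python
"""Added example: SDP FPE config for digits 7-16 of a PAN, plus an offline
stand-in cipher to demonstrate BIN-preserving tokenisation and re-identification.
Not from the original page or from Google's libraries."""
import hashlib
import hmac
import re
from collections import Counter

# Capture group 1 is digits 7-16; the 6-digit BIN stays outside the finding.
PAN_PATTERN = r"\b\d{6}(\d{10})\b"
CUSTOM_INFOTYPE = "PAN_DIGITS_7_TO_16"   # assumed custom infoType name


def build_deidentify_config(kms_key_name: str, wrapped_key_b64: str) -> dict:
    """InspectConfig + DeidentifyConfig as sent to content.deidentify or used by a
    Dataflow de-identification job. kms_key_name is a placeholder KMS resource
    name; wrapped_key_b64 is the base64 DEK wrapped by that key (placeholder)."""
    return {
        "inspectConfig": {
            "customInfoTypes": [{
                "infoType": {"name": CUSTOM_INFOTYPE},
                # groupIndexes makes the capture group, not the whole match, the finding
                "regex": {"pattern": PAN_PATTERN, "groupIndexes": [1]},
            }],
        },
        "deidentifyConfig": {
            "infoTypeTransformations": {
                "transformations": [{
                    "infoTypes": [{"name": CUSTOM_INFOTYPE}],
                    "primitiveTransformation": {
                        "cryptoReplaceFfxFpeConfig": {
                            "cryptoKey": {"kmsWrapped": {
                                "wrappedKey": wrapped_key_b64,
                                "cryptoKeyName": kms_key_name,
                            }},
                            "commonAlphabet": "NUMERIC",  # output remains all digits
                        },
                    },
                }],
            },
        },
    }


# --- Offline stand-in for FPE (toy keyed digit shift, NOT FF1/FFX) --------------
def _digit_stream(key: bytes, tweak: str, n: int) -> list:
    """Keyed pseudo-random digits from HMAC-SHA256 in counter mode (demo only;
    byte % 10 is slightly biased, which a real FPE cipher does not have)."""
    digits, counter = [], 0
    while len(digits) < n:
        block = hmac.new(key, f"{tweak}|{counter}".encode(), hashlib.sha256).digest()
        digits.extend(b % 10 for b in block)
        counter += 1
    return digits[:n]


def _shift(tail: str, key: bytes, tweak: str, sign: int) -> str:
    stream = _digit_stream(key, tweak, len(tail))
    return "".join(str((int(d) + sign * s) % 10) for d, s in zip(tail, stream))


def deidentify_pan(pan: str, key: bytes) -> str:
    """Encrypt digits 7-16; keep the BIN as the tweak so tokens are deterministic."""
    m = re.fullmatch(PAN_PATTERN, pan)
    if not m:
        raise ValueError("expected a 16-digit PAN")
    bin6 = pan[:6]
    return bin6 + _shift(m.group(1), key, bin6, +1)


def reidentify_pan(token: str, key: bytes) -> str:
    """Fraud-team path: same key reverses the protected portion."""
    m = re.fullmatch(PAN_PATTERN, token)
    if not m:
        raise ValueError("expected a 16-digit token")
    bin6 = token[:6]
    return bin6 + _shift(m.group(1), key, bin6, -1)


def bin_counts(tokens) -> Counter:
    """Analyst path: aggregate by issuing-bank BIN on de-identified values."""
    return Counter(t[:6] for t in tokens)


# Constructed sample PANs (well-known test numbers / made-up digits) and a demo key.
SAMPLE_PANS = ["4111111111111111", "4111111122223333", "5555555555554444"]
DEMO_KEY = b"constructed-demo-key-not-from-kms"


def demo(pans=SAMPLE_PANS, key=DEMO_KEY) -> dict:
    tokens = [deidentify_pan(p, key) for p in pans]
    return {
        "tokens": tokens,
        "bin_counts": dict(bin_counts(tokens)),
        "round_trip_ok": [reidentify_pan(t, key) for t in tokens] == list(pans),
    }


if __name__ == "__main__":
    print(demo())
```

Using the BIN as the tweak keeps tokens deterministic, so equal PANs tokenise identically and analysts can still join across tables; SDP's FPE is deterministic in the same way, which is why the key must stay wrapped in Cloud KMS and the re-identify permission must be limited to the fraud team.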