What Is PII Masking? Methods, Examples & How It Works
PII masking hides personally identifiable information so it can't be read while keeping data usable. Here are the main methods — redaction, blurring, tokenization, encryption and anonymization — and where screen-share blurring fits.
PII masking is the practice of obscuring personally identifiable information so it can't be read, while keeping the surrounding data usable. Instead of deleting a name or an account number, you hide or replace it — by redacting it, blurring it, swapping it for a token, or encrypting it. Masking shows up everywhere from databases and logs to the screen you share on a video call.
What counts as PII?
Personally identifiable information is any data that can identify a specific person — on its own or combined with other data. Common examples:
- Direct identifiers — full name, email address, phone number, government ID, account or card numbers.
- Quasi-identifiers — date of birth, postal code, job title, IP address; harmless alone, identifying in combination.
- Sensitive categories — health information (PHI), financial details, and other regulated data with stricter handling rules.
Common PII masking methods
| Method | What it does | Reversible? | Typical use |
|---|---|---|---|
| Redaction | Removes or blacks out the value entirely | No | Documents, exports, PDFs |
| Blurring | Visually obscures it so it can't be read | No (visually) | Screens, images, screen sharing |
| Tokenization | Replaces it with a non-sensitive stand-in token | Yes (with the vault) | Payments, databases |
| Encryption | Encodes it so only a key can read it | Yes (with the key) | Data at rest and in transit |
| Anonymization | Strips identifiers so no one can be re-identified | No | Analytics, research data |
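The "Reversible?" column is the practical difference between these methods. The following is an added example, not code from this page or from any product it mentions: it applies redaction and vault-based tokenization to one log line. The regex patterns, the `TokenVault` class and the sample line are assumptions constructed for illustration.

```python
import re
import secrets

# Assumed detection patterns for this example; real detectors need wider coverage.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so arbitrary long digit runs (order IDs) are left alone."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def redact(text: str) -> str:
    """Redaction: the value is dropped and cannot be recovered."""
    def card(m):
        digits = re.sub(r"\D", "", m.group())
        return "[REDACTED-CARD]" if luhn_ok(digits) else m.group()
    return EMAIL_RE.sub("[REDACTED-EMAIL]", CARD_RE.sub(card, text))

class TokenVault:
    """Tokenization (hypothetical in-memory vault): reversible only via the vault."""
    def __init__(self):
        self._by_token, self._by_value = {}, {}

    def tokenize(self, value: str) -> str:
        if value not in self._by_value:      # same value always maps to same token
            token = "tok_" + secrets.token_hex(8)
            self._by_value[value] = token
            self._by_token[token] = value
        return self._by_value[value]

    def detokenize(self, token: str) -> str:
        return self._by_token[token]         # raises KeyError for unknown tokens

    def tokenize_emails(self, text: str) -> str:
        return EMAIL_RE.sub(lambda m: self.tokenize(m.group()), text)

# Constructed sample log line; the card is a well-known test number, not a real account.
SAMPLE = "user=ana@example.com paid with 4111 1111 1111 1111 order=1234567890123"
```

The tokens are random rather than derived from the value, so a masked log reveals nothing without access to the vault, which then needs the same protection as the original data.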
Masking vs. encryption vs. anonymization
These overlap but aren't the same. Encryption protects data in storage and transit and is reversible with a key — but an encrypted field, once decrypted on screen, is fully readable. Anonymization permanently removes the link to a person, so it can't be reversed. Masking sits in between: it hides values at the point of display or use, often without changing the underlying record. Screen-share blurring is a form of masking applied at the moment of presentation.
Where screen-share blurring fits
Data-layer masking protects PII inside your systems. But the moment you screen-share a CRM, a dashboard or an inbox, that data is rendered in full on your screen — decrypted, un-tokenized, and visible to everyone on the call. Visual masking closes that last gap: a tool like BlurFirst blurs the specific fields in the page before you share, so PII you're not presenting never reaches the feed. It complements, rather than replaces, masking in your data layer.
PII masking best practices
- Apply the minimum-necessary principle — only expose the PII a task or audience actually requires.
- Mask at every layer it appears: storage, logs, exports, and the screen during live presentations.
- Choose the method by whether you need the original value back: tokenization or encryption when it must be reversible, redaction or anonymization when it must not.
- Test what's actually visible, including tooltips, hover states and content that loads as you navigate.