API handling of PII and sensitive data
The API handles personally identifiable data (PII) and sensitive data in the following ways:
- PII and sensitive data in API responses
  - In API responses, the system masks sensitive data with asterisks. For example, the following highly sensitive fields are masked:
    - Tax ID
    - Bank account number
    - Customer login credentials
    - Insurance score
    - Debit card number
    - Credit card security code
    - Credit card expiry year
    - Credit card expiry month
    - Credit card number
- PII and sensitive data in API requests
  - API requests submit unmasked PII or sensitive data when there is a requirement to add or update the data. When updating a resource with a PUT or PATCH request, the API request can leave masked values as-is unless the request includes an update to the masked value.
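The following sketch illustrates the round trip described above: a response is masked, the client sends the body back with one sensitive field changed, and the server keeps the stored value for every field that is still masked. It is an added example, not the product's own code; the field names, the fixed-length mask and the rule that a masked value is a string made up only of asterisks are assumptions, since the page does not specify the mask format.

```python
import re

# Hypothetical field names standing in for some of the sensitive fields listed above.
SENSITIVE_FIELDS = {"taxId", "bankAccountNumber", "creditCardNumber"}

# Assumption: a fixed-length mask, so the response does not reveal the value's length.
MASK = "********"
# Assumption: any non-empty string made up only of asterisks counts as masked.
MASK_RE = re.compile(r"\*+")


def is_masked(value):
    """True when the submitted value is a mask rather than real data."""
    return isinstance(value, str) and MASK_RE.fullmatch(value) is not None


def mask_response(record):
    """Return a copy of the record with populated sensitive fields masked."""
    out = dict(record)
    for field in SENSITIVE_FIELDS & record.keys():
        if record[field] is not None:
            out[field] = MASK
    return out


def apply_update(stored, request_body):
    """Merge the fields of a PUT or PATCH body into the stored record.

    A sensitive field that is still masked in the request means "unchanged",
    so the asterisks never overwrite the real stored value.
    """
    updated = dict(stored)
    for field, value in request_body.items():
        if field in SENSITIVE_FIELDS and is_masked(value):
            continue  # client echoed the mask back: keep the stored value
        updated[field] = value
    return updated


if __name__ == "__main__":
    # Constructed sample record; none of these values are real.
    stored = {"name": "Pat Doe", "taxId": "123-45-6789", "bankAccountNumber": "000111222"}
    body = mask_response(stored)            # what a GET would return
    body["bankAccountNumber"] = "999888777"  # client updates one sensitive field
    print(apply_update(stored, body))        # taxId is preserved, bank account replaced
```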