As digital businesses scale, so does the complexity of their compliance obligations—especially under PCI DSS 4.0. The latest iteration of the standard introduces tighter technical requirements and broader oversight, from mandatory log automation to expanded access controls and risk-driven testing. For many organizations, this translates into higher compliance costs, longer timelines, and more pressure on teams. But what if you could reduce your PCI scope entirely—without compromising access or analytics?
That’s the promise of data-centric security: a proactive approach that protects sensitive data like cardholder information at the source and throughout its lifecycle. By applying privacy-enhancing technologies – specifically tokenization – you can remove sensitive data from systems altogether. Those systems will no longer fall within PCI scope. The result is a dramatically reduced compliance surface, simplified audits, and protection by design. As James Rice, VP of Data Security & Analytics at Protegrity, puts it: “The best way to reduce risk is to remove the data. If there’s nothing sensitive to steal, the cost of a breach drops to near zero.”
The true enabler of this model is automation. From intelligent role-based access controls to AI-driven data classification, modern enterprises can now apply security policies automatically and consistently. This not only eliminates the need for compensating controls but ensures sensitive data is protected as it moves across ingestion pipelines, storage layers, and analytic tools. Compliance becomes continuous, adaptive, and far less resource-intensive—allowing teams to focus on innovation, not checklists.
And while the vision of frictionless, automated compliance sounds ambitious, it’s already here—and you can see it in action. In the next section we walk through how Protegrity’s API-based platform helps developers and security architects tokenize sensitive data with just a few lines of code. Whether you’re modernizing legacy systems or launching new cloud-native services, this interactive playground lets you explore how tokenization works—and how it can be embedded directly into your data architecture to instantly reduce scope and enhance security.
Explore PCI DSS Protection in the API Playground
Securing PCI and PII data is at the core of what we do at Protegrity. You can try out Protegrity’s capabilities today, through our API Playground. This section walks you through some sample scenarios of de-identifying PCI data, so that it is removed from your environment and only reversed once it leaves it.
To run this example, you have to be signed up to the Protegrity API Playground. Head to the registration page to create your account and make sure to check out our Getting Started guide to set up your environment. This guide uses Python, but you can recreate the examples in your language of choice.
Once logged in, let’s start by sending a simple request to protect a Credit Card Number. In the Playground we provide specific endpoints for each data type. Here, we’ll use the ccn endpoint. Copy the following code snippet and let’s modify it to match your environment.
import requests
import json
url = 'https://api.playground.protegrity.com/v1/ccn'
headers = {
'x-api-key': '<API_Key>',
'Content-Type': 'application/json',
'Authorization': '<JWT_TOKEN>'
}
data = {
"operation": "protect",
"data": ["4321567898765432"],
"options": {
"bin": false
}
}
response = requests.post(url, headers=headers, data=json.dumps(data))
print(response.text)
Supply your own API_Key and the JWT_Token in the placeholders.
The operation is set to protect as we will be de-identifying, i.e. protecting the data sent. You can supply any synthetic Credit Card number in the body. With the option bin set to true you can choose to leave part of the CCN in the clear, without applying the protection.
Once you’re happy with the request, hit send. A few milliseconds later you should see the CCN protected using Protegrity’s tokenization algorithm:
["4063818346309972"]
And – poof! The original Credit Card Number is gone. To get it back, simply send the token to the same endpoint, specifying the operation to unprotect:
import requests
import json
url = 'https://api.playground.protegrity.com/v1/ccn'
headers = {
'x-api-key': '<API_Key>',
'Content-Type': 'application/json',
'Authorization': '<JWT_TOKEN>'
}
data = {
"operation": "unprotect",
"data": ["4063818346309972"],
"options": {
"bin": false
}
}
response = requests.post(url, headers=headers, data=json.dumps(data))
print(response.text)
This simulates a real-life scenario in which Credit Card Numbers are de-identified as soon as they are received, i.e. within a data streaming pipeline or an ETL process. They are stored as tokens in the database, effectively removing them from the environment and, hence, the PCI DSS scope. The CCNs are only returned to their original values when the data needs to be accessed by end-users or systems.
We can extend this scenario: in most cases you will be processing full Credit Card details, including the expiry date, CVV, and the card holder’s name. You can group all your requests in a single body using the /multi endpoint provided by the Playground. See the below example:
import requests
import json
JWT_Token = "<JWT_TOKEN>"
API_Key = "<API_Key>"
url = 'https://api.playground.protegrity.com/v1/multi'
headers = {
'x-api-key': API_Key,
'Content-Type': 'application/json',
'Authorization': JWT_Token
}
data = [
{
"id": "ccn",
"type": "ccn",
"operation": "protect",
"data": ["4321567898765432"]
},
{
"id": "expiry_date",
"type": "number",
"operation": "protect",
"data": ["02/2027"]
},
{
"id": "cvv",
"type": "number",
"operation": "protect",
"data": ["521"]
}
]
response = requests.post(url, headers=headers, data=json.dumps(data))
print(response.text)
You can assign any IDs that are meaningful to your scenario. The response will carry the IDs along with the de-identified data:
[
{
"id": "ccn",
"results": ["4063818346309972"]
},
{
"id": "expiry_date",
"results": ["11/5152"]
},
{
"id": "cvv",
"results": ["343"]
}
]
At last, you can leverage Protegrity’s classification capabilities to discover PCI and PII data in any given unstructured text. You can also decide to protect the fields carrying sensitive data, if such are found. Use the /ai endpoint to see it in action:
import requests
import json
JWT_Token = "<JWT_TOKEN>"
API_Key = "<API_Key>"
url = 'https://api.playground.protegrity.com/v1/ai'
headers = {
'x-api-key': API_Key,
'Content-Type': 'application/json',
'Authorization': JWT_Token
}
data = {
"operation": "protect",
"options": {
"format": "text",
"type": "tokenize",
"tags": True,
"threshold": 0.7
},
"data": ["Hi, my name is Jon Eagle and I'd like to see the charges associated with my credit card, the number is 5185536113541956."]
}
response = requests.post(url, headers=headers, data=json.dumps(data))
print(response.text)
If you run the same example, you should get the following result:
{
"results": "Hi, my name is [PERSON]roE Vnkrz[/PERSON] and I'd like to see the charges associated with my credit card, the number is [CREDIT_CARD]62251273392985461[/CREDIT_CARD]."
}
You can adjust the configuration of the request to match your requirements, i.e. your risk tolerance (represented by threshold), inclusion of tags, and the preferred protection method. More information about our /ai endpoint can be found on the API Playground’s documentation page.