## The National Identifier Mask - United States - Social Security Number (SSN)

The SSN consists of 9 digits which are typically dash separated as shown in the example below:

587-65-4320

Historically, each digit group had special significance; however, effective as of June 25, 2011, the US Social Security Administration (SSA) changed the way Social Security Numbers are issued such that the digits no longer have any particular significance except for a few range restrictions as explained below. The SSA describes this new issuing scheme as 'SSN randomization'.

If we represent the SSN format as:

AAA-GG-SSSS

The range restrictions are:

AAA: The 'Area' number. Must be between 001 and 899 inclusive; except that 666 is excluded.

GG: The 'Group' number. Must be between 01 and 99 inclusive.

SSSS: The 'Serial' number. Must be between 0001 and 9999 inclusive.

DataVeil provides an SSN mask that can be used in a deterministic or non-deterministic manner. The determinism of the SSN mask can be set in the Determinism tab.

**Format Preservation**

If the SSN is a text field then DataVeil shall attempt to preserve the format of every original SSN value by preserving all non-numeric characters. Therefore, rows that have dash-separated SSNs shall be masked using the same dash-separated format, while other rows that may be space-separated shall be maintained as space-separated.

**Note:** A format discrepancy can arise for SSN text values that contain fewer than 9 digits because DataVeil shall generate SSNs across the full 9 digit SSN range. For example, if the original SSN value is '12-12-1234' then internally DataVeil shall regard this as equivalent to '012-12-1234' (leading zero inserted) and may therefore calculate the masked SSN as '321-45-6789' (the masked value contains 9 digits instead of the original 8 in this example).

**NULL**

NULL values are preserved.

**Deterministic mode**

If the SSN mask is Deterministic then every SSN value shall be mapped in a distinct manner.

Therefore a specific original SSN will always receive the same masked value whenever using the same Seed value.

You have the option to preserve the first three digits of the original SSN by selecting the corresponding checkbox shown.

**Invalid original SSN values - Deterministic mode**

When using a deterministic SSN mask, DataVeil will handle any invalid original SSN value as follows:

If the original SSN has 9 digits then any invalid numbers shall be preserved and the remainder shall be masked. This will enable you to detect invalid SSNs in the masked data that are occurring in your original data. Since these are invalid numbers they do not reveal any sensitive information.

For example, if DataVeil encounters 123-00-6789 then it would preserve the '00' (an invalid Group number) and mask the remainder. A possible masked value could be 526-00-3986.

If DataVeil encounters a value with fewer than 9 digits then it shall first pad the value with '0's on the left and use this as the input SSN. For example, if the input was '14417807' then DataVeil would treat this as '014417807' for the purposes of deriving a deterministic value.

If DataVeil encounters an SSN with more than 9 digits then those additional digits will be masked with zeroes.

NULL values are preserved. Values that do not contain any digits are preserved.
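The rules above can be checked against masked output before it is released to a test environment. The following is an added example, not DataVeil code: the function names and sample rows are hypothetical, values with more than 9 digits are left out of scope, and it assumes that components which were valid in the original remain valid after masking.

```python
import re

PARTS = ("area", "group", "serial")

def split_ssn(value):
    """Return (AAA, GG, SSSS) digit strings; short values are left-padded with '0'."""
    digits = re.sub(r"\D", "", value or "")
    if not digits or len(digits) > 9:
        return None  # no digits, or more than 9 digits: outside this sketch
    digits = digits.zfill(9)
    return digits[:3], digits[3:5], digits[5:]

def invalid_parts(value):
    """Names of the components that break the range restrictions listed above."""
    parts = split_ssn(value)
    if parts is None:
        return None
    area, group, serial = (int(p) for p in parts)
    bad = set()
    if not 1 <= area <= 899 or area == 666:
        bad.add("area")
    if group < 1:           # two digits, so 99 is the implicit upper bound
        bad.add("group")
    if serial < 1:          # four digits, so 9999 is the implicit upper bound
        bad.add("serial")
    return bad

def check_deterministic_mask(original, masked):
    """Return a list of rule violations for one row; an empty list means pass."""
    if original is None or not re.search(r"\d", original):
        return [] if masked == original else ["NULL or digit-free value changed"]
    o, m = split_ssn(original), split_ssn(masked)
    if o is None or m is None:
        return ["unsupported digit count"]
    problems = []
    if re.sub(r"\d", "", original) != re.sub(r"\d", "", masked):
        problems.append("non-numeric characters changed")
    bad = invalid_parts(original)
    for name, before, after in zip(PARTS, o, m):
        if name in bad and before != after:
            problems.append(f"invalid {name} {before} not preserved")
    # Assumption: components that were valid stay valid after masking.
    for name in sorted(invalid_parts(masked) - bad):
        problems.append(f"masked {name} is out of range")
    return problems

# Constructed sample rows (original, masked); values taken from the text above.
ROWS = [("123-00-6789", "526-00-3986"), ("12-12-1234", "321-45-6789"), (None, None)]
if __name__ == "__main__":
    for original, masked in ROWS:
        print(original, "->", masked, check_deterministic_mask(original, masked) or "ok")
```

Running the same check over a sample of masked rows also gives a count of invalid SSNs present in the source data, since those components survive masking.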

**Non-Deterministic mode**

If this mask is non-Deterministic then SSNs shall be generated sequentially beginning with the value shown in the 'Default start SSN' field.

This mask can generate all of the 888,931,098 valid SSN values starting from 001-01-0001.

Although these SSN values are generated sequentially, they are assigned to target rows in a random order each time that this mask is executed.

**Continue sequence numbers**

The 'Continue sequence numbers' checkbox is only relevant if you have multiple Non-Deterministic SSN masks for the same Column.

It means that if there was a previous Non-Deterministic SSN mask for this Column then this mask shall start generating SSN values from the next SSN in sequence after where the previous mask completed. If there was no such previous mask (or the 'Continue sequence numbers' checkbox is not selected) then this mask shall start from the value in the 'Default start SSN' field.

This continuation shall work even if there are other non-SSN masks between the current and previous Non-Deterministic SSN masks.

**Invalid original SSN values - Random mode**

When using a non-deterministic SSN mask, DataVeil will handle any invalid original SSN value as follows:

Unlike the deterministic SSN mask, invalid numbers are not preserved. This mask shall always attempt to mask all digits.

If the original value has 9 digits then this mask shall generate a valid SSN.

If the original value does not have 9 digits (an invalid SSN) then this mask shall mask all digits and therefore the masked SSN shall also be invalid.

NULL values are preserved. Values that do not contain any digits are preserved.