Data masking replaces sensitive data with realistic but fictitious values — for testing, development, and analytics where real data isn't needed.
Static masking: permanently replaces data. Dynamic masking: masks data on the fly when accessed. Tokenization: replaces data with a token that maps back to the real value. Used heavily in PCI DSS for cardholder data.
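The three approaches side by side, as an added example that is not part of the original page: static masking overwrites a copy, dynamic masking leaves storage intact and masks per read, and tokenization keeps a reversible mapping in a vault. The function names, the `billing` role, the `tok_` prefix and the sample record are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample record; 4111111111111111 is a widely used test card number.
RECORD = {"name": "Alice Example", "pan": "4111111111111111"}

def static_mask(record, key):
    """Static masking: return a copy whose PAN is permanently replaced.
    The fake value is derived with a keyed HMAC, so the same input always maps
    to the same fake (joins still work) but the masked copy holds no original."""
    digest = hmac.new(key, record["pan"].encode(), hashlib.sha256).hexdigest()
    n = len(record["pan"])
    fake = str(int(digest, 16)).zfill(n)[:n]
    return {**record, "pan": fake}

def dynamic_view(record, role):
    """Dynamic masking: stored data is untouched; the mask is applied per read."""
    if role == "billing":  # hypothetical privileged role
        return dict(record)
    pan = record["pan"]
    return {**record, "pan": "*" * (len(pan) - 4) + pan[-4:]}

class TokenVault:
    """Tokenization: random tokens, with the token-to-value map held in a vault."""
    def __init__(self):
        self._by_token = {}
        self._by_value = {}

    def tokenize(self, value):
        if value not in self._by_value:
            token = "tok_" + secrets.token_hex(8)  # random, not derived from value
            self._by_value[value] = token
            self._by_token[token] = value
        return self._by_value[value]

    def detokenize(self, token):
        return self._by_token[token]  # reversal requires access to the vault

if __name__ == "__main__":
    key = secrets.token_bytes(32)
    vault = TokenVault()
    print("static :", static_mask(RECORD, key))
    print("dynamic:", dynamic_view(RECORD, "analyst"))
    print("token  :", vault.tokenize(RECORD["pan"]))
```

Only the tokenized value can be mapped back, and only through the vault; the statically masked copy has no path to the original.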