Code Room
System design | Hard | sd-g622
Subject: PII tokenization security | Level: Senior–Staff | ~45 min | Common in Security interviews | Industries: Technology

Question

Design a PII-tokenization and data-masking service that lets a large org store and process sensitive data (SSNs, card numbers, emails) without raw PII spreading across hundreds of downstream systems. Applications exchange real values for tokens at the boundary; only authorized services can detokenize. It must handle 100k tokenize/detokenize ops/sec with p99 latency under 25 ms, preserve format (a tokenized card must still pass a Luhn-shaped check for legacy systems), and shrink PCI/PII compliance scope. Cover the token vault, the detokenization access model, and the security/operability trade-off.

What a strong answer looks like

Clarify scale and constraints first. Propose a clean component breakdown, then go deep on the hard parts — data model, bottlenecks, consistency, failure modes — and name the trade-offs you are making.
