Request access
RankShield Network · Financial

Financial data protectionthat never becomes the target.Financial data protection at RankShield Financial means verifying payments without hoarding the data attackers want. Account references are keyed and de-identified, the ledger stores commitments — not account numbers — and signing keys stay in hardware. Verification with payment data privacy built in, not bolted on.

no PII on ledgerHSM keysM-of-N release
unlinkable commitments · one accountno PII on ledger
account acct-04f2-1180 → what an observer sees on the ledger:

Every row is the same account — but every commitment differs, so payments can’t be correlated by anyone reading the ledger. The account number itself is never stored. Salted commitments, not zk-SNARKs.

01 // Nothing worth stealing
Verify without exposure

How does RankShield verify payments without becoming a honeypot?

By never collecting the data a honeypot is made of. A verification layer that stored raw account numbers would become the single most valuable target on the network — the exact thing attackers hunt for. RankShield inverts that: it verifies the intent and identity behind a payment, then records a keyed, nonce-bound commitment instead of the account itself. There is no vault of account numbers to breach, because the sensitive value was de-identified before anything was written. Protection here comes from not holding the data, not from promising to guard a pile of it — the strongest privacy posture is the one that has nothing worth stealing. This is a deliberate design choice with a real trade: RankShield gives up the convenience of holding raw data in exchange for a system where a full ledger breach yields commitments an attacker cannot open or correlate.

The full security posture
No PII
The ledger holds commitments and verdicts, not account numbers — nothing to breach.
De-identified
Account references are keyed and de-identified before anything is written.
Unlinkable
A fresh nonce per transaction means the same account looks different every time.
02 // Keyed de-identification
Keyed de-identification

What is keyed de-identification, and why is it unlinkable?

Every account reference is HMAC-keyed and de-identified under a secret pepper before it touches the ledger — a preimage-resistant transform, so the account number can’t be recovered from what’s stored. That de-identified value is then wrapped in a nonce-bound commitment: a fresh per-transaction nonce is mixed in, so the same account produces a different commitment on every payment. To an observer reading the ledger, two transactions from one account are unlinkable — there is no shared identifier to correlate them. Only a party holding the key can open the commitment. Honest framing: these are salted commitments, a zero-knowledge primitive — not full zk-SNARK proofs. We call it what it is. Try the demo: enter the same account twice and watch it produce two unrelated commitments, then confirm the key still opens both to the same underlying reference.

unlinkable commitments · one accountno PII on ledger
account acct-04f2-1180 → what an observer sees on the ledger:

Every row is the same account — but every commitment differs, so payments can’t be correlated by anyone reading the ledger. The account number itself is never stored. Salted commitments, not zk-SNARKs.

03 // Account to commitment
From account to commitment

What happens to an account reference before it reaches the ledger?

An account reference passes through three steps before anything is written, and the raw number survives none of them. First, de-identification: the reference is run through an HMAC transform keyed by a secret pepper held apart from the data, producing a preimage-resistant value from which the original account cannot be recovered. Second, nonce binding: a fresh per-transaction nonce is mixed in, so the committed value is different on every payment even for the same account — this is what makes the ledger unlinkable to an observer. Third, sealing: the resulting nonce-bound commitment, alongside the payment’s signed verdict, is written to the tamper-evident record. At no point is a raw account number persisted. When verification, dispute resolution, or settlement reconciliation later needs to confirm two transactions came from the same party, a keyholder opens the commitments; an outsider reading the same ledger sees only uncorrelated values.

1 · De-identify

HMAC under a pepper

The account reference is HMAC-keyed under a secret pepper held apart from the data — a preimage-resistant transform, so the number cannot be recovered from the output.

2 · Bind a nonce

fresh per transaction

A fresh per-transaction nonce is mixed in, so the same account produces a different commitment on every payment — unlinkable to anyone reading the ledger.

3 · Seal

commitment, not account

The nonce-bound commitment and the signed verdict are written to the tamper-evident record. No raw account number is ever persisted.

Open with the key

only a keyholder

Verification and dispute resolution open the commitment with the key to confirm two payments share an account. An outsider sees only uncorrelated values.

04 // Keys in hardware
Keys in hardware, releases by quorum

Where do signing keys live, and who can release a payment?

Signing keys live in a hardware security module (HSM) and never leave it in the clear, so the most sensitive material stays off application servers and out of reach of a server-side compromise. Releasing a payment is deliberately not a single-key act: it requires an M-of-N quorum, meaning several independent keys must agree before a release is authorized. No one key, and no one operator, can unilaterally push a payment through. That combination — hardware-held keys plus quorum release — removes the single points of failure that make key theft catastrophic, and it means an attacker who compromises one component still cannot forge a release on their own. The keys themselves sign with composite ML-DSA-65 under NIST FIPS 204, crypto-agile so the scheme can rotate, so the release authority is quantum-safe by construction as well as quorum-gated.

HSM-held keys

never leave hardware

Signing keys are generated and used inside a hardware security module and never exposed in the clear to application servers.

M-of-N release

no single key

A payment release needs a quorum of independent keys to agree — no one key and no one operator can authorize a release alone.

Commitments, not PII

nothing to steal

The ledger stores nonce-bound commitments rather than account numbers, so there is no store of PII to breach.

Unlinkable by design

fresh nonce per tx

The same account looks different on every transaction, so an observer can’t correlate a party’s payments across the ledger.

05 // On and off the ledger
What is and isn’t stored

What is actually written to the ledger, and what never is?

What is written is the minimum needed to verify a payment and prove the decision later; what is never written is anything an attacker could turn into value. The table below draws the line precisely. Signed verdicts, nonce-bound commitments, and the reasons for a release, hold, or deny are recorded, because those are what make the decision independently verifiable. Raw account numbers, the secret pepper, and the HSM signing keys are never on the ledger, because holding them would rebuild the honeypot the whole design exists to avoid. The result is a record that an examiner or partner can verify without ever handling a customer’s account data.

ElementOn the ledger?Why
Signed verdict (released / held / denied)WrittenMakes the decision independently verifiable
Nonce-bound commitmentWrittenLets a keyholder confirm identity without exposing the account
Verdict reasonsWrittenExplains why each payment was allowed or stopped
Raw account numberNeverDe-identified before write — no PII to breach
Secret pepperNeverHeld apart so a ledger copy can’t reverse the transform
HSM signing keysNeverGenerated and used only inside hardware

Commitments and verdicts persist; account numbers, the pepper, and signing keys never touch the ledger.

06 // No PII on the ledger
No PII on the ledger

The ledger stores commitments, not account numbers.

What persists on the RankShield Network is a set of keyed, nonce-bound commitments — never raw account numbers. Because the account reference is de-identified before it’s written and re-randomized on every payment, the ledger holds no PII to breach and nothing an observer can correlate. Verification, dispute resolution, and settlement reconciliation all work against commitments that only a keyholder can open. To be precise: these are salted commitments, a ZK primitive — not zk-SNARK proofs.

HMAC-keyed
account references de-identified under a secret pepper (preimage-resistant)
Nonce-bound
same account → different commitment every transaction (unlinkable)
HSM + M-of-N
keys never leave hardware; release needs a quorum
Salted, not zk-SNARK
a zero-knowledge primitive — we say so plainly
07 // Rotating the keys
Crypto-agility

What happens when a key or algorithm needs to rotate?

Both the signing keys and the signing algorithm can rotate without rewriting the data model, because RankShield is crypto-agile by design. The keys that sign each intent live in the HSM and can be rotated on a schedule or in response to an incident; because release already requires an M-of-N quorum, rotating one key of the set never interrupts the ability to authorize releases. The algorithm can move too: intents are signed with composite ML-DSA-65 under NIST FIPS 204 today, and the crypto-agile construction is built to rotate to a stronger scheme such as ML-DSA-87 or SLH-DSA as standards evolve. This matters for the pepper as well — a compromised or aging pepper can be rolled forward without exposing historical account numbers, because the raw references were never stored to begin with. The design assumption is that no single key, pepper, or algorithm is permanent; each is a component that can be replaced without breaking the tamper-evident record already sealed on the ledger. That is quantum-safe by construction, not quantum-proof: a cryptographically relevant quantum computer does not exist yet, but harvest-now-decrypt-later collection is a present risk this posture is built against.

Why harvest-now-decrypt-later drives the design
08 // Why partners care
What this means for you

Why does no-PII verification matter to a bank, fintech, or issuer?

It matters because it lets a partner join verifiable pre-settlement checks without handing a third party the customer data it would otherwise have to protect and account for. Every institution that shares account data with a vendor inherits that vendor’s breach risk, expands its own regulatory surface, and takes on a new set of data-processing obligations. RankShield removes that exchange: because account references are de-identified before they reach the ledger and only commitments are stored, a bank can participate in signed, pre-settlement verification while its customers’ account numbers never leave its control in a usable form. The verification still works — a keyholder can open commitments for dispute resolution or reconciliation — but the data an attacker or an errant subprocessor could misuse simply isn’t there. For a fintech adding a fraud control, or a stablecoin issuer proving how transfers were screened, that is the difference between buying a new liability and buying a control that reduces one.

How banks use verification without exposing member data
FAQ

Financial data protection — questions, answered.

What is financial data protection at RankShield Financial?
Financial data protection is how RankShield Financial verifies payments without collecting a store of account numbers an attacker would want. Instead of holding raw payment data, the platform de-identifies every account reference under a keyed transform and records a nonce-bound commitment. The ledger keeps commitments, not account numbers, so verification never builds a new honeypot of payment data privacy risk.
Does RankShield Financial store my customers’ account numbers?
No. The ledger stores commitments, not account numbers, so there is no PII sitting on it to breach. Each account reference is HMAC-keyed and de-identified under a secret pepper before anything is written, then bound to a per-transaction nonce. What persists is a value that is preimage-resistant — it can be checked and opened with the key, but the underlying account number is never recorded in the clear.
Are these zero-knowledge proofs?
No, and we will not claim they are. These are salted commitments — a zero-knowledge primitive — not full zk-SNARK proofs. The construction gives you unlinkability and preimage resistance: an observer cannot correlate payments or recover the account, yet the platform can open the commitment with the key. It is honest to call this a ZK building block, and dishonest to call it a zk-SNARK, so we call it what it is: keyed, nonce-bound commitments.
Can an observer link two payments from the same account?
No. Because each commitment is bound to a fresh per-transaction nonce, the same account produces a different value on every payment. To anyone reading the ledger, two transactions from one account are unlinkable — there is no shared identifier to correlate. Only a party holding the key can open the commitments and see they refer to the same account, which is exactly what verification and dispute resolution require.
What is an HMAC pepper, and why does it matter here?
A pepper is a single secret key, held apart from the data, that is mixed into the HMAC transform applied to every account reference. Unlike a salt — which is stored next to each record — the pepper is never written to the ledger, so an attacker who copies the entire ledger still cannot reproduce the transform or brute-force account numbers out of it. HMAC over the account reference under that secret pepper is preimage-resistant: the output can be recomputed and checked with the key, but the input account number cannot be recovered from what is stored. The pepper is what makes de-identification stand up even against someone who exfiltrates the whole dataset.
Where do the signing keys live?
Signing keys are held in a hardware security module (HSM) and never leave it in the clear. Releasing a payment is not a single-key operation either: it requires an M-of-N quorum, so no one key — and no one operator — can unilaterally authorize a release. This keeps the most sensitive material off application servers and out of any single point of compromise.
What does M-of-N release actually protect against?
M-of-N release protects against a single compromised key, a single rogue operator, and a single stolen server all at once. Instead of one signature authorizing a payment, several independent keys — the M of a larger set N — must agree before a release is valid. An attacker who steals one key, or an insider acting alone, cannot forge a release, because their signature is only one of the several the quorum requires. Combined with keys that never leave the HSM in the clear, it removes the single points of failure that make key theft catastrophic: compromising one component is no longer enough to move value.
How does this protect payment data privacy without a new honeypot?
A verification layer that hoarded account numbers would become the exact target attackers hunt for. RankShield avoids that by design: it verifies intent and identity, records commitments rather than raw data, keeps keys in an HSM, and gates releases behind an M-of-N quorum. The result is payment data privacy that comes from not holding the sensitive data in the first place — not from promising to guard a vault of it.
Does data protection weaken the compliance evidence RankShield produces?
No — it strengthens it. The verdict for every payment, its reasons, and the signed intent are sealed to a tamper-evident record, and that record references de-identified commitments rather than account numbers. So an examiner can independently verify that a specific intent was approved by a specific principal and released or held for a stated reason, without ever seeing a customer’s account data. You get demonstrable, per-payment evidence and privacy at the same time. To be precise about the primitive: these are salted commitments, a zero-knowledge building block, not zk-SNARK proofs, and RankShield produces evidence to support compliance rather than making you compliant.
Verify, then settle

See your payments verified before they settle.

RankShield Financial is rolling out with design partners on instant and tokenized rails. Request access and we’ll map it to your settlement flow.

Request accessHow it works