Financial data protectionthat never becomes the target.Financial data protection at RankShield Financial means verifying payments without hoarding the data attackers want. Account references are keyed and de-identified, the ledger stores commitments — not account numbers — and signing keys stay in hardware. Verification with payment data privacy built in, not bolted on.
Every row is the same account — but every commitment differs, so payments can’t be correlated by anyone reading the ledger. The account number itself is never stored. Salted commitments, not zk-SNARKs.
How does RankShield verify payments without becoming a honeypot?
By never collecting the data a honeypot is made of. A verification layer that stored raw account numbers would become the single most valuable target on the network — the exact thing attackers hunt for. RankShield inverts that: it verifies the intent and identity behind a payment, then records a keyed, nonce-bound commitment instead of the account itself. There is no vault of account numbers to breach, because the sensitive value was de-identified before anything was written. Protection here comes from not holding the data, not from promising to guard a pile of it — the strongest privacy posture is the one that has nothing worth stealing. This is a deliberate design choice with a real trade: RankShield gives up the convenience of holding raw data in exchange for a system where a full ledger breach yields commitments an attacker cannot open or correlate.
What is keyed de-identification, and why is it unlinkable?
Every account reference is HMAC-keyed and de-identified under a secret pepper before it touches the ledger — a preimage-resistant transform, so the account number can’t be recovered from what’s stored. That de-identified value is then wrapped in a nonce-bound commitment: a fresh per-transaction nonce is mixed in, so the same account produces a different commitment on every payment. To an observer reading the ledger, two transactions from one account are unlinkable — there is no shared identifier to correlate them. Only a party holding the key can open the commitment. Honest framing: these are salted commitments, a zero-knowledge primitive — not full zk-SNARK proofs. We call it what it is. Try the demo: enter the same account twice and watch it produce two unrelated commitments, then confirm the key still opens both to the same underlying reference.
Every row is the same account — but every commitment differs, so payments can’t be correlated by anyone reading the ledger. The account number itself is never stored. Salted commitments, not zk-SNARKs.
What happens to an account reference before it reaches the ledger?
An account reference passes through three steps before anything is written, and the raw number survives none of them. First, de-identification: the reference is run through an HMAC transform keyed by a secret pepper held apart from the data, producing a preimage-resistant value from which the original account cannot be recovered. Second, nonce binding: a fresh per-transaction nonce is mixed in, so the committed value is different on every payment even for the same account — this is what makes the ledger unlinkable to an observer. Third, sealing: the resulting nonce-bound commitment, alongside the payment’s signed verdict, is written to the tamper-evident record. At no point is a raw account number persisted. When verification, dispute resolution, or settlement reconciliation later needs to confirm two transactions came from the same party, a keyholder opens the commitments; an outsider reading the same ledger sees only uncorrelated values.
1 · De-identify
The account reference is HMAC-keyed under a secret pepper held apart from the data — a preimage-resistant transform, so the number cannot be recovered from the output.
2 · Bind a nonce
A fresh per-transaction nonce is mixed in, so the same account produces a different commitment on every payment — unlinkable to anyone reading the ledger.
3 · Seal
The nonce-bound commitment and the signed verdict are written to the tamper-evident record. No raw account number is ever persisted.
Open with the key
Verification and dispute resolution open the commitment with the key to confirm two payments share an account. An outsider sees only uncorrelated values.
Where do signing keys live, and who can release a payment?
Signing keys live in a hardware security module (HSM) and never leave it in the clear, so the most sensitive material stays off application servers and out of reach of a server-side compromise. Releasing a payment is deliberately not a single-key act: it requires an M-of-N quorum, meaning several independent keys must agree before a release is authorized. No one key, and no one operator, can unilaterally push a payment through. That combination — hardware-held keys plus quorum release — removes the single points of failure that make key theft catastrophic, and it means an attacker who compromises one component still cannot forge a release on their own. The keys themselves sign with composite ML-DSA-65 under NIST FIPS 204, crypto-agile so the scheme can rotate, so the release authority is quantum-safe by construction as well as quorum-gated.
HSM-held keys
Signing keys are generated and used inside a hardware security module and never exposed in the clear to application servers.
M-of-N release
A payment release needs a quorum of independent keys to agree — no one key and no one operator can authorize a release alone.
Commitments, not PII
The ledger stores nonce-bound commitments rather than account numbers, so there is no store of PII to breach.
Unlinkable by design
The same account looks different on every transaction, so an observer can’t correlate a party’s payments across the ledger.
What is actually written to the ledger, and what never is?
What is written is the minimum needed to verify a payment and prove the decision later; what is never written is anything an attacker could turn into value. The table below draws the line precisely. Signed verdicts, nonce-bound commitments, and the reasons for a release, hold, or deny are recorded, because those are what make the decision independently verifiable. Raw account numbers, the secret pepper, and the HSM signing keys are never on the ledger, because holding them would rebuild the honeypot the whole design exists to avoid. The result is a record that an examiner or partner can verify without ever handling a customer’s account data.
Commitments and verdicts persist; account numbers, the pepper, and signing keys never touch the ledger.
The ledger stores commitments, not account numbers.
What persists on the RankShield Network is a set of keyed, nonce-bound commitments — never raw account numbers. Because the account reference is de-identified before it’s written and re-randomized on every payment, the ledger holds no PII to breach and nothing an observer can correlate. Verification, dispute resolution, and settlement reconciliation all work against commitments that only a keyholder can open. To be precise: these are salted commitments, a ZK primitive — not zk-SNARK proofs.
What happens when a key or algorithm needs to rotate?
Both the signing keys and the signing algorithm can rotate without rewriting the data model, because RankShield is crypto-agile by design. The keys that sign each intent live in the HSM and can be rotated on a schedule or in response to an incident; because release already requires an M-of-N quorum, rotating one key of the set never interrupts the ability to authorize releases. The algorithm can move too: intents are signed with composite ML-DSA-65 under NIST FIPS 204 today, and the crypto-agile construction is built to rotate to a stronger scheme such as ML-DSA-87 or SLH-DSA as standards evolve. This matters for the pepper as well — a compromised or aging pepper can be rolled forward without exposing historical account numbers, because the raw references were never stored to begin with. The design assumption is that no single key, pepper, or algorithm is permanent; each is a component that can be replaced without breaking the tamper-evident record already sealed on the ledger. That is quantum-safe by construction, not quantum-proof: a cryptographically relevant quantum computer does not exist yet, but harvest-now-decrypt-later collection is a present risk this posture is built against.
Why does no-PII verification matter to a bank, fintech, or issuer?
It matters because it lets a partner join verifiable pre-settlement checks without handing a third party the customer data it would otherwise have to protect and account for. Every institution that shares account data with a vendor inherits that vendor’s breach risk, expands its own regulatory surface, and takes on a new set of data-processing obligations. RankShield removes that exchange: because account references are de-identified before they reach the ledger and only commitments are stored, a bank can participate in signed, pre-settlement verification while its customers’ account numbers never leave its control in a usable form. The verification still works — a keyholder can open commitments for dispute resolution or reconciliation — but the data an attacker or an errant subprocessor could misuse simply isn’t there. For a fintech adding a fraud control, or a stablecoin issuer proving how transfers were screened, that is the difference between buying a new liability and buying a control that reduces one.
Financial data protection — questions, answered.
What is financial data protection at RankShield Financial?
Does RankShield Financial store my customers’ account numbers?
Are these zero-knowledge proofs?
Can an observer link two payments from the same account?
What is an HMAC pepper, and why does it matter here?
Where do the signing keys live?
What does M-of-N release actually protect against?
How does this protect payment data privacy without a new honeypot?
Does data protection weaken the compliance evidence RankShield produces?
See your payments verified before they settle.
RankShield Financial is rolling out with design partners on instant and tokenized rails. Request access and we’ll map it to your settlement flow.