Encrypted Data Search Limitations in PassKit

Exploring the Trade-offs Between Data Security and Search Flexibility in PassKit

Written by Paul Tomes
Updated yesterday

Overview

PassKit is a powerful platform for managing digital passes, such as loyalty cards, tickets, and coupons. To ensure the security and privacy of sensitive data, PassKit encrypts certain types of information, such as Personally Identifiable Information (PII). This encryption is crucial for protecting user data, but it also introduces some limitations when it comes to searching and filtering this data.


Why Encrypted Data Can Only Be Searched Using Exact Matches

1. Encryption and Data Security

Encryption Basics

Encryption transforms readable data (plaintext) into an unreadable format (ciphertext) using an algorithm and an encryption key. This process ensures that even if unauthorized parties gain access to the data, they cannot interpret it without the decryption key.

PII Protection

Fields containing PII, such as names, dates of birth, and other sensitive information, are encrypted to protect user privacy and comply with data protection regulations like GDPR and CCPA.

2. Searching Encrypted Data

Exact Match Requirement

When data is encrypted, the original values are not directly accessible. To search encrypted data, the system must compare the encrypted version of the search query with the encrypted data stored in the database. This comparison works because the encryption process is deterministic, meaning the same input will always produce the same encrypted output. It can only be done on an exact-match basis: two ciphertexts are either identical or they are not, and nothing else about the original values can be compared.

Limitations on Complex Queries

Operations like "greater than," "less than," or wildcard searches (e.g., "name includes 'Percy'") require the system to understand the underlying data's structure and content. Since encrypted data is not readable, these types of queries cannot be performed directly on the encrypted data.

3. Practical Implications

Date of Birth Searches

You cannot filter records based on date ranges (e.g., "greater than" or "less than" a specific date) because the encrypted date values do not retain their original order or meaning.

Wildcard Searches

Wildcard searches (e.g., "name includes 'Percy'") are not possible because the encryption process does not preserve the partial content or structure of the original data.


Workarounds and Best Practices

1. Exact Match Searches

Precise Queries

When searching for encrypted data, ensure that your search queries are exact. For example, if you are looking for a specific date of birth, you must provide the exact date in the correct format.

Indexing

Consider maintaining an indexed list of exact values that you frequently search for. This can help streamline the search process and reduce the need for complex queries.

2. Data Design Considerations

Segmentation

If possible, segment your data so that only the most sensitive information is encrypted. Less sensitive data can be stored in plaintext, allowing for more flexible search and filtering options.

Metadata

Use metadata or additional fields to store non-sensitive information that can be used for filtering. For example, you could store a non-encrypted age range or a partial name in a separate field to facilitate broader searches.
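The exact-match behaviour and the metadata workaround described above, as an added example that is not PassKit's code. HMAC-SHA256 stands in for the deterministic encryption (the article does not name PassKit's scheme), and the key, record layout, `birth_decade` field and sample records are all constructed for illustration.

```python
import hashlib
import hmac
from datetime import date

# Constructed demo key (assumption); a real system keeps this in a KMS or HSM.
INDEX_KEY = b"constructed-demo-key-not-for-production"

def token(value: str) -> str:
    """Deterministic keyed token: the same input and key always give the same output."""
    return hmac.new(INDEX_KEY, value.encode("utf-8"), hashlib.sha256).hexdigest()

def make_record(name: str, dob: date) -> dict:
    """Store PII only as tokens, plus one coarse plaintext field for filtering."""
    return {
        "name_tok": token(name),
        "dob_tok": token(dob.isoformat()),      # canonical format: YYYY-MM-DD
        "birth_decade": dob.year // 10 * 10,    # plaintext metadata, reveals the decade only
    }

# Constructed sample records (hypothetical people and dates).
RECORDS = [
    make_record("Percy Jackson", date(1993, 8, 18)),
    make_record("Ada Lovelace", date(1985, 12, 10)),
    make_record("Alan Turing", date(1972, 6, 23)),
]

def find_exact(field: str, value: str) -> list:
    """Exact match: tokenise the query the same way and compare for equality."""
    q = token(value)
    return [i for i, r in enumerate(RECORDS) if hmac.compare_digest(r[field], q)]

def find_by_decade(lo: int, hi: int) -> list:
    """Range filter answered from the plaintext bucket, never from the tokens."""
    return [i for i, r in enumerate(RECORDS) if lo <= r["birth_decade"] <= hi]

if __name__ == "__main__":
    print(find_exact("dob_tok", "1993-08-18"))   # exact value, correct format
    print(find_exact("dob_tok", "18/08/1993"))   # same date, different format
    print(find_exact("name_tok", "Percy"))       # partial name
    print(find_by_decade(1980, 1999))            # range via metadata field
```

The plaintext bucket is itself unprotected, so keep it coarse enough that it does not identify an individual on its own.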

3. Advanced Techniques

Tokenization

In some cases, tokenization can be used to replace sensitive data with non-sensitive equivalents (tokens) that can be searched more flexibly. However, this approach requires careful implementation to maintain security.

Client-Side Decryption

For advanced use cases, consider decrypting data on the client side after it has been retrieved from the server. This allows for more complex queries but requires robust security measures to protect the decryption keys and process.


Conclusion

Encrypting sensitive data like PII is essential for protecting user privacy and complying with data protection regulations. However, this encryption comes with the trade-off of limited search and filtering capabilities. By understanding these limitations and implementing best practices, you can effectively manage and search encrypted data in PassKit while maintaining the highest levels of security.

If you have further questions or need assistance, please reach out to PassKit support for more detailed guidance.
