Since V 7.1 IBM i includes built-in functionality to encrypt field level data without having to make application changes. The feature is the FIELDPROC exit point. This feature can actually be used to insert and logic into field level read/write events, but it has been successfully adapted to encrypt (mask) sensitive data.
USE CASE
FIELDPROC Exit Point
Workflow for masking senstive data
The data will reside in your database in an encrypted state. Therefore, if the data is accessde via alternate (non application based) methods such as ODBC, the query data returned with show encrypted data. Likewise if there is a breach, the data will not be accessible.
Considerations:
IBM documentation:
https://www.ibm.com/docs/en/i/7.5?topic=considerations-field-procedures