Fine, usually you can ask your client for dummy data to provide which is usually termed as test data to test your application. Since the test is pertaining to sensitive info you can very well ask for dummys. Go with it.
Generally, I have access to fresh database schema for a client install. From there, it's leveraging the application API to generate entries in the database with fake/generated Names/SSN/CC#'s, etc.
If the application API is not available or the environment is not conducive to automated generation, only then would I consider asking the client to go through the procedure of obfuscating their database. This is only after I have considered it 'too complex' to generate the data via SQL. To me, this is a last resort. I think that would give the customer the wrong impression, don't you?