The PCI Security Standards Council recently released ‘The PCI DSS Tokenization Guidelines’. Section 4 of this document describes the idea of “high-value tokens”. I have seen comments in discussion groups and some blog posts, including one titled PCI Council’s High-Value Token Definition Disappointing, that indicate that maybe the Council could have done a better job of explaining this. Maybe this (greatly oversimplified) example will help.
You’re at a hotel for a conference and decide to leave your expensive leather coat at the hotel’s coat check. In exchange for your coat you are given a ticket that has no identifying marks on it, just a number. What if you were to drop this ticket a few blocks away from the event? If someone picks it up, it’s just a ticket with a number on it. It’s of no value to the person who found it. It’s a worthless token.
Now what if the hotel coat check gave you a ticket that clearly indicated that it was a hotel coat check ticket and included the date, time, hotel name, and address? This additional information provides the ticket holder with valuable insight into what the ticket could be worth. With very little effort, a walk of a few blocks, this ticket could possibly be exchanged for your expensive leather coat. This ticket is not a worthless token. It is a high-value token.
With tokenization solutions you can have the same two scenarios. If someone were to get their hands on a token and this token could not be reasonably presented to any system, process, or person that would exchange it for monetary or product value then it’s a worthless token.
On the other hand, if this token could be submitted directly into an application where it is accepted as a form of payment (since it’s tied directly to a real form of payment) then it is a high-value token.
The ideal tokenization design would give individuals access only to tokens of no value. Business processes usually require that a few individuals have access to high-value tokens, or even the ability to de-tokenize. If tokenization is implemented correctly, the organization can focus its security efforts on closely controlling and monitoring only the access to these high-value tokens and the de-tokenization process.
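To make the distinction concrete in code, here is an added example (constructed for this post; it is not code from the PCI Council, the Guidelines, or any tokenization vendor). It is a toy vault with a hypothetical `TokenVault` class that issues random tokens, restricts de-tokenization to a named role and records every attempt, plus a `PaymentService` whose acceptance rule is what decides whether the same token is worthless or high-value: if the endpoint honours a bare token from anyone who holds it, the token is the credential, exactly like the ticket that names the hotel; if the endpoint only honours the token when presented by the merchant it was issued to, a dropped token is just a random string. The role names, merchant ids and the test card number are all constructed.

```python
"""Toy tokenization vault: worthless vs high-value tokens (constructed example)."""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class AuditEvent:
    principal: str
    action: str
    token: str
    allowed: bool


class TokenVault:
    """Maps random tokens to PANs; only privileged roles may de-tokenize."""

    def __init__(self, detokenize_roles=frozenset({"settlement-batch"})):
        self._pans = {}      # token -> PAN (a real vault keeps this encrypted)
        self._owner = {}     # token -> merchant the token was issued to
        self._detokenize_roles = detokenize_roles   # the "few individuals"
        self.audit = []      # every de-tokenization attempt is recorded

    def tokenize(self, pan: str, merchant: str) -> str:
        # Random token: no PAN digits and no hint of which vault issued it,
        # so a token found on its own is like the unmarked coat-check ticket.
        token = "tok_" + secrets.token_hex(16)
        self._pans[token] = pan
        self._owner[token] = merchant
        return token

    def owner(self, token: str):
        return self._owner.get(token)

    def detokenize(self, token: str, principal: str, role: str) -> str:
        # This is the operation to control and monitor closely.
        allowed = role in self._detokenize_roles and token in self._pans
        self.audit.append(AuditEvent(principal, "detokenize", token, allowed))
        if not allowed:
            raise PermissionError(f"{principal} ({role}) may not de-tokenize")
        return self._pans[token]


class PaymentService:
    """A charge endpoint. Its acceptance rule decides the token's value."""

    def __init__(self, vault: TokenVault, accept_any_holder: bool):
        self.vault = vault
        self.accept_any_holder = accept_any_holder

    def charge(self, token: str, caller: str, amount: int) -> bool:
        owner = self.vault.owner(token)
        if owner is None or amount <= 0:
            return False
        if self.accept_any_holder:
            # Whoever holds the token can spend it: the token is the credential,
            # which makes it a high-value token.
            return True
        # The token is honoured only when presented by the merchant it was
        # issued to, so possession of the token alone buys nothing.
        return caller == owner


def token_value(token: str, services) -> str:
    """Classify a token by the post's definition: it is high-value if any
    system would exchange the bare token for value when an unrelated party
    presents it, and worthless otherwise."""
    for service in services:
        if service.charge(token, caller="anonymous-finder", amount=1):
            return "high-value"
    return "worthless"


if __name__ == "__main__":
    vault = TokenVault()
    tok = vault.tokenize("4111111111111111", merchant="hotel-pos")  # test PAN
    scoped = PaymentService(vault, accept_any_holder=False)
    open_endpoint = PaymentService(vault, accept_any_holder=True)
    print(tok, "->", token_value(tok, [scoped]))                 # worthless
    print(tok, "->", token_value(tok, [scoped, open_endpoint]))  # high-value
```

The useful reading of this toy is that the token string never changes between the two classifications; only the surrounding system does. Reviewing a tokenization deployment therefore means enumerating every endpoint that will accept a token and asking what it demands of the presenter, not just inspecting the token format.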