IN-DEPTH 27 February 2017
Advanced guard: The importance of data security
The target-rich gaming industry needs to think seriously about data security in order to avoid bad publicity and lost revenue, says CardConnect Payments Executive Vice President Scott Dowty
By Gambling Insider

We see it in the news almost every day: Despite being PCI (Payment Card Industry) compliant, a company or a government agency has been breached, putting millions of financial records and personal data into the hands of hackers and ultimately, on the black market. The gaming industry is a high profile, payment transaction-rich environment living on borrowed time. With last October’s adoption of EMV (Europay, MasterCard and Visa) and its credit and debit chip cards in the USA, card-not-present (e-commerce/online) fraud will likely increase dramatically over the next three years, as evidenced in European countries, following wide EMV adoption.

When it happens in the gaming industry, and according to experts it will, who will pay for it? Lisa Monaco, US Homeland Security advisor to President Obama, stated, "There are two types of merchants in this arena; those that have been hacked and those that will be hacked." There may be one more type: those that have been hacked but are not yet aware of it. Bad publicity and a loss of consumer trust come standard with a large data breach, but there is also the financial impact, which could amount to thousands or millions of dollars lost.

Many customer service centres were in operation long before PCI standards were established, and there are myriad contractual structures determining where liability might lie. In some instances, the entire operation is outsourced to a service provider; in others, the organisation performs all services itself. Several variations of these two scenarios exist, for example where a casino outsources a portion while using a software application from a large systems integrator. It is worth considering whether all of the existing contracts reflect today's environment and its associated risk.

Experts agree, however, that payment security is being challenged in the gaming industry.

FIVE CRITICAL LEVELS OF SECURITY

The surest way to protect sensitive data, such as customer credit cards, personally identifiable information and player data is to remove as much of the sensitive information from the merchant’s environment as possible, often referred to as taking the merchant out of PCI scope. If the information does not touch the merchant’s system, there is no valuable data to steal. There is also the opportunity to avoid the costs associated with becoming PCI compliant and maintaining compliance, as well as avoiding risk to the merchant’s brand and eliminating financial penalties.

The steps to achieve an out-of-scope environment are as follows:

PHYSICAL DEVICE SECURITY FOR CARD-PRESENT

In many breaches, systems are compromised by malware installed on point-of-sale (POS) systems. Criminals use skimming devices to grab credit card information, even wirelessly via Bluetooth. PCI 3.0 has stricter standards for maintenance, including documenting all devices and their unique identifiers and inspecting those devices regularly.

SECURITY FOR CARD-NOT-PRESENT (ONLINE AND CSC TRANSACTIONS)

With the rise in fraud, the PCI Council, which is the self-governing arm of the Payment Card Industry, adopted additional security measures. One such measure is the creation of the PCI's Point-to-Point Encryption (P2PE) certification. A P2PE solution secures sensitive data from the point of interaction all the way to the completion of a transaction, and is one of the safest options for protecting payment data.

TERMINAL TO GATEWAY TRANSMISSION

As sensitive data moves from the terminal or network into the gateway, there are instances when data is unencrypted; for example, when card data leaves the merchant network. While the move to EMV cards will mask this data with computer chips, the only way for a business to truly protect itself is to encrypt data at the point of interaction (POI).

GATEWAY TO BANK TRANSMISSION

PCI standards require payment gateways to transmit data only to a select list of certified processors' IP addresses. At this point, data leaves the merchant's system and carries inherent vulnerability because it must be unencrypted before reaching the bank or processor. Payment gateways must halt data transmission to any IP address outside of that list.
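The allowlist rule above is a default-deny egress control: a gateway forwards a transaction only when the destination address falls inside a certified processor's range and blocks everything else. The following Python is an added illustration, not code from the article or from CardConnect; the allowlist networks are documentation ranges used as placeholders, and the egress log format is constructed for the example.

```python
import ipaddress
import re

# Constructed allowlist of certified-processor networks. These are RFC 5737
# documentation ranges standing in for real processor endpoints.
PROCESSOR_ALLOWLIST = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.10/32"),
]

# Constructed sample of gateway egress events (hypothetical log format).
SAMPLE_EGRESS_LOG = """\
2017-02-27T10:00:01Z txn=1001 dst=198.51.100.25 port=443
2017-02-27T10:00:02Z txn=1002 dst=203.0.113.10 port=443
2017-02-27T10:00:03Z txn=1003 dst=192.0.2.77 port=443
2017-02-27T10:00:04Z txn=1004 dst=203.0.113.11 port=443
2017-02-27T10:00:05Z txn=1005 dst=processor.example port=443
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) txn=(?P<txn>\d+) dst=(?P<dst>\S+) port=(?P<port>\d+)$")


def destination_allowed(dst, allowlist=PROCESSOR_ALLOWLIST):
    """True only if dst is an IP address inside one of the allowlisted networks.
    Anything that does not parse as an address (a hostname, garbage) is denied,
    so a DNS-based detour cannot slip past the check."""
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        return False
    return any(addr in net for net in allowlist)


def filter_egress(log_text, allowlist=PROCESSOR_ALLOWLIST):
    """Split egress events into (forwarded, blocked) transaction ids, default-deny."""
    forwarded, blocked = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: nothing to forward
        target = forwarded if destination_allowed(m["dst"], allowlist) else blocked
        target.append(m["txn"])
    return forwarded, blocked


if __name__ == "__main__":
    ok, denied = filter_egress(SAMPLE_EGRESS_LOG)
    print("forwarded:", ok)
    print("blocked (alert):", denied)
```

Note that 203.0.113.11 is blocked even though it is one address away from an allowlisted host: a /32 entry means exactly one address, which is the behaviour a processor allowlist should have.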

STRICT NETWORK MONITORING / VULNERABILITY MANAGEMENT PROGRAM

PCI DSS (the Payment Card Industry Data Security Standard) requires merchants to regularly track and monitor access to network resources and cardholder data, and to regularly test security systems and processes. Without proper follow-through, a data breach is likely. PCI 3.0 includes a new section that provides guidance for building security measures into 'business as usual' activities to maintain compliance.

ACHIEVING PAYMENT SECURITY

A true P2PE solution, certified by the PCI Council, encrypts card data at the point of entry so the merchant cannot decrypt it. The data stays encrypted until it reaches a hosted environment. Merchants benefit tremendously from P2PE solutions; most notably, PCI-certified P2PE solutions reduce PCI requirements.

CONSEQUENCES OF A DATA BREACH

The effects of a security data breach are far-reaching and can have substantial negative impacts on a company or organisation.

There is a difference between P2PE and end-to-end encryption (E2E). E2E solutions do not provide the same PCI compliance benefits, nor have they been subjected to the PCI's rigorous certification process. Only those solutions listed as P2PE on the PCI Council's website are true P2PE.

The purpose and goal of the EMV standard is interoperability between EMV cards (also known as chip cards) and EMV-enabled payment terminals throughout the world. There are two major benefits associated with chip-based credit card payment systems: improved security (with associated fraud reduction) and more control over offline credit card transaction approvals.

It is significantly more difficult and expensive to replicate EMV cards than magnetic stripe cards. As of October 2015, a merchant using a terminal without EMV capability is liable for any fraudulent transactions if the victimised customer uses a chip card. While this is a major step forward in the quest to control breaches, EMV alone is not enough to keep data safe; in fact, it does not protect card-not-present transactions at all. The ideal solution is a combination of tokenisation, P2PE and EMV.

Tokenisation has reduced the scope of PCI DSS requirements for many organisations, especially online (e-commerce) environments, by sanitising sensitive data in the end-user's browser before the payment is submitted. When a customer enters a card number, it is sent to a securely hosted vault and a token is delivered to the customer's computer. By tokenising the card number on the checkout page, before the card number ever enters the merchant's web environment, the entire website is removed from PCI scope. There are two methods of using this type of tokenisation technology: the tokeniser can be embedded into specific fields on a website using an iFrame, or the payment page can be fully hosted by a third party (called a hosted payment page). There are configurations available to keep a hosted payment page consistent with the organisation's website and branding, or you can choose to pre-populate the fields if the customer information is already on file.

A Ponemon Institute study shows that the business impact of a data breach is detrimental in many ways, starting with the up-front cost of notifying each affected person. Notification, the investigation, the controls that must then be put in place, and litigation may together amount to US$217 per compromised record. It's simple math: one million records breached (representing a medium-sized gaming entity) equals US$217M in costs. The long-term effects include damage to the brand and loss of trust, loss of customers and negative political implications.
IN-DEPTH 11 October 2019
Landing on a monopoly

Matthew Enderby asks who benefits from a monopoly-driven gambling market and if there is any point in maintaining one.

It can appear anti-capitalist, like the government wants total control. Players are ushered to a single, often state-run operator, and only one supplier is contracted to provide the platform, making the gambling market seemingly easier to manage. But does that hold true? When monopolistic gambling markets are enforced, who is the winner? Do the players benefit from what is meant to be a safer environment? Will the public perception of gambling be more positive than in an open market?

To answer these results-based questions, the motivations behind a monopoly-driven market need to be looked at first. The initial question is always: Why? A few quick answers spring to mind. It might be testing out gambling and observing how its country responds once the option to have a bet is made legal and available. With only one operator in place, player protection seems like a reasonable motivator.

It would be easier to keep track of addiction and factors leading to problem gambling as all the data, theoretically, could be accessed in one location. The main motivator however, is revenue. With the market dominated by a single legal operator, all of the country’s gambling revenue will flow through it and to the government. But for this to be effective, there cannot be any offshore operators present.

The Swedish gambling market was opened up at the start of the year, and private companies were free to apply for a licence. The reasoning for this, according to state-run operator Svenska Spel, was to achieve fair market conditions and bring order. Life before the update in legislation was not entirely different to what it is today. Despite the market being closed to private companies, Patrik Hofbauer, CEO of Svenska Spel, says the previous market was only a monopoly on paper.

He tells Gambling Insider: “Around 90% to 95% of the companies now operating with licenses in the Swedish market have been here for more than 10 years, so we are already used to competition.”

Offshore operators were present in Sweden for more than 10 years. They did not pay tax and found ways to navigate around the law. Up until the start of the year, there were three legal operators: Svenska Spel handled betting, ATG specialised in horseracing, and Postkodlotteriet managed the lotteries.

A MediaVision study from October showed 60% of Swedes aged between 18 and 74 had a registered account at the end of June 2018; a 12% rise year-on-year. Roughly 58% of these accounts were with one of the three state-run operators.

On the surface, this seems like a success story for the monopolistic market, but where are the rest of them registered? Nearly half of Sweden’s gamblers, 42%, were registered with international operators. These companies held no Swedish license or authority to offer a service in the country.

What’s worse, where the monopoly is concerned, is 60% of all new accounts registered within the 12 months leading up to 30 June were with these businesses. With so many players setting up with unregistered companies, the idea of a monopoly making gambling safer, with upheld regulation, is incorrect.

Now the market has gone through its changes and levelled out, Hofbauer finds order is in place and player protection has improved. He says: “We now have a level playing field for gambling operators, increased revenues for the state, and clear rules to protect customers against excessive gambling thanks to stronger and better consumer protection. It has ultimately benefitted the Swedish customers, which is the biggest win.”

The move away from a monopolistic approach has not exactly produced a goldmine for other operators, and certainly not for Svenska Spel. A look at its first quarter results shows a 6% year-on-year decline in revenue to SEK 2.05bn ($197.4m). Its land-based operations, Casino Cosmopol & Vegas, fell 17% to SEK 416m, while lottery dropped 6% to SEK 1.1bn. It reported SEK 544m in revenue from sport and casino, a 4% increase. Operating profit for the quarter decreased 55% to SEK 519m. Svenska Spel paid SEK 401m in gaming taxes for the quarter.

While it won’t be impressed with revenue for Q1, the operator stressed one of the biggest challenges in the transition was launching three new products. Hofbauer says: “Business wise, it is positive that we now can offer our customers products like online casino and horseracing, and also offer more competitive pricing."

Improved pricing is another reason Swedish customers will be happy with the change in legislation. So who exactly has been benefitting in the monopolistic structure besides state operators making easy tax revenue? Suppliers might have the most to gain from a monopolistic market. Being selected by the government to provide technology solutions for its online or land-based operations signifies trust. Suppliers will have to earn that trust by proving their platforms can generate the most revenue for the government’s operator.

The appeal behind branding in this case is also undeniable and the opportunity for a supplier to be the leading face is not one to be missed. Building brand recognition in a country where you are the only brand is obviously much easier. The competition exists, but only through unlicensed companies that will not want to attract further attention to their operations in that specific location.

In April, Kambi extended its contract with Bulgaria’s National Lottery JSC, parent company of the Moldovan National Lottery, to supply online and retail sportsbook. The operator is expected to enter Moldova in the summer, where a monopoly is in place.

Kambi CCO Max Meltzer spoke exclusively to Gambling Insider after the deal and said: “From a technological standpoint and user experience, it will be like going into an ATG shop in Sweden right now. We are really excited to say this is not a monopolistic situation where players will get a bad experience from a bad solution."

The sports betting supplier was keen to emphasise that players in this monopoly would not be neglected as a result of the structure set out by the government and it would supply the same level of technology as it would to any market across the world. Only time will tell if Moldova’s bettors do receive this standard of solutions. But what we do know is, with a lack of legal competition for market share, the Moldovan National Lottery will not be pushing its supplier as much as it would have in an open market, to develop niche solutions.

The evidence is stacked against monopolies and it is clear governments still using them are doing so in a misguided attempt to stay in total control and generate state revenue. The irony is the complete opposite is true. More state tax is made in the open market and players are being protected better when operators are acting under approved licenses. Drop the monopoly, it’s good for nobody.
