Ernst & Young estimates that, globally, more than 358 billion U.S. dollars are spent, on average, in the gaming industry each year. That means hundreds of thousands of debit and credit card payment transactions are processed every day by gaming and gambling companies around the world.
Today’s modern gaming industry offers customers a whole range of gaming and gambling options, from traditional brick-and-mortar sites to online gaming and casinos, to the very latest in-play betting using mobile commerce. The gaming industry is at the cutting edge of payment technology. But with this comes the increasing threat of becoming a target of the organized criminal gangs that seek to obtain cardholder and transaction information for fraudulent use.
Making sure this customer data is kept secure is paramount, because data breaches and the corresponding fees, fines and legal costs are enough to give any organization a run for its money, literally.
Online casinos can take a lesson from Sony’s massive data breach earlier this year. Despite the millions Sony spends on its platform and website, it was hacked, confidential data was stolen, and gaming was suspended for close to a month, causing significant damage to the company’s reputation. It also knocked its entire playing platform offline for an extended period of time.
With billions of dollars flowing through casinos and online gaming systems, bad guys are constantly scheming to figure out how to steal even a portion of these funds. But the days of “holding up” a casino have passed … or have they? Increasingly, criminals are leaving the guns and weapons of the past for new 21st century weapons: high-tech hacking and computer exploits used in an attempt to steal funds or cardholder data from lucrative businesses. Today, cybercrime is a global enterprise affecting everyone from Singapore to Toronto. A whole global underground economy is built around the ill-gotten gains of international criminals.
While the gaming industry has significant security experience and is on the cutting edge of the payments industry, casinos are still very attractive to today’s determined cyberthieves.
So, what do gaming organizations need to know when it comes to protecting this information, and how can they increase the security of payment data across the industry? Well, first, it may help to know that there is a global body that is dedicated to protecting card data throughout the transaction process. The PCI Security Standards Council was established in 2006 to protect cardholder data throughout the transaction life cycle, whether the data is stored, processed or transmitted.
The council does this by working with organizations from across all industries to create security requirements and best practices to help secure card payment data. The council is made up of more than 600 organizations from every conceivable industry sector globally. This group of participating organizations is extremely valuable to the council’s mission to secure payment card data around the world. It is through the input and feedback of these organizations that we develop the security standards we manage.
• The PCI Data Security Standard (PCI DSS) provides an actionable framework for developing a robust payment card data security process, including prevention, detection and appropriate reaction to security incidents.
• The PIN Transaction Security (PTS) requirements contain a single set of requirements for all personal identification number (PIN) terminals, including POS devices, encrypting PIN pads and unattended payment terminals.
• The Payment Application Data Security Standard (PA-DSS) helps software vendors create and develop secure payment applications.
These standards provide the baseline framework for securing payment environments globally.
In addition, we also rely heavily on our participating organizations for their assistance on our special interest groups (SIGs) that look into areas of interest that may require additional guidance, clarity or scrutiny. In the last year, our SIGs have helped create guidance on the security ramifications of virtualization, point-to-point-encryption and tokenization.
In the coming year, our SIGs will also be looking at new areas, ones that we believe the valued expertise of the gaming industry can significantly help the global payments world better understand. Cloud computing, e-commerce security and risk assessment are all areas where the gaming sector is quite strong.
Another challenge we recognize everyone is facing is that of securing mobile commerce, and the council has established a task force to investigate and provide guidance on the subject. As a wide community incorporating merchants, vendors, assessors and the credit card brands, we have access to a significant pool of expertise to help work on this issue. But we’d welcome the input and experience of the gaming industry, too.
Gaming has led the way in many of the best practices associated with these topic areas, among many others. Gaming sites tend to be the most hardened to external attack, and risk assessment has been built into the business process of gaming since its formalized inception. It’s that sort of expertise and security knowledge that it is the council’s mission to share with the rest of the payments and security community.
The gaming industry has been at the forefront of many security initiatives. We are now asking you to share your expertise with us and, in return, to gain the expertise and knowledge of other sectors and industries and understand their best practices. We are attempting to provide a win-win for all those involved. And by doing so, we are creating a much safer, more secure payment chain globally.
We’d like to open the doors for ongoing participation with your industry. Quite frankly, in today’s high-stakes game of cybercrime, your expertise is needed by others, and you need additional information from other key stakeholders.
By sharing your expertise and benefiting from that of your peers, collectively we can increase payment card security, starting first with our own businesses and then across the payments chain. Together we can reduce risk, minimize potential for cybercrime, and reduce the number of debilitating data breaches that come at great cost to brands, their reputation, their shareholders and their customers.
Protecting this data is a shared responsibility that requires all of us to work together. We’d like to work with you to help make tomorrow’s landscape much more secure.
For more information on the PCI Security Standards Council, visit www.pcisecuritystandards.org. There you can get more information about the council, find valuable resources to help secure your organization, and learn more about how you can participate in creating the next iteration of the PCI Security Standards.
Jeremy King, European Director for the PCI Security Standards Council, leads the council’s efforts in increasing adoption and awareness of the PCI Security Standards in the European region. He also serves as a resource for Approved Scanning Vendors, Qualified Security Assessors and related staff in supporting the regional training, certification and testing programs. King recently served as Vice President for the Payment System Integrity Group at MasterCard Worldwide.

Comments
Unfortunately, from what I've been reading, PCI standards are not enough in this day and age to prevent identity theft. In fact, because of that huge breach last week with a major credit card processor, it seems many authorities in the subject are calling PCI compliance standards into question: http://www.creditcardprocessing.net/update-global-payments-loses-pci-com...
As gaming starts integrating mobile payments, it should really take charge and revolutionize how one can transfer digital money over to bets in the safest and fastest way.