You’re well on your way to becoming a payments pro. In 2016, we kicked off this three-part series with “Payments 101,” equipping you with the fundamentals of the modern payments landscape. You learned all about building a successful payments program, accepting cards, and critical terms to know and truly understand, like “interchange fees” and “chargebacks.” If you happened to miss Payments 101, you’ll find it in the Fall 2016 article archive on gamingandleisuremagazine.com.
Now, it’s time to take your knowledge to the next level and dive deep into a subject that impacts every single business in the gaming space – security.
The gaming industry is on the cutting edge of payment technology. Globally, nearly $400 billion is spent annually on gaming. This equates to thousands of debit and credit card transactions being processed every day by the diverse entities comprising our nook of the global economy.
Today’s gaming industry offers customers a range of wagering options, from traditional brick-and-mortar to the latest casino games online or on mobile devices. Amid the growth of platforms, gaming is increasingly becoming a target for criminals looking to obtain cardholder and transaction information.
Gaming isn’t the only industry being targeted by hackers. High-profile retail companies, banks, and even electronics manufacturers have been recent victims. Despite the millions of dollars companies spend on protecting their online assets, they have been hacked and confidential data has been stolen, causing significant damage to companies’ reputations.
No business is immune and security should be a No. 1 priority.
Making sure customer data is safeguarded is critical to any casino’s longevity. Data breaches and resulting fees, fines and legal costs are enough to adversely impact, and potentially devastate, any organization’s bottom line and its brand reputation.
With billions of dollars flowing through casinos, hackers are constantly testing firewalls to figure out how to steal even a small portion of the money. The days of a gambler trying to make off with thousands in chips from a roulette table have passed. Increasingly, criminals are choosing high-tech weapons – hacking and breaching data – in an attempt to steal money and private cardholder information from casinos.
Today, cybercrime is a burden impacting every casino boss from Las Vegas to Macau. A significant global underground economy is being built on the ill-gotten gains of cyber-attacks. While the gaming industry has significant physical security experience, and casinos use the latest in camera technology, that hasn’t stopped determined stealthy cyber thieves from successfully stealing what cameras can’t track down.
So, what key items do you need to know when it comes to protecting consumer data and how can you increase the security of payment data across the industry?
Protecting Data at First Swipe with Point-to-Point Encryption
There is a global organization dedicated to protecting card data throughout the transaction process. The PCI Security Standards Council was founded in 2006 with the goal of protecting cardholder data throughout the transaction life cycle, whether the data is stored, processed or transmitted, by setting standards and recommendations within the payments industry.
Protecting sensitive payment data begins at the very first swipe. Gaming operators have taken a big step toward reducing the chances of a successful cyber-attack by implementing point-to-point encryption – a data security product that encrypts customers’ card data at the swipe of a card and transmits the encrypted data through the merchant’s payment system to processors for decryption and authorization.
Point-to-point encryption protects gaming entities by rendering sensitive payment card numbers or personal information useless if breached during a sale and en route to the processors.
Protecting Data That Is Stored With Tokenization
As the popularity of player’s clubs and rewards programs has grown, so has gaming control boards’ interest in the storage of consumer data. For example, in Nevada, the Nevada Gaming Control Board has investigated numerous incidents in which local casino databases have been compromised and the potential for identity theft has existed. Consequently, the control board regularly emphasizes to casinos the need for ongoing review of their policies protecting customer data against cyber threats.
Gaming properties need to retain guests’ credit card information for a much longer duration than merchants in the retail or restaurant industries. At the same time, casinos face the daunting challenge of protecting that data. Casinos’ data security can also include tokenization — a term used for a product that replaces sensitive card data with a surrogate number for storage or payments transaction processing. The system replaces guests’ credit card numbers with unique “tokens” which can be used for payment transactions, customer analytics, rewards management and marketing. Tokenization works by assigning unique tokens for each credit card, and those tokens can only be used by the assigned merchant.
Tokenization, when applied to data security, is the process of substituting a sensitive data element with a non-sensitive equivalent that has no extrinsic or exploitable value. The process also protects casinos by eliminating sensitive credit card data from their ecosystem. If their systems are hacked then there will be no loss of sensitive data.
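The merchant-scoped substitution described above can be sketched in a few lines of Python. This is an added illustration, not code from the authors or any payment processor: the TokenVault class, the enroll_guest helper, the merchant IDs and the test card number are all hypothetical, and a production vault would also encrypt and access-control the stored card numbers.

```python
import secrets


class TokenVault:
    """Toy token vault operated by the processor, outside the casino's systems."""

    def __init__(self):
        self._token_for = {}   # (merchant_id, pan) -> token
        self._record_for = {}  # token -> (merchant_id, pan)

    def tokenize(self, merchant_id, pan):
        """Return this merchant's token for the card, minting one on first use."""
        key = (merchant_id, pan)
        if key not in self._token_for:
            # The token is random, so it cannot be reversed into the card number.
            token = "tok_" + secrets.token_hex(12)
            while token in self._record_for:  # regenerate on the rare collision
                token = "tok_" + secrets.token_hex(12)
            self._token_for[key] = token
            self._record_for[token] = key
        return self._token_for[key]

    def detokenize(self, merchant_id, token):
        """Recover the card number, but only for the merchant the token was issued to."""
        owner, pan = self._record_for.get(token, (None, None))
        if owner is None or owner != merchant_id:
            raise PermissionError("token is not valid for this merchant")
        return pan


def enroll_guest(vault, merchant_id, guest, pan, database):
    """Casino-side enrollment: only the token is written to the rewards database."""
    database[guest] = {"card_token": vault.tokenize(merchant_id, pan)}
    return database[guest]["card_token"]


if __name__ == "__main__":
    vault = TokenVault()
    rewards_db = {}
    test_pan = "4111111111111111"  # constructed test number, not a real card
    token = enroll_guest(vault, "casino-a", "guest-1001", test_pan, rewards_db)
    print(rewards_db)  # everything a breach of the casino database would expose
    print(vault.detokenize("casino-a", token))
    try:
        vault.detokenize("casino-b", token)
    except PermissionError as exc:
        print("casino-b:", exc)
```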
EMV Has Arrived
By now, you’ve surely heard of (or experienced firsthand) EMV chip cards and the U.S. adoption of this payments technology. EMV (Europay, MasterCard, Visa) is a set of specifications for smart card payment and acceptance devices. EMV technology was adopted in Europe several years ago, but the U.S. has only ramped up adoption since 2015.
Accepting a new payment format means upgrading your systems. The major benefit of EMV technology is the reduction in card-present fraud that results from criminals using counterfeit, lost or stolen cards. It’s important to understand, however, that EMV also means a liability shift for certain types of fraudulent transactions from banks to merchants. If a merchant doesn’t have EMV-enabled equipment and systems in place and such a transaction hits the business, the merchant will probably be liable.
As we adopt EMV, a lot of the brick-and-mortar fraudsters will eventually go back to their homelands, but it will not be enough to offset the rise of e-Commerce targeting U.S. businesses.
Merchants must look at the tools at their disposal to identify and mitigate fraud before it happens. One option is technology called 3-D Secure. Introduced in the U.S. in 2004, it had an initial popularity with merchants and then that popularity fell off dramatically. The problem with the old version is that cardholders had to separately register their card and create a password. And, every time they checked out, they needed to plug in that password.
The new version of 3-D Secure eliminates cardholder enrollment and the need for another password among the many we already have. The card issuing community is making its move over to the newer version of 3-D Secure. And as issuers do that, the merchant community will adopt that technology as a way to mitigate loss on their side as well.
Another option is a transaction monitoring system in the e-Commerce area. Merchants will simply need to do a better job of knowing their customers and their customers’ buying behaviors. By knowing customer habits, it’s that much easier to approve or decline a transaction.
Tying It All Together
In terms of gaming, as the industry goes further into the online space and given the nature of modern fraud, there certainly is risk. Any gaming merchant needs to be careful in terms of monitoring whether a card is stolen or not and protecting the data they obtain.
Many states also have strict laws governing the security of personal information. While those laws are generally not part of gaming control acts, gaming licensees are nevertheless subject to the acts’ provisions.
The need to protect customer data is more important now than ever before as the casino industry rapidly evolves. There isn’t a “typical guest” anymore, especially in a brick-and-mortar establishment – some are there for dining, some for concerts or shows, some for shopping, while a smaller percentage visit solely for gaming.
As trends change, casinos are investigating new ways to capture data about their diverse clientele. As important as it is to push the envelope for more insightful data, it is just as important, if not more, to protect what you’ve already worked hard to obtain.
Payments Lingo 201 – Growing Your Security Vocabulary
By now, you’ve seen a few acronyms and new terms floating around on these pages. In addition to those that you’ve already digested, we’ve added some other key terms here that you are likely to encounter in making your business as secure as possible. Here is some food for thought:
Anti-Money Laundering (AML) – Generic term for rules and regulations preventing the laundering of money. All financial institutions, including gaming operators, have certain AML Federal and State regulations to comply with and the lack of such compliance can lead to both civil and criminal prosecution.
Bank Secrecy Act – Federal Law that governs, among other topics, AML.
Consumer Financial Protection Bureau (CFPB) – Federal Agency created by the Dodd-Frank Bill to protect the rights of consumers consuming financial services products.
EMV – A set of international standards that defines interoperability of secure transactions across the international payments landscape. EMV transactions introduce dynamic data specific to the card and the transaction. The goal of EMV is to devalue transaction data in flight and reduce the risk of counterfeit fraud. Considered the stepping-stone to the future of payments due to its dynamic data authentication (contactless, mobile).
PCI DSS – Payment Card Industry Data Security Standards – Set of requirements designed to ensure all companies that process, store or transmit credit card information maintain a secure environment.
Token – Surrogate values that reduce the risk of storing cardholder data. Created in alignment with PCI guidelines to support merchants being able to affect their PCI compliance assessment scope.
Joe Pappano is Senior Vice President and Managing Director of Vantiv Entertainment Solutions. His responsibilities include corporate business development, strategic sales, process improvement, administration, long-term vision, and overall direction for Vantiv Entertainment Solutions. Joe joined Vantiv in 1992 and possesses in-depth knowledge of all facets of the payments industry from merchant acquiring and card issuing, to agent banks and mobile payments. His primary focus is on helping Casino, iGaming, Lottery, ADW and Social Gaming operators build strategic payments programs.
Omer Sattar is Co-Founder and Executive Vice President of Strategic Initiatives of Sightline Payments. He has more than 10 years of operations experience in the gaming payment industry. Omer previously served as President of UB Ventures, a service provider to the prepaid card industry. Prior to this role he was Senior Vice-President of Cash Access Services for Global Cash Access Inc. Prior to joining GCA, Mr. Sattar was the Vice-President of Product Development and Sourcing for Phoenician Imports, Inc., a privately held wholesaler and retailer of home and hotel furnishings operating in the Southern U.S. and Latin and South America.