Data security in the gambling industry
by Paul Brennecker, PCI QSA, PCI PFI, PCIP, Principal QSA, Security Risk Management Ltd
Complying with the mandatory security regulations within the gambling industry may appear to some to be a pain in the proverbial. Yet, be under no illusions because there is no grey area here: online security compliance is a legal requirement. Simply meeting minimum standards, perhaps grudgingly or under sufferance, however, offers no tactical advantage within the industry because everyone is subject to the same rules.
So, while a practical organisation accepts that these compliance standards need to be met, going a step further and deciding to build enhanced compliance standards into the operational framework is the sign of a pragmatic organisation. This is because enhanced compliance significantly improves the odds in their favour. However, before detailing the advantages of such an approach, it is firstly important to understand the three main standards pertaining to the gambling industry. Like an onion skin, under each layer there is another layer, protecting, at the heart, the interests of customers.
UK Gambling Commission requirements
The UK Gambling Commission states that it is ‘committed to the protection of privacy of personal data’. A full copy of the Data Protection Act 1998 is available on the ICO’s website (www.ico.gov.uk).
The main standard relating to stored payment card data is the Payment Card Industry Data Security Standard (PCI DSS). Gambling firms risk fines, reputational damage and restrictions on processing cardholder data if they, or their suppliers, do not comply with the industry’s standards on storing payment card details.
The UK Gambling Commission has indicated that wherever possible the ISO 27001 framework should be followed. Anyone working in PCI knows that ISO 27001 is the inner layer of the onion: the bedrock for compliance.
More and more organisations are now asking for the ISO 27001 approach because its framework has an inherent, built-in flexibility. Used as a basis, its methodology can be applied to manage several compliance programmes and to build security into each layer of operation.
Meeting minimum standards is a basic necessity but surpassing these standards must be an aspiration for all mature organisations. With compliance at the core, it is possible to establish documented procedures which set out clear boundaries. Having developed a strategy with compliance built in, it is then possible to replicate that framework when another product is brought on line, thus making this process much quicker and cheaper.
An example of this is a payments strategy for the whole procedure. Starting with PCI DSS compliance, a robust payments protocol can be used across all new products within the company. It can be replicated in the full knowledge that it will be compliant.
Another example is firewalls. Having met the highest standard levels from the outset, it is possible to establish firewall protocols, enabling the business to grow in a manageable way without additional risk.
One client in the gambling industry is following this principle and is now able to bring new products online within a fortnight because, while establishing protocols, they have automated much of the process. This practice of streamlining, standardising and automating protocols brings further inherent advantages: employees know what they should do within defined boundaries, which, as well as minimising risk, makes for happier, more productive staff.
There are many potential pitfalls when dealing with PCI and compliance in general. The main one is selecting the wrong product, but others include not specifying requirements correctly or misinterpreting the intent of the standards. Using a consultant experienced in the gambling industry reduces these risks while improving the odds of a successful, integrated and cost-effective strategy.