Sensitive player information and funds flowing over online payment rails will continue to increase as the industry grows. Recent estimates by the gaming consultancy H2 Gambling Capital value the online gambling industry at some $36 billion.
The stakes are high and as they get higher, Internet gambling operators must prepare by securing websites to protect their customers’ personal data.
By now, operators that accept credit and debit cards should know about the Payment Card Industry Data Security Standard (PCI DSS), the industry information security standard created by leading card brands to protect cardholder data and reduce fraud. All operators—no matter the size—are required to comply or risk losing the ability to accept many brands of payment cards.
Your business has completed a PCI Self-Assessment Questionnaire (SAQ) or has been audited by an external Qualified Security Assessor (QSA). Passing an assessment or audit validates that your business is following industry best practices to protect against a data breach. However, achieving PCI DSS compliance is not a guarantee that your business will be immune to a breach, especially as online threats grow ever more sophisticated.
Regardless, PCI compliance is not optional for businesses accepting the major brands of credit and debit cards. More importantly, adherence to the recommended security guidelines is an ongoing process designed to minimize your risk of a data breach, which matters all the more as it becomes harder for an individual operator to stay ahead of the vast array of threats.
For all operators, the most obvious impact of a data breach is financial loss. If your business were to suffer a breach, your actual cost would be determined by factors such as:
• Notification to customers—Breach notification requirements vary by state. Operators with multiple state locations must abide by each state’s specific requirements. The process of sending notifications may cost thousands of dollars depending on the number of online players affected and the type of information that was possibly compromised.
• A mandatory forensic examination—PCI DSS regulations require that operators merely suspected of having a data breach undergo a forensic examination to determine if a breach has actually occurred and to what extent. This examination can last several days and may require the shutdown of payments, and thus online gambling activity, during that time.
• PCI compliance fines—The card associations could levy fines for millions of dollars depending on the nature of the offense that led to the breach, and whether or not the cards have been used in actual fraud cases.
The ensuing loss of reputation and customer trust could be the greatest risk of all. In a Ponemon Institute study on measuring the loss of brand and business reputation after a data breach, 76 percent of executives whose companies had experienced a customer data breach said the event had a significant or moderate impact on the business's reputation. It can take a year or longer to restore reputation and brand image after a breach.
Further, a recent poll of American shoppers found that 88 percent of the 1,060 surveyed place the burden of protecting the data on retailers who are collecting it.
Lastly, card companies such as Visa, MasterCard, American Express and others may refuse to do further business with you after a breach.
SECURITY: A TEAM EFFORT
Electronic payment systems can be complex but securing them doesn’t have to be. Today there are many resources and innovative solutions to help bolster payment card security. The first step is to recognize that businesses can be vulnerable to a breach, even after passing a PCI compliance assessment or audit. The next step is to discuss business specifics with your payment processor, bank and any other party to the transaction.
And finally, look for expertise and innovative solutions to keep your business protected and to ensure PCI compliance.