Why Casinos Shouldn’t Gamble on Data Security

June 21, 2019 at 4:51 pm by Paul Falcone

Casinos have long been high-risk targets for theft and fraud. As such, most gambling institutions establish stringent policies in anticipation of every possible criminal heist activity, and some even partner with security firms to further ensure safeguards are met and followed. Yet, casinos are still playing catch-up in their policies and procedures to safeguard against digital heists, even though they are a veritable treasure trove of private and personally identifying information (PII).

The Perils to Overlooked Casino Data

Casinos often offer more than just a place for adults to gamble. Most include hotels, stores, restaurants, and entertainment experiences on the casino premises, and all payment transactions through these businesses funnel through the casino’s payment processing system. There’s also a plethora of ATMs strategically placed across gaming floors to make sure customers can continue to play and spend money with the casino with ease. And let’s not forget the casino reward cards given out to players to use during their visit, which require PII like name, birth date and address to sign up. In short, casinos store and promise to protect massive amounts of sensitive and private data. Whether the data is stored in drives on the premises or with a third-party cloud system, casinos must establish an equally strict set of regulations on the handling, management, and disposal of all data that passes through their doors.

If that isn’t complicated enough, casinos must also establish data protection and disposal policies that incorporate the myriad of state and federal privacy regulations that have recently arisen. Though there are no laws (yet) specific to casinos for mandating data safeguarding, these businesses must comply with their state’s financial privacy regulations and consumer protection and privacy laws as well as those set by the federal government. Casino operators can make this easier by complying with industry encryption standards as well as by limiting their data-sharing partnerships. And, of course, as with physical heists, casinos should have data breach notification plans and safeguarding procedures outlined in their overall IT security measures.

Securing Data at Game-Level

There’s also the security around the gaming personnel and game pieces like chips, playing cards, and dice to consider. All casino personnel are issued their own personal identification badges and keycards for secure entry into private areas of the casino, including non-gaming areas where money and data are stored. Ensuring the security of these keycards is therefore paramount, especially when they reach end-of-life and need to be disposed of properly.

Additionally, play data is tracked through advanced technology like invisible bar codes on cards, weight sensors for dice, and radio-frequency identification (RFID) embedded in the chips. Chips are also uniquely designed for each casino, with identifying marks like color combinations for the edges and UV markings on the chip inlay that are impossible to replicate. This makes it easier for casinos to identify counterfeit chips as well as chips that do not belong to their establishment (and therefore cannot be used in play or turned in for cash).

Complying with Security Regulations for Data Disposal

As part of their stringent policies to thwart fraud and criminal heist activity, casinos must also establish security measures for the destruction and disposal of these authorized personnel keycards and for the playing cards, dice, and chips when they reach end-of-life. The same can be said for any hard copy paperwork and digital data stored in drives or on a cloud system, whether it be consumer PII or casino-specific information.

It’s recommended that a casino purchase data destruction devices from a vendor like SEM to keep on-site and thereby further limit access to the data and devices during destruction. SEM, in fact, has been supplying destruction equipment to the gaming industry and casinos throughout the globe for decades, offering several casino and gaming destruction solutions for the proper and irrevocable destruction of playing cards, dice, casino chips, and ID/keycards.

In short, if casino operators don’t comply with consumer privacy and data regulations as well as security regulations to minimize fraud and theft, you might as well call it: game over.