
How does Futurex help with collecting, storing, and protecting sensitive cardholder data?

At many casinos, there is no downtime. A 24x7x365 environment needs security that operates efficiently around the clock. The uninterrupted flow of money between casinos and patrons stems in large part from the overall convenience of modern payment methods. Digital credits, along with the ability to use debit or credit cards at individual slot machines, naturally promote increased spending.

As the line between casino games and Internet of Things (IoT) devices has become irreversibly blurred, many casino games now possess the capability to interpret a particular user’s behavior and game preferences. Games can perceive when users are about to switch machines, which games appeal most to particular users, and more. Designed to maximize profit, these machines can adjust on the fly to meet the needs of customers.

Rather than having to carry physical currency, patrons regularly opt to exchange digital currency. This flow of money, one that casinos rely on, endures because casino patrons have confidence that their money and data are secure. If thieves steal cardholder data, modify player rewards databases, or even threaten the integrity of casino gaming systems, patrons will no longer feel comfortable trusting casinos with their data and their money. In many cases, customer distrust could signal the downfall of a business. To prevent this, patron data requires diligent safeguarding.

P2PE, database encryption, and tokenization are three distinct solutions that work together to create a secure infrastructure, protecting sensitive data at the point of capture, in transit, and at rest.

Point-to-Point Encryption

In a compliant P2PE environment, sensitive cardholder data is encrypted from the point of interaction with the electronic gaming machine (EGM) and decrypted only within the secure boundary of a FIPS 140-2 Level 3 and PCI HSM-validated hardware security module (HSM). In the casino gaming industry, the point of interaction is most frequently provided by the mobile terminals carried by the wait staff. Terminals can also be located within the game itself, or at a point-of-sale (POS) terminal located at the front desk. From any of these entry points, card data remains encrypted until it reaches the HSM, where it can be validated for payment. By implementing P2PE, organizations can enhance their data security infrastructure while simultaneously reducing PCI compliance scope.

Database Encryption

To protect cardholder data and PII, casinos must configure database encryption, whether at the column level or through transparent data encryption (TDE). Not only does this make data inaccessible to unauthorized parties, it also ensures the integrity of the contents of a database and allows multiple users to access the database securely. Futurex devices allow for the encryption of databases and the logging of all access attempts. It is up to the organization whether to deploy granular protection on a field-by-field basis (column level) or to encrypt the database in its entirety, in a manner that does not affect users (transparent data encryption).


Tokenization

The payment card data casinos collect is stored in a centralized database, presenting a tempting target for thieves. Tokenization offers a way to protect this information. To validate cardholder data, the EGM or point-of-sale terminal device first captures the clear cardholder data. This can occur at the electronic game, or at any of the POS terminals located in the casino. Next, the relevant token is sent to the HSM through the secured host database, which returns the requested data in a secure manner. By implementing tokenization and eliminating in-the-clear storage of sensitive data, operators of these machines enjoy a considerable reduction of PCI scope and cost. In turn, organizations that practice tokenization do not need to devote significant resources to maintaining compliance, since the risk of a security breach is substantially lessened.
