PCI compliance in the gaming industry
TRIBAL NATIONS QUARTERLY
The gaming industry has many areas that must be payment card industry (PCI) compliant. At a minimum, most properties have lodging as well as restaurants, and the computer systems that manage those businesses. Beyond those basic services, there may also be traditional retail, golf courses, theaters and other entertainment options that accept credit and debit cards for payment.
In a perfect world, all of a property’s applications would be integrated. For a variety of reasons, however, many gaming organizations default to a best-of-breed approach and then must attempt to integrate disparate applications. As a result, PCI compliance becomes much more complicated than it would be with a fully integrated system.
From a PCI compliance perspective, the greatest risk in the gaming industry probably involves the lodging systems. Lodging management systems can store cardholder data for months, and possibly longer for reservations. At a minimum, lodging systems begin storing guests’ credit or debit card information at check-in, and that information is not securely deleted until the guests check out and the card transaction has been processed.
Older lodging management systems may store the full track data when the clerk swipes a card at check-in. Our consulting teams have found that the older the application, the more likely it is that the guest’s card information, including track data, is stored and not encrypted or protected in any way. Additionally, older systems may fail to delete cardholder data at checkout, or may delete it without securely erasing it. As a result, these older systems, and any backups of them, are a rich source of cardholder data.
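The usual way to confirm whether an older lodging system or its backups hold unprotected card data of the kind described above is a cardholder-data discovery scan. The following is an added example, not code from the article or from any vendor's product: the export format and guest records are constructed, and the PAN is the widely published Visa test number.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 1 (%B<PAN>^<NAME>^<YYMM><svc>...?) and track 2 (;<PAN>=<YYMM><svc>...?).
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})[^?]*\?")
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})[^?]*\?")

# Constructed sample export from a hypothetical legacy lodging system,
# using the well-known Visa test PAN 4111 1111 1111 1111.
SAMPLE_EXPORT = "\n".join([
    "GUEST=DOE/JOHN ROOM=1412 CONF=1234567890123456",
    "SWIPE=%B4111111111111111^DOE/JOHN^2512101000000000?",
    "SWIPE2=;4111111111111111=2512101123456789?",
    "NOTE=guest asked to keep 4111 1111 1111 1111 on file for golf",
    "PHONE=555-0100 CHECKOUT=2012-03-04",
])

def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn check used by card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan: str) -> str:
    """Keep only the last four digits, so the report itself holds no PAN."""
    return "*" * (len(pan) - 4) + pan[-4:]

def scan(text: str) -> dict[str, list[str]]:
    """Report Luhn-valid track data and bare PANs found in text, masked."""
    findings: dict[str, list[str]] = {"track1": [], "track2": [], "pan": []}
    for m in TRACK1_RE.finditer(text):
        if luhn_valid(m.group(1)):
            findings["track1"].append(mask(m.group(1)))
    for m in TRACK2_RE.finditer(text):
        if luhn_valid(m.group(1)):
            findings["track2"].append(mask(m.group(1)))
    # Strip the track records so their PANs are not counted twice as bare PANs.
    remainder = TRACK1_RE.sub(" ", TRACK2_RE.sub(" ", text))
    for m in PAN_RE.finditer(remainder):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            findings["pan"].append(mask(digits))
    return findings

if __name__ == "__main__":
    print(scan(SAMPLE_EXPORT))
```

The 16-digit confirmation number in the sample fails the Luhn check and is not reported, which is what keeps this kind of scan from drowning in reservation and phone numbers.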
Restaurant point-of-sale (POS) solutions also need to be PCI compliant. As with lodging systems, restaurant POS solutions can also be a significant source of cardholder data, particularly if they are old. These systems may be installed on the organization’s general network, not segregated from other systems and users outside the gaming operation.
Some restaurants are now requiring a credit or debit card to hold a reservation. If a guest does not use their reservation, the card on file is charged a fee. As with lodging systems, this type of reservation system can store cardholder information for days, weeks or even months.
Merchandise and entertainment
Some organizations also manage golf pro-shops or retail outlets for souvenirs. In these cases, a traditional retail POS solution may have been implemented. As with all other applications, these retail POS solutions may also be implemented on the organization’s general network.
In addition to retail outlets, many gaming organizations operate entertainment complexes that include theaters and sell tickets to performances. While some organizations have outsourced ticketing to Ticketmaster or similar third parties, others run their own ticketing systems, which can store cardholder information.
Organizations may also operate golf courses, tennis courts, baseball diamonds or other sporting venues that take reservations. As with their restaurant counterparts, guests are required to provide a credit or debit card to hold a reservation and are charged a fee if they fail to show at the reserved time.
Also found on some gaming networks are the automated teller machines (ATMs) that gamblers use to obtain cash for the gaming tables. While these ATMs are typically provided by third parties, the machines use the organization’s network to connect to the ATM provider’s network. Because ATMs process transactions that are in scope for PCI compliance, such as debit card withdrawals and cash advances, they need to be segregated from the organization’s general network.
What to do
Here are some actions you should consider to ensure your organization is PCI compliant:
- Make sure that all of your applications that process, store or transmit cardholder data are certified as Payment Application Data Security Standard (PA-DSS) compliant. A current list of certified applications is maintained on the PCI Security Standards Council’s website. If an application is not certified as PA-DSS compliant, you should not purchase it.
- Make sure that your applications are implemented to the application’s published PA-DSS guidelines. Just because an application is certified as PA-DSS compliant does not mean that it is compliant straight out of the box. Every PA-DSS certified application comes with a manual that explains how the application must be implemented to maintain its PA-DSS certification.
- Use network segmentation techniques to reduce the scope of your cardholder data environment (CDE) and, therefore, your PCI assessment. These techniques can include approaches such as using firewalls or virtual LANs with access control lists to isolate the CDE from other networks and users.
- Use encryption to protect data, particularly when dealing with older applications. Encrypt the data at the folder level on the server and on backup media. Only the application should have access to the encrypted folder on the server. Also make sure that appropriate encryption key management practices are followed.
- Investigate the use of tokenization to remove cardholder data from your systems. Tokenization allows your systems to act as if they have the guest’s cardholder information stored without actually storing it. When a charge needs to be made, the token is sent to the processor, which converts it back to the cardholder information and makes the charge.
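The tokenization flow in the last item, shown as an added example that is not from the article: the processor-side vault and the lodging system here are hypothetical stand-ins, and the point is what the merchant system ends up holding (a random token, the last four digits and the expiry) versus what stays with the processor (the PAN).

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class ProcessorVault:
    """Hypothetical processor-side vault: the only place a PAN is stored."""
    _pans: dict = field(default_factory=dict)

    def tokenize(self, pan: str) -> str:
        # The token is random, so nothing about the PAN can be derived from it.
        token = "tok_" + secrets.token_hex(16)
        self._pans[token] = pan
        return token

    def charge(self, token: str, amount_cents: int) -> str:
        pan = self._pans.get(token)
        if pan is None:
            raise KeyError("unknown token")
        # A real processor would authorize with the issuer at this point.
        return f"approved {amount_cents} on ****{pan[-4:]}"

@dataclass
class LodgingSystem:
    """Merchant side (hypothetical): keeps the token and display data, never the PAN."""
    vault: ProcessorVault
    guests: dict = field(default_factory=dict)

    def check_in(self, conf: str, pan: str, exp_yymm: str) -> str:
        token = self.vault.tokenize(pan)
        # Only the token, last four digits and expiry are kept on the folio.
        self.guests[conf] = {"token": token, "last4": pan[-4:], "exp": exp_yymm}
        return token

    def no_show_fee(self, conf: str, amount_cents: int) -> str:
        # The charge is requested with the token; no card data leaves this system.
        return self.vault.charge(self.guests[conf]["token"], amount_cents)

    def holds_pan(self, pan: str) -> bool:
        """Check used to confirm the merchant's records are free of the PAN."""
        return pan in repr(self.guests)

if __name__ == "__main__":
    pms = LodgingSystem(ProcessorVault())
    pms.check_in("C100", "4111111111111111", "2512")  # Visa test PAN
    print(pms.holds_pan("4111111111111111"), pms.no_show_fee("C100", 5000))
```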
For more information about this topic, contact McGladrey risk assurance services director, Jeff Hall.