Working with paper documents to ensure security is no longer a viable option. Today, players want secure and readily available mobile access to their accounts, anytime, and on multiple devices.
Recent changes call for increased security measures like HSMs
The lottery and gaming industry requires appropriate hardware-based security measures
The lottery and gaming industry has undergone major changes similar to those in other industries over the past two decades. The ongoing digitization of the market opens up numerous opportunities for companies and players alike:
- rapid go-to-market
- broader target groups
- access anywhere anytime
- higher efficiency and transparency
- easier auditing
Simply offering services online is a thing of the past. Today, players want secure and readily available mobile access to their accounts, anytime, and on multiple devices.
Utimaco provides tamper-proof Hardware Security Modules (HSMs) with FIPS 140-2 Level 3 and 4 certifications that build the root-of-trust basis for numerous applications used in the lottery and gaming industry.
Regulations and standards to fight fraud and manipulation
Fraud and manipulation have always existed, since the very first casinos saw the light of day. However, digitalization brings new and more sophisticated attack vectors involving hackers and cybercriminals, taking security risks to a new level. A company’s reputation and success greatly depend on mitigating risks such as fraud and manipulation, theft of personal data, account or payment card information, as well as insider threats. The market has become heavily regulated over recent years, addressing increased IT security requirements, among other things. Regulators and other stakeholders have paved the way for national and international standards to protect sensitive and business-critical data. Two examples of applicable regulations are:
- Data Protection laws and regulations such as the US Data Protection Act or the EU General Data Protection Regulation (GDPR) have been created to protect personal data of individuals. These apply to all industries, including the lottery & gaming industry.
- Many lottery and gaming organizations and platforms need users’ payment card information to participate in gambling activities. As such, the Payment Card Industry Data Security Standard (PCI DSS) applies and requires that payment card information must always be protected when in use, in motion and at rest.
Working with paper documents to ensure security is no longer a viable option
For a long time, the lottery & gaming industry was reluctant to make the switch to using electronic documents and systems. The latter are much easier to access and manipulate. Nowadays, this is unthinkable. Offering goods and services online and in electronic format is considered as given in this industry.
The IT and security infrastructures need to account for this:
- User authentication to access an account is based on the unique identification (ID) of an individual user. The user ID can be set up as part of a public key infrastructure (PKI) that provides each user with digital identities. The related cryptographic keys are stored inside a Hardware Security Module (HSM) for maximum security. 2-factor-authentication and strong passwords (one-time passwords, OTP) complement the secure access to the user account.
- True random number generation (RNG) is essential, on the one hand, for generating cryptographic keys used in encryption, authentication and signing processes. On the other hand, it is key for the randomness and entropy required for online lottery and gaming operations.
- Adding a digital signature to documents and transactions identifies the author, proves the authenticity of the content and ensures non-repudiation. A digitally signed timestamp adds certainty to their validity and chronological order.
- The tamper-proof creation of timestamps is also crucial, e.g. for issuing lottery or sports betting tickets. Players guess the outcome of a future event and submit their guess before an event takes place. The timestamp proves that a player’s betting slip was issued before the lottery draw or end of the football game, which everyone can then verify. Back-dating or altering logs is not possible with secure auditable timestamps. The European eIDAS regulation lists various requirements for timestamping services.
- Database encryption ensures that user, account and transaction data that is stored and at rest can never be accessed in the clear (unencrypted) by any unauthorized person. The related encryption keys are securely generated and stored in an HSM. They are kept separate from the actual encrypted data and cannot be accessed by either unauthorized parties or by the administrator themselves.
Utimaco provides tamper-proof Hardware Security Modules with FIPS 140-2 Level 3 and 4 certifications that build the root-of-trust basis for the above-mentioned applications used in the lottery and gaming industry.
Do you have questions regarding these applications? Or need assistance with selecting the most appropriate IT security solution for your business? Let us know at firstname.lastname@example.org.