Industry insight: Gaming and the liability limbo

Industry insight: Gaming and the liability limbo

Tuesday, September 15, 2015 Totally Gaming
Craig Jacobs on the new EMV standard

On October 1, 2015 the point-of-sale world undergoes a major shift in liability for any retailers that haven’t updated to the latest ‘Smart’ credit card technology in their venues in the US, writes Craig Jacobs.

Commonly known as EMV (Europay, MasterCard & Visa), the standard has been used in much of the world for years, and the US is catching up to combat fraudsters who have continually attacked the financial system using card cloning schemes. 

While ATMs and gas stations have a year or longer to get their systems compliant with EMV technology, the point-of-sale industry has been running full speed to pump retailers and their systems up to the latest standard.

The gaming industry, with its multi-faceted businesses, finds itself in a liability limbo. Although liability will be shifting for point of sale terminals, card not present transactions (transactions processed over the phone or online) will not be affected and there is still time for American land-based casinos to get their ATM infrastructure up to snuff. 

The liability limbo will be determined based on three factors:
1) Type of Transaction
a. Card Present   b. Card Not Present
2) Type of Terminal
a. EMV Enabled   b. Magnetic Swipe Only
3) Type of Payment Card
a. EMV Chip Enabled   b. Magnetic Swipe Only

The new standard specifies that liability will fall to the “least EMV compliant” party involved in the transaction. This may mean that a card issuer who has not issued an EMV card is the least compliant party, shifting liability away from the retailer. However, retailers who have not upgraded to EMV-enabled systems may find themselves stuck with high costs from fraudulent transactions conducted through counterfeit cards. 

While land-based gaming operators in the US have been focused on upgrading their systems, casinos must also keep in mind that card-not-present transactions will become the weakest link in the payment card industry chain and will likely be more heavily attacked.

As part of the EMV effort, casinos would do well to add a second phase to their projects, tokenisation. Tokenisation is the latest effort to minimise an attack that has been plaguing the gaming industry over the last several years - memory scraping.

Memory scraping allows attackers to watch payment card information in process and steal the data in large quantities.

Often, these attacks will go unnoticed for months before the card brands or, in some cases, the card issuers notify the location that there is a problem.

By making tokenisation the second phase of the necessary EMV projects dominating the compliance conversation in boardrooms across the nation, the industry can help mitigate risk and ensure that it stays under the limbo bar in the next wave of attacks.

Craig Jacobs is the Director of Incident Response and Problem Management for MGM Resorts International where he drives priority incident escalation, communication restoration, analysis and review. He is also author of Breaching America, which explores what it takes to better protect America's organisations from security breaches. The views expressed on this site are Mr Jacobs' and do not necessarily reflect the views of MGM Resorts.


Hard Rock Hokkaido

Hard Rock details plans for integrated Japanese resort

American football

Caesars strikes New York and NFL deals


AGS agrees $49m acquisition of Integrity Gaming

Scientific Games

Scientific Games settles Shuffle Tech patent case

Gaming Products & Services Directory

The essential directory for the gaming industry