Gambling organisations in the United Kingdom must ensure that they’re following proper security procedures. This is necessary to prevent issues like money laundering, and it also helps ensure the protection of customer data. As such, the U.K. Gambling Commission has established security requirements that remote gambling operators must follow. Remember, this is not just an issue of compliance. It’s a way to demonstrate fairness and accountability for your customers, too.
What Is Remote Gambling in the UK?
A bulletin from the U.K. Gambling Commission, citing the Gambling Act of 2005, defined remote gambling as “gambling in which persons participate by the use of remote communication.” It goes on to describe remote communication as including TV, the radio, telephones, the internet and other electronic devices. Importantly, this means that self-service terminals located in a betting establishment would still be considered remote gambling. On the other hand, lottery ticket vending machines do not fall under this classification.
Is the Credit Card Ban Related to Security Concerns for Remote Gambling?
As you may be aware, in April 2020, the U.K. Gambling Commission began to prohibit the use of credit cards for gambling. By and large, the motivation for this regulation seems to be reducing the financial harm that can result from problem gambling. According to a press release from the Commission, the agency’s chief executive, Neil McArthur, was hopeful about the ban’s impact.
“It is a ban which ultimately reduces the risks of harm to consumers from gambling with money they don’t have,” said McArthur.
The UK Gambling Commission’s Security Requirements for Remote Gambling
Guidance from the U.K. Gambling Commission in 2017 outlined technical standards for remote gambling operations. These guidelines are intended to adhere to those recorded in the standard known as ISO/IEC 27001:2013 from the International Organization for Standardization and the International Electrotechnical Commission. The overall objective of these guidelines is to ensure security practices are sufficient for protecting the data and funds of remote gambling customers while also maintaining the integrity of those gaming services themselves.
Below, we share the 13 key security provisions mentioned there, along with some additional information. We’ve homed in on some of the important aspects of each point, but the official standards provide a significant amount of additional detail.
Information Security Policies
This standard outlines the need for a comprehensive information security policy as well as for processes devoted to reviewing such a policy.
Compliance
To comply with the security standards, this provision discusses the need for an independent review of the remote gambling company’s security policies. It also covers how to implement such policies in a way that’s adequate and effective.
Operations Security
This standard is also thorough. Preventing malware and data loss are key topics. Related to those concerns, event logging protocols are explored, as are procedures for separating environments used for development, testing and operations.
Access Control
This is one of the more comprehensive sections of the security standards for remote gambling. The standard outlines appropriate access control guidelines on the business administration end and discusses how to manage user access, user responsibilities and access to systems and applications. Requirements included here explore user registration practices, secret authentication information, secure log-on techniques and password management.
System Acquisition, Development and Maintenance
The central objectives for this standard are concerned with security requirements for information systems as well as with the development and support processes. The protection of test data is also discussed. Development and support processes demand close scrutiny in particular. Requirements also cover application services on public networks and application service transactions.
Communications Security
Network security is the leading concern for this section. Segregation, control and secure services are explored.
Organisation of Information Security
In this guideline, there are security policies enumerated for responsibly leveraging mobile devices. Teleworking is also covered by this standard.
Cryptography
Standards related to cryptographic controls and key management are essential.
Physical and Environmental Security
Virtual security protocols can only take you so far. This section discusses requirements for protecting physical equipment, even as you dispose of or repurpose items. There are also guidelines for unattended user equipment.
Asset Management
Classification of information and acceptable techniques for properly handling and disposing of removable media are included here.
Human Resources Security
There are two objectives for this section. The first is to mandate that employees are made aware of security best practices and properly trained on how to follow them. The second objective relates to employee reassignment or termination.
Supplier Relationships
In order to ensure that suppliers adhere to information security standards, online gambling customers must follow this standard. Requirements address information security policies, supplier agreements and supply chain concerns. Monitoring, reviewing and managing changes to supplier services are also essential concerns.
Information Security Incident Management
When information security incidents and weaknesses do occur, the monitoring and response protocols are governed by this standard. Responsibilities, reporting, assessment and other guidelines are explored here.
The security standards outlined by the U.K. Gambling Commission are important for compliance and customer service. To find out how Saphisle can help your remote gambling enterprise adhere to these policies, contact us or book a meeting today.