1. Testing is now about more than RNGs and pay tables. Operational processes, corporate governance, management oversight, hiring processes, background checks, or any other area that can influence the gaming systems is now in scope for some form of testing or audit.
2. The scope of testing is not limited to the gaming platform or games suppliers. The security of the data centre used to host the gaming systems, which cloud services are in use, or what personal player data AML engines have access to, is just as important as the primary supplier's code. Regulators are now looking at the gaming ecosystem holistically, bringing third-party suppliers in scope for testing.
3. Having testing performed solely by the supplier or vendor is not necessarily sufficient. Many regulators are moving to a model where testing is performed by independent testing houses and audit firms accountable directly to the regulator, rather than relying on the vendors to do it themselves.
4. Risk- or principle-based testing is becoming more prevalent. Although testing is more exhaustive, it is focused on those areas that pose a greater risk, such as geolocation of players or data storage of player personal information, rather than marketing email systems.
5. Providing previous testing for other jurisdictions is of value. Where testing has been performed already, being able to provide the regulator with specific details of what types of testing, to what regulations, the outcomes, and other details, can help reduce the test cycle. To emphasise, this is only of value when full test details are provided; a game pass one-page certificate will not suffice.
6. Build in security, and compliance will follow. Finding and fixing security bugs can cost up to 30 times more at the deployment stage than fixing them at the development stage. By taking a proactive, strategic approach to building security into the Software Development Life Cycle (SDLC), you can increase the ROI early on and reduce inefficiencies and expense related to compliance requirements in the long term.
7. Getting better at the basics. Most security compromises occur when foundational core processes fail. Patch, configuration and upgrade management are the usual culprits. Ensuring that the processes are working the way they should by performing periodic spot checks in the form of security assessments will help catch breakdowns sooner and give you ample time to course correct.
In summary, achieving and maintaining compliance in regulated markets for online gaming can be a challenge. However, with the right proactive planning and consideration for each jurisdiction's regulatory detail, compliance from day one is achievable. This in turn leads to a more secure, reliable and trusted system that is good for players and suppliers alike.
Arryn Blumberg is a Director with PwC's (PricewaterhouseCoopers) Gaming Practice in Canada where he leads the Gaming Technology & Testing group, specializing in iGaming and business transformation. Arryn can be reached at Arryn.Blumberg@ca.pwc.com.
Bryson Tan is a Director with PwC's (PricewaterhouseCoopers) Security Practice in Canada where he leads the Threat & Vulnerability Management Team. Bryson can be reached at Bryson.Tan@ca.pwc.com.