[Dave Birch] I happened to be at a seminar about online payments for gaming and gambling and sat in on a fascinating talk by Jim Noakes, the Head of Payments at Gala Coral Remote Gambling, on the challenges that he is facing at the moment. It was fascinating because his list of challenges could easily serve as the basis of a requirement specification for a next-generation payment system. Setting aside the challenges of compliance, I thought there were two key challenges that we (ie, the payment industry) might be able to help with. The first is reducing the cost of cash in, and the second is reducing the cost of cash out (ie, winnings). The latter is often where the fraudsters attack, particularly when they get payouts directed to stolen cards. And because the online gambling companies are specific targets for the fraudsters, any solutions must have a high level of security built in from the very beginning.
The kind of fraud they are subject to is that a criminal will spend several thousand pounds on a bent card and get back half in winnings, which are then paid out as "clean" money -- exactly the same way that criminals launder money through physical casinos -- and off they go. Sometimes the game operator may suspect that there is a scam underway, but there's not much they can do to stop it. I suppose they could hold all winnings for 181 days until all of the chargebacks have been through, but I don't suppose that would be a popular approach! As an aside, let's just remember that not all criminals target online gambling though!
State gaming officials said the theft of money from a high-stakes slots machine at The Meadows Racetrack and Casino went unnoticed for several weeks because the false jackpots that the machine was paying out to a trio of suspects were not recorded internally by the machine. State Gaming Control Board spokesman Doug Harbach said that detecting the theft of more than $430,000 would have been easier if the winnings displayed on the machine matched its internal records. [From Gaming security failed to record slots theft]
A couple of other points of note: first of all, Jim said that customers like 3DS once they get used to it, and that after a while they will actually call up when it is missing (because the directory server has failed or whatever). He said, and I do quote, "there is a business case for 3DS any day of the week". He also mentioned that they don't store card numbers (PCI-DSS and all that), but actually it would be useful to, because then they could spot card use across multiple accounts, and this would help to fight fraud. I wonder if there are other examples where attempts to crack down on card fraud in one area lead to more fraud in other areas?
Incidentally, with reference to the recent fuss about the exclusive use of Visa at the Olympics, Jim said that Gala Coral wouldn't take MasterCard for a while -- I'm not sure why -- but that it "didn't matter as most customers seem to have Visa and MasterCard".
The point I wanted to focus on was that we need to separate the anonymity of the payment transaction at low values (Gala Coral are targeting people with £100 per month discretionary leisure and entertainment spend) and the identification and authentication of players. Suppose, for example, that a company needs to know that I am over 18 and a UK citizen. How can I prove this to them? And, more to the point, how can I prove this to them cost-effectively and without disclosing personal data that is not relevant to the transaction? Following the current FSA rules means that the company has to KYC everyone, spending as much money on Mrs. Trellis from North Wales who spends a tenner a week on online bingo as they do on Middle Eastern visitors spending thousands of pounds every night. A working national identity infrastructure, which we do not have in the UK, should enable me to prove to Gala Coral that I am over 18 and a UK citizen, but that's it.
As for the payment transaction itself, who should know whether you are using your prepaid card, for example, to gamble? Well, some people think they should.
Gov. Arnold Schwarzenegger has issued an executive order barring California welfare recipients from using state-issued debit cards at casino ATMs. Thursday's order followed a report by The Los Angeles Times that found CalWORKS cards were used to withdraw cash in more than half the casinos in the state. [From Schwarzenegger Bans Welfare Cards At Casinos - cbs5.com]
Once again, we're seeing the payment system being used to police issues that are nothing to do with payments, and rather pointlessly, since I'd lay a pound to a penny at Gala Coral that some new ATMs are being installed across the street from Californian casinos even as we speak.
These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public