SBC News Voice of the Sports Betting Industry
As compliance across the global online gambling ecosystem becomes increasingly critical, Craig Lusher, Product Principal of Secure Solutions at Continent 8 Technologies, elaborates on the implications that one recent development could have on the space.
This saw the PCI Security Standards Council, which provides a baseline of technical and operational requirements that are designed to protect account data, introduce a 4.0 mandate with 60 new requirements, which will displace the existing standard by March 31, 2025.
In the first of a two-part SBC News special, Lusher delves into the key components of the shift, challenges posed and the crucial aspects that must be adopted as PCI DSS v4.0 replaces version 3.2.1.
SBC News: Could you talk us through the principle reasons behind the PCI Security Standards Council’s Shift to PCI DSS 4.0?
Craig Lusher: The primary driver behind the PCI Security Standards Council’s move to PCI DSS 4.0 is the evolving cyber threat landscape and the need to continually enhance the security of payment card data. As technology advances and new vulnerabilities emerge, it’s crucial to update the standards to address these challenges effectively.
PCI DSS 4.0 introduces several key changes aimed at strengthening security measures, promoting flexibility, and supporting innovative technologies. The updated standard places a greater emphasis on risk analysis, enabling organisations to tailor their security controls based on their unique risk environment. This approach allows businesses to prioritise and allocate resources more effectively while maintaining a robust security posture.
The new standard recognises the growing adoption of cloud technologies and the need for secure implementation of these solutions. PCI DSS 4.0 provides clearer guidance on securing cloud environments, and ensures that organisations can leverage the benefits of cloud computing without compromising the security of cardholder data.
“As attackers become more sophisticated, organisations must continuously update and strengthen their security controls”
Continent 8 has built its reputation on assisting igaming companies in navigating regulated markets and satisfying stringent compliance standards. We understand the importance of staying ahead of evolving regulations and standards, as well as the benefits this proactive approach brings to our customers.
The purpose of PCI DSS 4.0 is to provide a more comprehensive framework that accommodates diverse business models and technologies. It also emphasises continuous risk assessment and management, encouraging organisations to adopt a proactive security posture. According to a report by IBM, the average cost of a data breach in 2023 was $4.45m, underscoring the need for robust security measures.
SBCN: What major challenges are faced by organisations, particularly those within the igaming and online sports betting space, in adhering to these updated credit card payment processing rules?
CL: One of the primary challenges faced by organisations in the igaming and online sports betting industry is the complexity of their IT environments. These businesses often deal with a multitude of interconnected systems, third-party integrations, APIs, and a vast amount of sensitive data, making them prime targets for cyber attacks and challenging to ensure end-to-end security and compliance with PCI DSS 4.0.
Another significant hurdle is the constant evolution of cyber threats. As attackers become more sophisticated, organisations must continuously update and strengthen their security controls to prevent data breaches.
“The global nature of the igaming and online sports betting industry adds an extra layer of complexity”
PCI DSS 4.0 mandates the implementation of robust security solutions like Web Application and API Protection (WAAP) or Web Application Firewalls (WAFs) to protect against web-based attacks. Intrusion Detection/Prevention Systems (IDS/IPS) are also required to monitor and respond to potential security incidents in real-time.
Regular vulnerability assessments and penetration testing are also part of the PCI DSS requirements, helping organisations identify and address potential weaknesses in their security posture.
While not explicitly required, the use of Security Operations Center (SOC) and Security Information and Event Management (SIEM) capabilities are strongly recommended by the PCI Security Standards Council. These tools provide centralised monitoring, analysis, and incident response capabilities, enabling organisations to detect and respond to threats more effectively.
Implementing and maintaining these proactive security measures often requires additional human resources with specialised skills (of which there is a large global shortage).
Organisations may need to invest in hiring, retaining and training in-house security personnel or consider outsourcing to managed security service providers (MSSPs) like Continent 8. By partnering with an experienced MSSP, organisations can access the expertise and technologies needed to meet PCI DSS requirements and maintain a strong security posture without overburdening their internal teams.
The global nature of the igaming and online sports betting industry adds an extra layer of complexity. Organisations must navigate various regional regulations and ensure that their payment processing systems comply with both PCI DSS 4.0 and local requirements. This can be a daunting task, especially for businesses operating in multiple jurisdictions.
“Continent 8 believes that a comprehensive, layered approach to security is essential for achieving and maintaining PCI DSS compliance”
Continent 8 understand these challenges and have developed a comprehensive suite of solutions to help organisations overcome them. Our managed security services, including VAPT, WAAP/WAF, M-SOC & SIEM, and IDS/IPS, are designed to provide a robust defence against cyber threats while simplifying compliance with PCI DSS 4.0. Our team of experts works closely with customers to meet the specific needs of the igaming and online sports betting industry.
SBCN: From your experience, what would you say are the critical introductions to be adopted under the new global standard? Would you say that any aspects have been overlooked?
CL: One of the critical introductions in PCI DSS 4.0 is the increased emphasis on risk analysis and the adoption of a customised approach to security. This shift allows organisations to tailor their security controls based on their unique risk environment, enabling them to allocate resources more effectively and focus on the most critical areas of their IT infrastructure.
Another key aspect is the enhanced requirements for protecting against web-based attacks. PCI DSS 4.0 mandates the use of automated technical solutions, such as WAFs, to continuously detect and prevent web-based attacks. This requirement highlights the importance of proactively defending against the growing threat of application-layer attacks, which can lead to devastating data breaches.
The updated standard also places a greater focus on security monitoring and incident response. Organisations are required to implement robust logging mechanisms, regularly review logs for suspicious activities, and establish formal incident response plans. These measures are crucial for detecting and responding to security incidents in a timely manner, minimising the impact of potential data breaches.
While PCI DSS 4.0 covers a wide range of security aspects, there are a few areas that could benefit from further emphasis. For example, the standard could provide more detailed guidance on securing containerised environments and microservices architectures, which are becoming increasingly prevalent in modern IT infrastructures. Also, it could have further addressed emerging technologies such as blockchain and AI-driven security solutions.
According to Gartner, by the year 2025, 60% of organisations will consider the cybersecurity risks associated with their business partners and third-party vendors as one of the main factors when deciding whether to engage in transactions or establish business relationships with them. Continent 8 believes that a comprehensive, layered approach to security is essential for achieving and maintaining PCI DSS compliance and for wider partnerships.
