Gambling Commission Compliance - Security Requirements
What does the gambling commission do?
The Gambling Commission regulates gambling in the UK. All licensed remote gambling operators and gambling software operators must comply with specific licensing requirements, including technical standards, and provide annual security audit reports.
Newly licensed remote gambling operators must also submit a security audit within six months of being granted a licence, irrespective of whether they are trading.
Remote gambling and software technical standards
The Gambling Commission’s Remote gambling and software technical standards (RTS) detail the specific technical standards and the security requirements that licensed remote gambling operators and gambling software operators need to meet.
Under section 4 of the RTS, remote gambling operators must complete a third-party annual security audit against specific sections of the ISO/IEC 27001:2013 standard and submit an audit report to the Commission.
Gambling operators that obtain certification to the full Standard must be audited against ISO/IEC 27001:2013.
Scope of the security audit
The scope of the “security audit” needs to cover the following “critical” systems:
- Electronic systems that record, store, process, share, transmit or retrieve sensitive customer information, e.g. credit/debit card details, authentication information, customer account balances;
- Electronic systems that generate, transmit or process random numbers used to determine the outcomes of games or virtual events;
- Electronic systems that store results or the current state of a customer’s gambling history;
- Points of entry to and exit from the above systems (other systems that are able to communicate directly with core critical systems);
- Communication networks that transmit sensitive customer information.
Scheduling your security audit
While the Commission does not approve security audit firms to perform the security audit, it highlights that “Licensees must satisfy themselves that the third party security auditor they intend to use is reputable, is suitably qualified to test compliance with BS ISO/IEC 27001 and that the auditor is independent from the licensee.”
The auditor must be one of the following:
- ISO 27001 Lead Auditor
- Certified Information Systems Auditor (CISA)
- Certified Information Security Manager (CISM)
- Certified Information Systems Security Professional (CISSP)
IT Governance has a team of ISO 27001 Lead Auditors, many of whom also hold CISA, CISM or CISSP certificates and are qualified to carry out independent information security audits as required by the Gambling Commission.
PCI DSS compliance for remote gambling operators
As a PCI QSA company, we can help operators that process payment cards comply with the Payment Card Industry Data Security Standard (PCI DSS).
The PCI DSS imposes strict information security control requirements on all merchants that process payment cards, and these security requirements overlap and intersect with the controls identified under the Gambling Commission's technical requirements.
Ensure your web applications are secure
As a CREST-accredited company we can also provide penetration testing services to help you determine whether your web applications are protected from fraudulent activity and unauthorised disclosure.
Speak to an expert
Please contact us for further information or to speak to one of our in-house experts.