The balancing act with security concerns
It is not an exaggeration to say that Kiosk technology is a top consideration for business executives in casinos and hospitality properties. As a matter of fact, in a recent Raving survey, gaming operators stated that kiosks were the number one technology addition implemented in 2018!
Casino and Hospitality enterprises are employing Kiosk technology as a key ingredient in their digital and guest engagement strategy and marketing mix. A Kiosk is a vital engagement and marketing channel to deliver loyalty and promotional content and gain valuable guest insights.
Properties are making significant investments to improve per guest profitability and guest experience management with their Kiosk technology selection and implementations. It is equally important to pay attention to understand and prevent the security vulnerabilities when a kiosk device is used as a personal ATM for individualized guest engagement and data exchange.
In this article we have highlighted key building blocks and important security checkpoints in the technology selection and implementation of Kiosks as part of the digital strategy.
Key Building Blocks
When a Kiosk device is used as a personal ATM, we are talking about exchanging personal information at an individual level that cannot be compromised at any level. The key building blocks that we need to pay attention to are:
- User: Is a guest or a players club card member exchanging personal information via the kiosk?
- Kiosk device: Be it a standalone or a tablet device, it is the digital engagement device capturing the personal information from the user and giving information back.
- Players club card: A physical card wherein the user information is electronically stored.
- Kiosk software application: A typical kiosk software application consists of a software client (e.g., App) that resides on the Kiosk device and the back-end server software application that deployed either on the property itself or in the cloud.
Below is a list of checkpoints to consider when personal and sensitive data is exchanged between these building blocks.
Any Kiosk hardware device, such as a standalone or tablet, has a unique device identity. During the device onboarding process, this device identity will be recognized and registered in the back-end system. On every subsequent attempt when data is exchanged via this Kiosk device, the device will be authenticated and authorized by the back-end systems before any data could be exchanged in either direction.
Additionally, the Kiosk device should be allowed to operate only within authorized locations within the property. The first level of validation can be implemented in the local IT network. The second level of validation can be done in the Kiosk application software, depending on the capabilities of the vendor.
2. Kiosk Software:
The Kiosk client and server software exchange data entered from the Kiosk device and the back-end systems, such as the players club card membership application, marketing application, etc. The next security checkpoint is to ensure that the Kiosk client and server are authenticated mutually, and that the data is encrypted and transported over a secure pipe between the Kiosk device and back-end systems via APIs. Token-based API authentication is utilized to validate the Kiosk client and server applications, and SSL certificates are employed to encrypt sensitive data and transport over a secure HTTPS pipe.
3. User and Players Club Card:
Once the connectivity between the Kiosk device and the back-end systems, and the data pipe transportation are secure, the next important step is to validate the identity and authenticity of the user before exchanging any personal information via the Kiosk and delivering loyalty entitlements and individualized promotions to the Kiosk. In the absence of any fingerprint and/or facial recognition technologies, the electronic data stored on the players club card is utilized to identify and validate a user. Additional software can be embedded into the Kiosk client software to encrypt any sensitive data that is read from the swiping of the membership card, and make it only available and visible to the back-end membership loyalty system.
A user can be a person with or without a loyalty card membership. In the case of a non-member, an email or mobile phone number can be entered from the Kiosk device as the user identity. A two-step authentication process, such as sending an email or text message to a mobile phone, can be employed to bind the user’s identity (e.g., membership number from the card swipe, or email/phone number entered from the kiosk) with the person exchanging data via the Kiosk device.
Do you have the proper security protocols in place to protect your data? Do you have questions about the seven areas above regarding your current Kiosk setup? Drop us a line at 775-329-7864, or email Amy Hergenrother at [email protected] if you’re interested in a Kiosk security check-up.