In a recent interview with SafetyDetectives, Mark Pace, Vice President of the International Gaming Standards Association (IGSA), draws on his 30-year tenure in the gaming industry to illuminate the intersection of technological innovation and regulatory practices. He touches on IGSA’s mission to enhance security, address data privacy concerns, responsibly integrate AI, and promote safer gaming practices. With a background that encompasses launching casinos and leading tech operations, Mark offers a unique perspective on the vital work IGSA does to ensure a secure and ethical gaming landscape.
Can you introduce yourself and talk about your role as VP at IGSA?
My name is Mark Pace. I’m currently the VP of the International Gaming Standards Association, as well as the Managing Director of GSA Europe, which is our European office. I’ve been in the gaming industry for over 30 years. Over that time, I’ve worked for one of the largest gaming operators, where I was part of opening 13 land-based casinos, worked at a leading gaming device manufacturer, and ran technical operations for land-based casino, online, and lottery for one of the largest suppliers in the world. I have been involved in IGSA for over 15 years, representing each of those companies at the association and was the association’s Treasurer and Vice Chairman of the Board. Most of my gaming career has been focused on technology, innovation, and implementation—which in a highly regulated industry means lots of interaction with regulatory authorities. For that reason, I’ve been immersed in the regulatory affairs sphere for most of my time in gaming.
Could you provide an overview of the mission and objectives of the International Gaming Standards Association (IGSA)?
IGSA is a non-profit trade association that is focused on developing Standards to help benefit the gaming industry. We do this by partnering with regulators and legislators, whom we refer to as the Policy Domain, to understand what challenges they face as technological innovations occur and the gaming industry continues to evolve. We also partner with gaming suppliers and operators, whom we call the Industry Domain, to likewise understand the obstacles they face as they seek to innovate in the gaming space. Working with those two Domains, we identify areas where either Technical Standards or Best Practices can help solve issues, eliminate barriers to entry, drive efficiencies, improve security, and increase data transparency. Our goal is to empower regulators to provide better oversight through Standards and Best Practices, ensuring that gaming remains fair, free of crime, and is conducted with a high degree of integrity.
With the increasing concern over cybersecurity in the gaming industry, what measures and standards does IGSA promote to enhance security in gaming systems?
One of the first Standards IGSA created was a communication protocol between land-based gaming devices and casino management systems (CMS). This protocol, which we call the Game to System or G2S protocol, was designed to replace all of the antiquated serial-based protocols that were being used, which had little to no security capabilities. G2S was unique in that it was the first ethernet-based protocol, and that allowed gaming devices to send encrypted and secure data directly to the CMS. All of the other protocols required the use of additional hardware, commonly referred to as Slot Machine Interface Boards or SMIBs. This emphasis on security and encryption was also implemented in the Third-Party Gaming Interface (TPI), a Standard developed to replace the myriad proprietary APIs used to allow communication between the various components of an online gaming system.
Most recently, IGSA announced the creation of a Cybersecurity Resiliency Committee (CRC) to directly tackle the cybersecurity issues the industry is facing. IGSA started working on establishing this committee late last year and even hosted a webinar seeking to educate the gaming industry on the need for a more dynamic and ongoing cyber risk assessment process. With the recent events, cybersecurity has come into sharp focus, and through the CRC, IGSA will be working on creating a set of Best Practices which can be used by both the Policy and Industry Domains to ensure that appropriate processes are in place to protect against cyber threats.
How does IGSA address data privacy and the protection of players’ personal information in the gaming ecosystem?
We have been advocating for processes that limit the amount of Personally Identifiable Information (PII) that is collected in the industry for a number of years. Our focus has been more on the gaming employee information, however, and not so much on player data. Players, one might argue, have a choice whether to provide their PII in return for which they have their play tracked and earn loyalty points and rewards. Gaming industry employees, however, have no choice but to provide their PII if they wish to obtain the appropriate license required to work. While many employees only get licensed in one gaming jurisdiction, there are substantial numbers of supplier and operator employees that have to be licensed in multiple jurisdictions.
Having worked at a gaming supplier, and based on the level of responsibility I had, the Compliance department at my company would submit the required information to ensure that I had the appropriate license to perform my responsibilities in the various jurisdictions. I can’t tell you how many different jurisdictions in which I’ve been licensed, and it’s scary to think of how many copies of my PII are out there! I ask regulatory authorities this question: “How many times do I need to have my background checked, and have to go through thorough investigations, before I’m finally deemed to be fully vetted?” Especially when many jurisdictions rely on the same small number of third-party firms to perform this work!
IGSA has been advocating for a system whereby an individual goes through one such full-fledged background check and investigation once. If the individual is found suitable to work in the gaming industry, then they should receive some sort of a digital ID that indicates they have passed. We realize that some jurisdictions want to collect some personal information that others do not, and in the process that we recommend, there is room for that. Our recommended process would, however, limit the bulk of a person’s PII to be shared only once, greatly reducing the risk of identity theft due to data breaches.
AI is becoming increasingly important in the gaming industry. How is IGSA addressing the integration of AI into gaming standards?
AI is being used across so many different industries and is still such an evolving field that attempting to develop technical Standards is too premature. Instead, IGSA is focusing on how AI should be used and what data should be made available to it. To that end, a few months ago, IGSA created the Ethical AI Committee, comprised of engineers, businesspeople, academics, and former regulators, working to create a set of Best Practices to help guide the industry on AI’s use. The committee is focusing on ensuring that while allowing for innovation, AI is not used to harm humans—be they consumers of gaming activities or employees of gaming companies. The Best Practices will set guidelines for the disclosure of the intent of an AI algorithm, the ongoing auditing of algorithms as they learn and evolve, the disclosure of any unintended outcomes, and the data that will be made available to algorithms, in addition to other actions designed to ensure AI is appropriately implemented in the industry.
Responsible gaming is a critical aspect of the industry. How does IGSA’s work promote responsible gaming practices and standards?
IGSA has been working on solutions to improve Responsible / Safer Gaming and to further Harm Minimization for vulnerable individuals for some time. We advocate for the implementation of centralized exclusion schemes and have developed the Player User Interface (PUI) Standard to deliver messages to the main display on a land-based gaming device. Recently, IGSA established the Responsible Gaming Committee (RGC), which is working on a Responsible Gaming Maturity Matrix (RGMM) based approach to help regulators implement practical, effective, solutions to help protect vulnerable players. The RGMM will provide a set of Best Practices which can be implemented in stages.
IGSA has also been advocating for the use of centralized limits schemes (CLS) to better protect vulnerable players. Today’s operator-level limits schemes require players to set limits with each different land-based establishment and each different online gaming site. In jurisdictions where limits setting is required, this per-operator approach is frustrating and confusing. In jurisdictions where it is optional, many players don’t set them. Regardless of whether they are mandated or not, there is no way to ensure that players have set the same limits consistently across the many different sites they frequent. On top of that, each operator is only aware of the activity occurring at or on their site.
IGSA’s recommended solution anonymizes both the player and operator, provides for the players to set a single set of Limits at one centralized site, and requires operators’ systems to download the player’s Limits balances when they start a gaming session. Activity at the site is tracked against the Limits set by the player. If a Limit is met or exceeded, the required action, such as an email, SMS, cool-down-period, etc. is executed by the operator’s system. The CLS is updated when this happens. When a player ends their gaming session, the operator’s system uploads the player’s Limits balances to the CLS so that they are updated. This scheme makes it easy for players to set limits, eliminates loopholes due to play across multiple operators’ sites, and truly protects vulnerable players. The Limits can be based on means or affordability testing, they can be mandated levels, or they can be entirely up to the player to determine. We believe that jurisdictions looking to truly protect vulnerable players would do well to implement both centralized exclusion and limits systems.