BETTING & CASINO INDUSTRY

Security for iGaming

We help iGaming operators, online casinos, sportsbooks, and betting platforms defend against payment fraud, account-takeover attacks, bonus abuse, and API exploitation with security testing aligned with ONJN, MGA, UKGC, and PCI DSS requirements. The house should always win, never the attacker.

Industry snapshot

A distinctive risk profile

The house should always win — never the attacker. iGaming platforms combine regulated gambling, high-volume payments, and complex bonus economies, making them one of the most aggressively targeted verticals online.

40+ regulators: ONJN · MGA · UKGC · GGL · ADM · KSA · more
PCI payment scope: deposits · withdrawals · cashier
Bonus fraud economy: hunters · farms · abuse
API as primary attack surface: REST · GraphQL · mobile
Compliance

Regulatory Frameworks

Every engagement is mapped to the frameworks that matter most in this industry — so each finding directly supports your compliance posture.

ONJN (Romania)
OUG 77/2009 and OUG 82/2023 require licensed-lab certification (RNG + system audit) before launch and periodic technical re-audits, including penetration testing and security-control verification
MGA (Malta)
Gaming Authorizations and Compliance Directive mandates annual system audits, independent penetration testing of critical platform components, and ISO/IEC 27001-aligned controls for B2C and B2B licensees
UKGC (United Kingdom)
Remote Gambling and Software Technical Standards (RTS) + security-audit requirements mandate independent security testing and an annual security assessment of remote technical equipment
Gibraltar Gambling Commissioner
Gambling Act 2005 + Code of Practice: license conditions require independent testing of gaming systems and periodic security audits
Isle of Man GSC
Online Gambling Regulation Act 2001 and supporting Regulations: technical compliance audits and security reviews are required at licensing and on an ongoing basis
Alderney AGCC
AGCC Regulations and Technical Standards: independent system and security testing is a condition of Category 1 and Category 2 licenses
Sweden Spelinspektionen
Spellagen (SFS 2018:1138) and SIFS technical regulations require independent system certification and periodic security testing by accredited labs
Denmark Spillemyndigheden
Executive Orders on Online Casino / Betting: certification and annual security audits including penetration testing are mandatory for licensees
Germany GGL
GlüStV 2021 (Interstate Gambling Treaty) + Technical Guidelines require pre-launch certification, monitoring via OASIS/LUGAS, and independent IT-security audits including penetration testing
France ANJ
Décret 2019-1061 and ANJ technical decisions require pre-launch certification of software and infrastructure and periodic security-compliance audits
Spain DGOJ
Real Decreto 1614/2011 and Resolución General Ordenación del Juego: technical, operational and security audits including penetration testing are part of the licensing regime
Italy ADM
Concessioni requirements: annual penetration testing and technical audits of the gaming platform are mandatory, with evidence submitted to the regulator
Netherlands KSA
Remote Gambling Act (Koa) and Regulations: licensees must undergo initial certification and annual independent security audits including penetration testing
Belgium Gaming Commission
Gaming Act 1999 + Royal Decrees: technical and security audits are required at licensing and renewal for classes A, A+, B, B+, F1 and F1+
Portugal SRIJ
Decreto-Lei n.º 66/2015: mandatory pre-launch certification and ongoing compliance audits including technical and security testing
Greece HGC
Law 4002/2011 as amended + HGC Technical Regulations: independent laboratory certification and security audits are required for each licensed vertical
Czech Republic MF
Act No. 186/2016 Coll. (Gambling Act): technical certification by an authorized testing body and ongoing security compliance are required
Bulgaria State Commission on Gambling
Gambling Act and NRA Technical Requirements: licensed-lab technical certification and security audits are mandatory
USA state regulators
NJ DGE, PA PGCB, NV NGCB (Reg 14), MI MGCB, WV LC, CO DOR, IN IGC, IA IRGC, VA OLR, OH, CT, MA, NY, LA, KS, AZ, AR, MD, MS, ME, WY, TN: all require independent lab testing (GLI/BMM) plus periodic penetration testing and technical audits of the gaming platform
Canada iGaming Ontario
Registrar's Standards for Internet Gaming require an annual penetration test, a yearly IT-security audit, and independent game/system certification before go-live
Canada
AGCO, BCLC, AGLC, Loto-Québec, SaskGaming, Atlantic Lottery: provincial operator standards require independent lab certification and regular security testing
Brazil SPA / Ministry of Finance
Law 14.790/2023 and SPA/MF Portarias (2024–2025) require pre-launch certification by accredited labs and annual security and penetration testing of the betting platform
Colombia Coljuegos
Law 643/2001 and Decree 1451/2015: licensees must undergo technical certification and annual technology-audit including security testing
Peru MINCETUR
Law 31557 (effective 2024) and its Regulations require independent technical certification, annual audits, and security testing before and during operation
Argentina
LOTBA (CABA) and IPLyC (provinces) require lab certification and periodic technical/security audits for each licensed operator
Philippines PAGCOR
E-Gaming Regulatory Framework requires independent lab certification (GLI or equivalent), annual system-security reviews and penetration testing
Singapore GRA
Gambling Control Act 2022, Casino Control Act and Technical Standards: mandatory system certification and periodic security audits including penetration testing
Japan
Integrated Resorts Implementation Act 2018 and CRC rules require security assessments, intrusion testing and periodic technical audits of casino management and monitoring systems
Australia state regulators
VGCCC (VIC), L&GNSW / ILGA, OLGR Queensland, GWC Western Australia, SA CBS, ACT GRC and Liquor & Gaming Tasmania: each requires technical standards compliance, lab certification and, for online verticals, periodic security and penetration testing
India
Sikkim Online Gaming Act 2008 and Nagaland Online Games of Skill Act 2015 require independent lab certification and technical/security audits for licensed operators
South Africa
National Gambling Act 7 of 2004 and provincial gambling boards (WCGRB, GGB, ECGBB, KZNGBB): licensees must pass technical certification and ongoing security audits for interactive and casino products
UAE GCGRA
General Commercial Gaming Regulatory Authority (est. 2023) Technical Standards require pre-launch certification, annual penetration testing and IT-security audits
Curaçao Gaming Authority (CGA)
The new Landsverordening op de Kansspelen (LOK 2024) replaces the old master-license model and requires licensees to demonstrate independent security testing and ongoing technical audits
Kahnawake Gaming Commission
Regulations require independent testing of gaming systems and periodic security audits by accredited labs
GLI standards
GLI-11 (Casino gaming devices), GLI-19 (Interactive gaming systems), GLI-33 (Event wagering) and GLI-GS4 (Security controls) define the technical and security tests labs must run to certify an operator
WLA Security Control Standard
Certification required of World Lottery Association members mandates penetration testing, vulnerability management and an ISO/IEC 27001-aligned ISMS
ISO/IEC 27001:2022
Certification requires periodic vulnerability assessments and penetration testing as part of control A.8.8 (management of technical vulnerabilities) and A.8.29 (security testing in development)
SOC 2 Type II
Trust Services Criteria CC7.1–CC7.2 require vulnerability scanning and penetration testing to evidence security-monitoring controls during the audit period
PCI DSS v4.0
Requirements 11.3 and 11.4 mandate internal and external penetration testing at least annually and after any significant change across the deposit, withdrawal, cashier and voucher flows
GDPR Article 32
Requires a process for regular testing, assessing and evaluating the effectiveness of technical and organizational measures — independent penetration testing is the industry-accepted means of evidencing compliance
Methodology

Testing methodology

A tested, repeatable approach covering every layer of the modern environment relevant to this industry.

01 · PHASE

Account takeover simulation

Credential stuffing, MFA bypass, password reset flaws, and session hijacking against player accounts.

02 · PHASE

Bonus abuse & promo fraud testing

Bonus-hunting techniques, wagering-requirement bypass, account-farm detection, and linked-account analysis.

03 · PHASE

Payment fraud and cash-out testing

Deposit manipulation, withdrawal abuse, chargeback flows, and KYC-spoofing resilience.

04 · PHASE

Game & RNG integrity review

In-play manipulation attempts, bet settlement bypass, and RTP-affecting bugs in game logic and bet-placement APIs.

05 · PHASE

API & mobile app testing

REST/GraphQL betting APIs, deep link abuse, runtime tampering, and anti-tamper evaluation of iOS/Android apps.

06 · PHASE

Anti-cheat and bot protection assessment

Scripted client detection, rate limit resilience, and anomaly-detection validation on high-volume endpoints.

Threat landscape

Threats facing this sector today

Every security engagement is scoped based on the attack patterns that actually hit this sector — not a generic checklist.

Account takeover

Credential stuffing, MFA bypass, and SIM swap attacks against player accounts with cashable balances.
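Credential stuffing leaves a recognisable footprint in authentication logs: one source tries many distinct usernames with a high failure ratio in a short span, and an occasional success marks an account that is now at risk. The following detection logic is an added example, not code from the original page or from any vendor it mentions. The log line format, the window size and the thresholds are assumptions, and the log lines themselves are constructed sample data.

```python
"""Credential-stuffing indicator over authentication log lines.

Added example (not from the original page): flags source IPs that
attempt many distinct usernames with a high failure ratio inside a
sliding time window. Log format and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Assumed log format: "<iso-timestamp> auth <ok|fail> user=<name> ip=<addr>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>ok|fail) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

# Constructed sample log: one ordinary player who mistypes once, and one
# source address spraying passwords across several accounts.
SAMPLE_LOG = """\
2024-05-01T10:00:00 auth fail user=alice ip=203.0.113.10
2024-05-01T10:00:07 auth ok user=alice ip=203.0.113.10
2024-05-01T10:00:01 auth fail user=bob ip=198.51.100.7
2024-05-01T10:00:02 auth fail user=carol ip=198.51.100.7
2024-05-01T10:00:03 auth fail user=dave ip=198.51.100.7
2024-05-01T10:00:04 auth fail user=erin ip=198.51.100.7
2024-05-01T10:00:05 auth ok user=frank ip=198.51.100.7
2024-05-01T10:00:06 auth fail user=grace ip=198.51.100.7
"""


def parse(log: str):
    """Yield (timestamp, result, user, ip) for every well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"])


def stuffing_suspects(log: str, window=timedelta(minutes=5),
                      min_users=5, min_fail_ratio=0.6) -> dict:
    """Return {ip: (distinct_users, fail_ratio)} for each source IP that,
    within any window-sized span of its own events, touched at least
    min_users distinct usernames with a failure ratio >= min_fail_ratio.
    """
    events = defaultdict(list)
    for ts, result, user, ip in parse(log):
        events[ip].append((ts, result, user))

    suspects = {}
    for ip, evs in events.items():
        evs.sort()                      # sliding window needs time order
        start = 0
        for end in range(len(evs)):
            # Advance the window start until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {u for _, _, u in span}
            fails = sum(1 for _, r, _ in span if r == "fail")
            ratio = fails / len(span)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                # Keep the widest qualifying window seen for this IP.
                suspects[ip] = (len(users), ratio)
    return suspects


def compromised_accounts(log: str, suspects: dict) -> set:
    """Usernames that logged in successfully from a flagged IP: the
    accounts a responder should lock or step-up first."""
    return {user for _, result, user, ip in parse(log)
            if ip in suspects and result == "ok"}


if __name__ == "__main__":
    flagged = stuffing_suspects(SAMPLE_LOG)
    for ip, (n_users, ratio) in flagged.items():
        print(f"{ip}: {n_users} usernames, fail ratio {ratio:.2f}")
    print("accounts to lock:", sorted(compromised_accounts(SAMPLE_LOG, flagged)))
```

Per-IP thresholds are only the first layer; stuffing tools rotate through proxy pools, so the same counting is worth repeating keyed on device fingerprint, ASN, or the username set itself (many failures for one username from many IPs). The `compromised_accounts` output is the list that matters operationally: those are the player balances a session-revoke and forced step-up should protect straight away.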

Bonus abuse & account farms

Industrial-scale bonus hunting, multi-account farms, and wagering-requirement bypass eroding promo margins.

Payment fraud & chargebacks

Deposit manipulation, stolen-card abuse, and chargeback cycles targeting cashier and withdrawal flows.

API abuse and bet manipulation

BOLA, rate limit bypass, and business-logic flaws in betting APIs that allow bet settlement tricks or in-play exploitation.
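BOLA in a betting API usually means a settlement or cash-out endpoint that looks a bet up by the id the client supplies and never checks who owns it, often combined with trusting outcome or payout fields from the request. The handlers below are an added example, not code from the original page or any vendor it describes: a deliberately vulnerable settlement function beside the hardened one, with the ownership check, server-side outcome lookup, server-side payout calculation and idempotent settlement a reviewer would expect. The bets, players, odds and results are constructed sample data; the request shape is an assumption.

```python
"""Bet settlement: BOLA-vulnerable handler beside the hardened version.

Added example (not from the original page). State is held in a Book so
each scenario starts from fresh constructed data.
"""
from dataclasses import dataclass, field
from decimal import Decimal


@dataclass
class Bet:
    bet_id: int
    owner_id: int
    stake: Decimal
    odds: Decimal            # decimal odds fixed at placement time
    status: str = "open"     # open | won | lost


@dataclass
class Book:
    bets: dict = field(default_factory=dict)       # bet_id -> Bet
    wallets: dict = field(default_factory=dict)    # player_id -> balance
    results: dict = field(default_factory=dict)    # bet_id -> authoritative outcome


def sample_book() -> Book:
    """Constructed sample state: two players with one open bet each."""
    return Book(
        bets={
            101: Bet(101, owner_id=1, stake=Decimal("10"), odds=Decimal("2.5")),
            102: Bet(102, owner_id=2, stake=Decimal("50"), odds=Decimal("1.8")),
        },
        wallets={1: Decimal("0"), 2: Decimal("0")},
        results={101: "won", 102: "lost"},   # from the settlement service, not the client
    )


class Forbidden(Exception):
    """Raised for a bet the caller does not own (or that does not exist)."""


def settle_vulnerable(book: Book, caller_id: int, request: dict) -> Decimal:
    """The finding: no ownership check, and outcome/payout come from the request."""
    bet = book.bets[request["bet_id"]]             # any bet id is accepted
    bet.status = request["outcome"]                # client decides the result
    payout = Decimal(str(request["payout"]))       # client decides the amount
    book.wallets[bet.owner_id] += payout
    return payout


def settle_hardened(book: Book, caller_id: int, request: dict) -> Decimal:
    """Object-level authorization plus server-side outcome and payout."""
    bet = book.bets.get(request["bet_id"])
    # Same response for "missing" and "not yours": no id enumeration signal.
    if bet is None or bet.owner_id != caller_id:
        raise Forbidden("bet not found")
    # Idempotent: a bet already settled pays nothing a second time.
    if bet.status != "open":
        return Decimal("0")
    outcome = book.results[bet.bet_id]             # never read from the request
    bet.status = outcome
    payout = bet.stake * bet.odds if outcome == "won" else Decimal("0")
    book.wallets[bet.owner_id] += payout
    return payout


if __name__ == "__main__":
    book = sample_book()
    print("player 1 settles own won bet:", settle_hardened(book, 1, {"bet_id": 101}))
    print("replayed settlement pays:", settle_hardened(book, 1, {"bet_id": 101}))
    try:
        settle_hardened(book, 2, {"bet_id": 101})
    except Forbidden as e:
        print("player 2 on player 1's bet:", e)
```

The assertions a pentest finding on this endpoint would turn into are the ones in the test: a foreign bet id is rejected, a replayed settlement pays zero, and the payout is derived from stake and odds recorded at placement rather than from anything in the request. The vulnerable handler is kept only to make the contrast explicit; in a real code base the ownership check belongs in a shared lookup helper so that every bet endpoint, not just settlement, goes through it.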

Bot and scripted client abuse

Automated clients exploiting latency, odds movement, or VIP bonus flows to extract value at scale.

Regulatory and compliance exposure

KYC, AML, self exclusion, and responsible-gaming control failures that trigger fines and license reviews.

Ready to keep the house winning?

Talk to our team about a security assessment tailored to the unique risk profile of your organization.

Request a Security Assessment