Casinos entice patrons to sign up for their player tracking or rewards programs in efforts to accumulate a database of statistics and contact information. In exchange for their disclosure of personally identifying information, patrons are rewarded with the ability to earn credits while playing at their favorite casinos and receive offers, comps and services made available to members only.
Although patrons can sign up for rewards programs online, they traditionally are required to physically appear at a casino for age and identification verification in order to obtain an actual player’s card.
Frequently, casinos will collect the same type of data from patrons who wish to sign up for a rewards program. At the most basic level, all identifying information found on a driver’s license is recorded into a player tracking system, including name, address, date of birth and gender. Casinos will then attempt to record as many methods of contact as possible in order to ensure effective communication with the patron, including phone numbers and email addresses.
During the initial sign-up process and upon verifying patron identification, self-exclusion lists or other casino-specific exclusion lists are checked. If an individual appears on such a list, an account will not (or should not) be established. Verification of identity is a critical step to creating an account; disciplinary actions stemming from marketing to self-excluded persons are common, and the accompanying penalties can be severe.
A Social Security number is not required to obtain a player’s card. However, if through slot play, a patron wins a jackpot of $1,200 or more and a Form W-2G is required, a patron must provide his or her Social Security number, which will be retained in the patron’s player tracking account from that point forward. Further, if a patron requests credit from a casino, additional information on the patron and his or her bank account information will be requested and retained in the patron’s account (along with the patron having to undergo a credit check).
Beyond the basic identifying and contact information, player-tracking databases may be augmented with information cultivated from a casino’s relationship with its patrons. For example, if spouses sign up for player’s cards at the same time, their marital status will be noted and the accounts will be linked to one another.
Over time, details that a casino garners from a patron’s actions and preferences will be added to an account. If a patron visits a hotel that adjoins a casino and on each visit requests chocolate chip cookies in his room, that preference will be noted in his account. Alternatively, if multiple offers are sent to a patron for a game-day watch party and the patron never attends, a non-preference for sports may be noted. Favorite teams, foods, beverages, activities, people one normally travels with—all of these details will be added to a patron’s account. This information enables a casino to effectively and efficiently market to its patrons.
Ultimately, it is imperative for a casino to ensure that its patron information is protected—not only from third parties, but also from competitors. It is rare to hear of casino patron information being compromised via a system breach. Regulatory jurisdictions in which casinos operate impose strict standards regarding system security.
As an example, Illinois has adopted some of the strictest standards in the industry. Each casino’s approved internal control system must provide, in part, procedures for limiting access to computer programs and equipment, controlling passwords and segregating access within systems, dictating the complexity and expiration of passwords, and archiving unalterable logs of user access and security incidents.
Additionally, network security must include a strong segregation of gaming-related systems from network segments accessible from the internet, implementing and monitoring an intrusion detection system and anti-virus software, and strict firewall settings. The Illinois Gaming Board only recently allowed remote access to a casino’s systems, with highly detailed approved internal controls and only for limited employees and limited reasons. With strong computer security and limited employees who may access the systems, patron information can be protected from outside influences.
Beyond protecting the security of a computer system, a casino must also be concerned about protecting player information from employees who may take it to a competing casino. Although it is impossible to guard against an unethical employee, casinos require employees to sign non-disclosure agreements and employment agreements that reference the confidentiality of certain information. A recent disciplinary matter revoked the occupational license of an executive host at a casino who obtained internal lists of player names, play totals and account numbers and emailed them to another casino’s marketing director with whom she was interviewing for a new job. The disciplinary matter is still being resolved.
Although most executive hosts tend to accumulate their own “book” of clientele and known contact information, employees who knowingly take personally identifying information or play information that belongs to the casino are subject to disciplinary and employment action.
Overall, patrons balance the benefits of belonging to a player rewards program against the potential dangers that their confidential information will be compromised. Ultimately, they are comforted by security measures taken by casinos and their employees to protect that information.