How to Audit Gaming Machine Performance to Catch Security Problems Early
A security problem on a gaming machine that is detected early — within the first days of the compromise — costs a fraction of what the same problem costs if detected months later. Early detection requires a performance auditing process that compares each machine’s current operational metrics against its historical baseline at a regular interval. This article describes a machine performance audit that catches security problems early, using metrics that every venue can collect without specialized equipment.
Audit Metric 1: Revenue Per Play
Revenue per play is the machine’s total revenue divided by the total number of plays during the audit period. This metric normalizes for changes in machine usage — a machine that earns less because fewer people are playing it (an operational issue) has normal revenue per play but low total revenue. A machine that earns less because each play generates less revenue (a security issue) has abnormally low revenue per play.
Calculate revenue per play weekly for each machine. Compare against the machine’s 12-week rolling average. A revenue-per-play drop of more than 15% from the rolling average is a security alert. The drop indicates that something is reducing the revenue extracted from each play — the machine is paying out more frequently (unauthorized payout manipulation), the credit counter is not incrementing correctly (unauthorized credit manipulation), or the machine is spending more cycles on non-revenue activity (interference causing processing delays). Diagnose the machine using external inspection and bus monitoring methods.
Audit Metric 2: Payout Ratio
Payout ratio is the total value paid out divided by the total value paid in during the audit period. A normal payout ratio for an amusement gaming machine is 0 (no payout — the machine is for entertainment only), for prize machines it’s 0.4-0.6, and for ticket redemption machines it’s 0.2-0.4 — but these values depend on the machine model and configuration. Calculate the specific normal payout ratio for each machine model in your venue using 12 weeks of historical data.
An abnormal payout ratio — significantly above the machine’s historical average — indicates unauthorized payout manipulation. The machine is paying out more than it should per the machine’s programmed win table. The extra payouts are triggered by an external signal that activates the payout mechanism without a legitimate win. Audit the payout ratio weekly. If the ratio exceeds the machine’s historical average by more than 20% for two consecutive weeks, the machine is suspect. Diagnose immediately.
Audit Metric 3: Credit-to-Coin Ratio
The machine’s credit counter increments when coins are inserted. Under normal operation, each increment corresponds to one coin event. Under manipulation, the credit counter increments without a corresponding coin event — the attacker’s signal adds credits directly. The credit-to-coin ratio measures how many credit increments occur per coin event. Under normal operation, the ratio is near 1.0 (one increment per coin). Under credit manipulation, the ratio exceeds 1.0 because credits are being added without coins.
Calculate the ratio by comparing the machine’s coin counter (physical coins received) against the credit counter (credits registered by the machine). The coin counter is a mechanical counter inside the coin acceptor — it increments when a physical coin passes through the acceptor. The credit counter is part of the machine’s software — it increments when the machine’s processor receives a coin-event signal. Under manipulation, the credit counter exceeds the coin counter. If the ratio exceeds 1.05 (the credit counter is more than 5% higher than the coin counter), credits are being added without coins. This is diagnostic for credit manipulation.
Audit Metric 4: Error Rate Trend
The machine’s communication bus error rate normally fluctuates within a narrow band (+/- 5 errors per hour from the average). A sustained upward trend in the error rate — increasing by 5-10 errors per hour each week for three or more weeks — indicates progressive degradation: a filter that is aging, a cable that is developing contact resistance, or an environmental RF source that is increasing in power. The trend is visible in the weekly audit weeks before the error rate reaches the threshold that triggers the machine’s diagnostic flag.
Track the error rate trend by recording the weekly average error rate for each machine. Plot the trend on a chart. An upward trend that begins on a specific date and continues is diagnostic for a new interference source that began on that date. A flat trend with a sudden step increase on a specific date is diagnostic for a compromise device that was installed on that date. A flat trend with no changes indicates a stable machine. The trend tells you the nature of the problem — gradual from environmental causes, sudden from deliberate installation.
Building the Weekly Audit Into the Venue’s Existing Workflow
The weekly audit does not require adding a new staff role or purchasing software. The metrics (revenue per play, payout ratio, credit-to-coin ratio, error rate) are already recorded by the machine’s internal counters and accessible through the service menu. The audit process is: at a scheduled time each week, the designated staff member accesses the service menu of each machine and reads the four metric counters. The values are recorded in a spreadsheet. The spreadsheet calculates the ratios automatically using formulas. The operator reviews the spreadsheet and flags any machine whose metric exceeds the threshold. Total time: 2-3 minutes per machine per week, plus 10 minutes for the operator’s review. For a 20-machine venue: 50-70 minutes per week total. The ROI is the revenue recovered from compromises detected early.
Frequently Asked Questions
Q: What is the minimum number of machines needed to make weekly auditing worthwhile?
A: The auditing process works with a single machine because the comparison is against the machine’s historical baseline, not against other machines. However, with 1-3 machines, the time investment per machine is low and the early detection benefit is the same.
Q: Can the audit be automated?
A: Machines with a digital audit data export (USB, network, or remote access) can be audited automatically by software that reads the counters and applies the threshold rules. Machines without digital export require manual counter reading through the service menu, which is the process described in this article.
Q: What should I do when the audit identifies a suspect machine?
A: Immediately perform external inspection on the machine (port condition, cable routing, physical tampering signs). If external inspection finds no indicators, install a temporary RF filter for one week and re-audit. If the metrics return to normal, the interference was RF-based and the permanent filter solves the problem. If the metrics remain abnormal, escalate to internal machine inspection by a technician.