In-App Purchases, Virtual Currencies & CRA in Games

In-app purchases (IAPs) and virtual currencies are common monetization methods in games. If your game includes these, the EU Cyber Resilience Act (CRA) brings specific cybersecurity considerations to the forefront, especially concerning the protection of financial transactions and related data.

Financial Transactions and Security

While the CRA is a horizontal regulation and does not specifically detail payment processing security (which often falls under other regulations, such as PSD2 for payment service providers), its essential cybersecurity requirements have direct relevance. Your game, as a "product with digital elements" (PDE) (Article 3, Point 1), must:

  • Protect Confidentiality of Data: This includes any data related to IAPs, such as transaction details or linked payment information that your game might handle or transmit, even if it's just to a third-party payment processor (Annex I, Part I, Point 2e). Encryption of data in transit and at rest is key.
  • Protect Integrity of Data: Ensure that transaction data, virtual currency balances, and item inventories cannot be illicitly manipulated (Annex I, Part I, Point 2f).
  • Ensure Availability: While not directly about financial loss, denial of service attacks could prevent legitimate purchases or access to purchased goods, impacting user experience and trust (Annex I, Part I, Point 2h).
  • Protect from Unauthorized Access: Your systems should prevent unauthorized access to accounts, which could lead to fraudulent purchases or theft of virtual goods (Annex I, Part I, Point 2d).

Due Diligence with Payment Processors

Most games use third-party payment processors. You are still responsible for exercising due diligence in selecting and integrating these services (Article 13, Paragraph 5). Ensure the integration is secure and that your game itself does not introduce vulnerabilities that could compromise the payment process or user data handled by your game client before it reaches the payment provider.

Virtual Currency Security

If your game uses virtual currencies:

  • Secure Balances: Implement robust measures to prevent unauthorized modification of currency balances.
  • Prevent Exploits: Design systems to prevent exploits that could lead to infinite currency generation or theft between accounts. This ties into ensuring your product is free of known exploitable vulnerabilities when placed on the market (Annex I, Part I, Point 2a).
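The confidentiality, integrity and unauthorized-access points above, and the balance and exploit points in this list, all come down to one design decision: the server, not the client, owns every balance and every transaction. The following ledger is an added illustration of that design and is not code from the page or from any particular game or store SDK. It assumes (hypothetically) that store receipts reach the server as dicts carrying an HMAC signature that the server can verify with a shared key (a stand-in for a real store's receipt verification), that receipt ids are unique, and that all mutations run under one lock so that a balance check and the write that follows it are atomic.

```python
"""Server-authoritative virtual-currency ledger (added illustration).

Assumptions, not taken from the page: the game server owns all balances;
store receipts arrive as dicts signed with an HMAC key shared with the
receipt issuer (a stand-in for a real store's signature check); every
mutation runs under a single lock so checks and writes are atomic.
"""
import hashlib
import hmac
import threading
from dataclasses import dataclass, field


class LedgerError(Exception):
    """Raised when a mutation would violate integrity or authorization."""


def receipt_signature(key: bytes, receipt_id: str, account: str, amount: int) -> str:
    # Canonical message so signer and verifier agree byte-for-byte.
    msg = f"{receipt_id}|{account}|{amount}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


@dataclass
class Ledger:
    key: bytes
    balances: dict = field(default_factory=dict)
    seen_receipts: set = field(default_factory=set)
    journal: list = field(default_factory=list)  # append-only audit trail
    _lock: threading.Lock = field(default_factory=threading.Lock, repr=False)

    def balance(self, account: str) -> int:
        return self.balances.get(account, 0)

    def grant_purchase(self, receipt: dict) -> int:
        """Credit currency for a store receipt; a replayed receipt is rejected."""
        rid, acct, amt = receipt["id"], receipt["account"], int(receipt["amount"])
        expected = receipt_signature(self.key, rid, acct, amt)
        # Tampering with id, account or amount invalidates the signature.
        if not hmac.compare_digest(expected, receipt.get("sig", "")):
            raise LedgerError("receipt signature mismatch")
        if amt <= 0:
            raise LedgerError("grant amount must be positive")
        with self._lock:
            if rid in self.seen_receipts:
                raise LedgerError("receipt already redeemed")
            self.seen_receipts.add(rid)
            self.balances[acct] = self.balance(acct) + amt
            self.journal.append(("grant", acct, amt, rid))
            return self.balances[acct]

    def debit(self, account: str, amount: int, reason: str) -> int:
        """Spend currency; overspend and non-positive amounts are refused."""
        if amount <= 0:
            raise LedgerError("debit amount must be positive")
        with self._lock:
            if self.balance(account) < amount:
                raise LedgerError("insufficient balance")
            self.balances[account] -= amount
            self.journal.append(("debit", account, amount, reason))
            return self.balances[account]

    def transfer(self, actor: str, src: str, dst: str, amount: int) -> tuple:
        """Move currency between accounts; only the source owner may initiate."""
        if actor != src:
            raise LedgerError("actor does not own source account")
        if src == dst or amount <= 0:
            raise LedgerError("invalid transfer")
        with self._lock:
            if self.balance(src) < amount:
                raise LedgerError("insufficient balance")
            self.balances[src] -= amount
            self.balances[dst] = self.balance(dst) + amount
            self.journal.append(("transfer", src, dst, amount))
            return self.balances[src], self.balances[dst]


def demo() -> dict:
    """Run the ledger over constructed sample inputs; returns final balances."""
    key = b"constructed-demo-key"  # placeholder, not a real secret
    ledger = Ledger(key)
    receipt = {"id": "r-001", "account": "alice", "amount": 500}
    receipt["sig"] = receipt_signature(key, "r-001", "alice", 500)
    ledger.grant_purchase(receipt)
    try:
        ledger.grant_purchase(receipt)  # replay must not grant another 500
    except LedgerError:
        pass
    ledger.debit("alice", 120, "sword")
    ledger.transfer("alice", "alice", "bob", 80)
    return dict(ledger.balances)


if __name__ == "__main__":
    print(demo())
```

Each of the three failure modes the page names maps to one check: a replayed or altered receipt cannot inflate a balance (signature check plus the seen-receipt set), a client cannot spend more than it holds or spend a negative amount (the guarded debit), and an account cannot drain another (the actor-owns-source check in transfer). The journal gives the audit trail you would want when investigating a suspected fraud.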

Key Takeaway

For games with IAPs or virtual currencies, the CRA's essential requirements for data confidentiality, integrity, and protection against unauthorized access are critical. Robust security for these systems protects your players and your business. Due diligence on any third-party payment services is also essential.