COAM Gift Card Tampering: How to Protect Your Georgia Operation in 2026

The Georgia COAM industry is under more scrutiny than ever. As the July 1, 2026 deadline under HB 353 draws near, operators are rightly focused on transitioning from cash to compliant gift card payouts. But the shift to gift cards introduces a new security surface area that bad actors are already exploiting.

In early 2026, the Georgia Amusement and Music Operators Association (GAMOA) published alerts in its January and February Georgia Amusement Journal about increased reports of tampering targeting both COAMs and player card/COAM gift cards. And those alerts weren't hypothetical—they arrived alongside a high-profile fraud case that ended with two men facing decades in prison.

The Watts Case: A 20-Year Warning for the Industry

In February 2026, a Columbia County Superior Court judge sentenced two brothers from Sparta, Georgia to 20 years each in prison. Quinton Watts, 27, and Phillip Watts, 31, were convicted on felony charges of lottery ticket fraud, theft by taking, and possession of tools for the commission of a crime.

From June 2021 through September 2024, the brothers systematically manipulated video poker-style COAMs at convenience stores and gas stations across more than a dozen Georgia counties, extracting cash or cash-equivalent value through illicit means. The court ordered them to pay more than $86,000 in restitution to the Georgia Lottery Commission.

The Georgia Bureau of Investigation's Commercial Gambling Unit, which led the investigation, issued a pointed statement: cash payouts from COAMs are illegal in Georgia, and violations will be prosecuted.

While the Watts case involved cash-era machine manipulation, the GAMOA tampering alerts signal that threat actors are already adapting their techniques to target gift cards—the payment method that will define the industry post-July 2026.

Why Gift Cards Create New Security Considerations

Cash has its own security problems—untracked transactions, disputes, employee theft—but it's also self-limiting. You can only steal what's in the drawer. Gift card systems introduce a different set of risks:

• Card skimming – Devices placed on or near kiosks to capture card data
• Card swapping – Substituting a pre-loaded fraudulent card for a legitimate one at the point of dispensing
• Value manipulation – Attempts to exploit software vulnerabilities in loading devices
• Social engineering – Convincing staff to load excessive value or bypass verification steps
• Physical card theft – Stealing unloaded or partially-loaded cards before they reach players

Under HB 353, gift cards loaded for COAM winnings must be loaded on-premises—either by location staff or a self-service kiosk—and can only receive value won through legitimate machine play. These rules create a clear audit trail, but only if operators implement them rigorously.

The Reloadable Card Transition: A New Attack Vector Starting July 1

Here's a detail that often gets missed in HB 353 discussions: starting July 1, 2026, reloadable gift cards become a legal payout method in addition to non-reloadable cards. During the current transition period (May 6, 2024 through June 30, 2026), only non-reloadable gift cards are permitted.

Non-reloadable cards are inherently simpler from a security perspective—they're loaded once and used. Reloadable cards, by contrast, maintain an ongoing value balance that can be topped up. They offer a better player experience, but they require tighter controls:

• Ongoing authentication before adding value
• Clear transaction logs showing each reload event
• Protections against unauthorized reloads by staff or third parties
• Regular reconciliation between machine winnings and card loads

If you plan to offer reloadable cards after July 1, make sure your provider's system has these controls built in—not bolted on.

Physical Security: Protecting Your Kiosk and Location

Whether you use a self-service kiosk or staff-assisted loading, physical security at your location is the first line of defense. Here's what experienced operators are doing:

For Kiosk-Based Operations

• Camera coverage – Ensure your surveillance system captures the kiosk face, card slot, and surrounding area. Footage should be stored for a minimum of 30 days.
• Tamper-evident seals – Inspect kiosk housing regularly for signs of device attachment or physical modification.
• Lighting – Well-lit kiosk areas deter tampering attempts and improve camera effectiveness.
• Regular inspections – Assign a staff member to physically inspect the kiosk at opening and closing. Document each inspection.
• Vendor contact list – Know who to call immediately if you suspect the kiosk has been compromised. Response time matters.

For Staff-Assisted Operations

• Card inventory controls – Track every blank card from receipt to activation. Unexplained inventory shortfalls are a red flag.
• Dual authorization for large payouts – Require a second staff member to verify payouts above a certain threshold.
• Training on social engineering – Thieves often target staff, not systems. Train employees on common manipulation tactics.
• Load logs – Every card load should generate a transaction record tied to a specific machine session. Spot-check these regularly.

Operational Red Flags to Watch For

Some tampering attempts are sophisticated enough to evade casual inspection. Train yourself and your staff to recognize these warning signs:

• A player who wins unusually large amounts in a short period across multiple visits
• Cards being presented for reload with no corresponding machine play records
• Staff reporting pressure from players to skip verification steps
• Unfamiliar devices or attachments on or near machines and kiosks
• Discrepancies between machine revenue data and gift card load totals
• Cards presented at locations other than where the winnings occurred (since under HB 353, loading must happen on-premises)

Any of these should trigger an immediate review of transaction records and a call to your payout provider and, if warranted, the Georgia Lottery Commission.

How HB 353's Digital Trail Actually Protects You

One of the underappreciated benefits of the gift card mandate is that it creates a built-in audit trail that cash never could. Every gift card transaction—loading, reloading, redemption—generates a digital record. For compliant operators using a proper platform, this means:

• Disputes are resolvable – If a player claims they didn't receive their payout, you have records. If a player claims more than they won, you have records.
• Fraud is detectable – Anomalies stand out in transaction data. A sudden spike in load amounts at one location is easy to catch and investigate.
• GLC compliance is demonstrable – If the Georgia Lottery Corporation ever audits your operation, clean transaction records show you're running a tight ship.
• Liability protection – If your operation is targeted by a fraud scheme, transaction logs establish what happened and when, protecting you legally.

This is a fundamental shift from the cash era, where a disputed payout was essentially your word against the player's.

Reporting Tampering: What Operators Should Do

If you discover or suspect tampering with your COAMs or gift card system, here's the chain of action:

1. Preserve evidence – Don't touch or reset anything until you've documented the situation with photos and pulled relevant transaction records.
2. Contact your payout provider – Your gift card provider should have a security contact or incident response process. Use it.
3. Notify the Georgia Lottery Commission – The GLC's COAM Division handles compliance and enforcement. Reporting an incident promptly demonstrates good faith and protects your license.
4. File a report with local law enforcement – Tampering with COAMs is a criminal offense in Georgia, as the Watts case makes abundantly clear.
5. Contact GAMOA – The Georgia Amusement and Music Operators Association tracks industry-wide tampering patterns. Reporting helps protect other operators.

Choosing a Provider With Security in Mind

Not all gift card payout solutions were built with COAM security requirements in mind. As you evaluate providers ahead of the July 1 deadline, ask these specific questions:

• Does the platform maintain a complete, tamper-evident log of every card load and reload?
• Can you run reconciliation reports that match card loads to specific machine sessions?
• Does the provider have a documented incident response process for suspected fraud?
• Are physical kiosks designed to detect and alert on tampering attempts?
• Does the provider have experience with Georgia COAM regulations specifically—not just general gift card processing?

A provider who can't answer these questions confidently is a provider who hasn't thought deeply about the security requirements of this specific industry. For more on evaluating providers, see our complete 2025 provider selection guide.

The Bottom Line

The Watts brothers' 20-year sentences and GAMOA's 2026 tampering alerts are a clear signal: the Georgia COAM industry is under active enforcement scrutiny, and bad actors are already probing the transition to gift card payouts for weaknesses.

The good news is that a properly implemented gift card system—with real transaction logging, reconciliation tools, and physical security measures—is significantly harder to defraud than a cash operation. The digital trail that HB 353 mandates is your protection, not just a compliance burden.

But that protection only works if you implement it correctly. With just three months until the July 1, 2026 deadline, now is the time to audit your current security posture, evaluate your payout provider's capabilities, and make sure your operation is ready—not just compliant, but hardened.