La. Admin. Code tit. 42 § VI-901

Current through Register Vol. 50, No. 11, November 20, 2024
Section VI-901 - Computer Systems and Sports Wagering Platforms
A. Operators shall use a sports wagering platform to offer, conduct, or operate sports wagering in accordance with the Act and regulations set forth by the board.
1. Operators shall comply with, and the division or board adopts and incorporates by reference, the Gaming Laboratories International, LLC Standard, GLI-33: Standards for Event Wagering systems and its Appendices, version 1.1 and any future amendments and updates thereto. The GLI-33 standards are intended to supplement rather than supplant other technical standards and requirements under these rules.
2. A sports wagering platform utilized to conduct sports wagering shall meet the specifications of these rules and any additional technical specifications prescribed by the board or the division. Failure to comply with the approved specifications, internal controls, or technical specifications may be grounds for administrative action by the board.
B. Operators shall submit all equipment and software utilized with the sports wagering platform to a designated gaming laboratory approved by the division for an initial certification to ensure the sports wagering platform is in operational compliance with the Act, these regulations, division technical guidelines, and internal controls. The certification report shall, at a minimum, identify system interfaces of service providers and the applicable methods, programs, protocols and security measures implemented by the operator to ensure compliance.
C. At the discretion of the division, additional testing or re-certification of the entire sports wagering platform may be required and shall be completed by a designated gaming laboratory approved by the division. The licensee or operator shall incur all costs associated with the testing of the sports wagering platform. Failure on the part of the licensee or operator to incur these costs may be grounds for administrative action by the division.
D. Upon placing a sports wager at a cashier or sports wagering mechanism, the player shall receive an unalterable virtual or printed wager record (ticket) which shall contain, at a minimum:
1. name and address of the operator, and licensee if different, issuing the ticket;
2. the date and time the sports wager was placed;
3. the date and time the sports event is expected to occur;
4. any patron choices involved in the sports wager including, but not limited to:
a. sports wager selection(s);
b. type of sports wager and line postings;
c. any special condition(s) applying to the sports wager;
d. pay out, applicable at the time the sports wager is placed;
5. total amount wagered, including any promotional play if applicable;
6. sports event and market identifiers;
7. a barcode or similar symbol or marking as approved by the division, corresponding to the unique wager identifier; and
8. the cashier or self wagering mechanism that generated the ticket.
E. If the sports wagering platform issues and redeems a sports book voucher, the system shall be capable of recording the following information for each voucher:
1. amount of voucher;
2. date, time, and location of issuance;
3. unique voucher identifier used for redemption, at least three digits of which shall be masked on all system menus, printed reports, and displays, except when accessed by users with supervisor or higher authority, for all unredeemed and unexpired vouchers;
4. expiration date of the voucher; and
5. date, time, and location of redemption, if applicable.
F. Sports book vouchers issued by a sports wagering platform shall contain the following information:
1. date, time, and location of issuance;
2. amount of the voucher;
3. unique voucher identifier;
4. expiration date of the voucher;
5. name of permit holder; and
6. an indication that the voucher can only be redeemed in exchange for a sports wager or cash.
G. A sports wagering platform system that offers in-play wagering shall be capable of the following:
1. the accurate and timely update of odds for in-play wagers;
2. the ability to notify the patron of any change in odds after a wager is attempted that is not beneficial to the patron;
3. the ability for the patron to confirm the wager after notification of the odds change; and
4. the ability to freeze or suspend the offering of wagers, when necessary.
H. A sports wagering platform shall be capable of performing the following functions:
1. creating wagers;
2. settling wagers;
3. reprinting tickets;
4. resettling wagers;
5. voiding wagers;
6. cancelling wagers; and
7. preventing the acceptance of wagers on prohibited sports events.
I. When a sports wager is voided or cancelled, the operator shall clearly indicate that the ticket is voided or cancelled, render it nonredeemable, and make an entry in the system indicating the void or cancellation and identity of the cashier or automated process.
J. A sports wagering platform shall prevent past posting of wagers and the cancellation of wagers after the outcome of an event is known.
K. In the event a patron has a pending sports wager and then the licensee or its operator becomes aware of the patron self-excluding, the wager shall be governed in accordance with the Act, these regulations, and internal controls.
L. A sports wagering platform shall, at least once every 24 hours, perform a self-authentication process on all software used to offer, record, and process wagers to ensure there have been no unauthorized modifications. In the event of an authentication failure, the sports wagering platform operator shall notify the appropriate casino licensee employees as provided in the internal controls using an automated process. The licensee shall notify the division of the authentication failure within 24 hours. The results of all self-authentication attempts shall be recorded by the system and maintained for a period of 90 days.
M. A sports wagering platform shall have controls in place to review the accuracy and timeliness of any data feeds used to offer or settle wagers. In the event that an incident or error occurs that results in a loss of communication with data feeds used to offer or redeem wagers, such error shall be recorded in a log capturing the date and time of the error, duration of the error, the nature of the error, and a description of its impact on the system's performance. Such information shall be maintained for a period of two years.
N. The sports wagering platform operator shall provide access to wagering transaction and related data as deemed necessary by the division in a manner approved by the division.
O. A sports wagering platform shall be capable of preventing any wager in excess of $10,000 or making a payout in excess of $10,000 until authorized by a supervisor, unless pre-approved and in accordance with internal controls or house rules.
P. A sports wagering platform shall be capable of recording and storing the following information for each wager made:
1. description of the event;
2. wager selection;
3. type of wager;
4. amount of wager;
5. amount of potential payout or an indication that it is a pari-mutuel wager;
6. date and time of wager;
7. identity of the cashier accepting the wager;
8. unique wager identifier, which shall be masked on all system menus, printed reports, and displays, except when accessed by users with supervisor or higher authority, for all unredeemed and unexpired wagers;
9. expiration date of ticket;
10. patron name, if known;
11. date, time, amount, and description of the settlement;
12. location where the wager was made;
13. location of redemption; and
14. identity of cashier settling the wager if applicable.
Q. For all lost tickets that are redeemed, a sports wagering platform shall record and maintain the following information:
1. date and time of redemption;
2. employee responsible for redeeming the ticket;
3. name of patron redeeming the wager;
4. unique ticket identifier; and
5. location of the redemption.
R. For all sports wagering accounts, a sports wagering platform shall record and maintain the following information:
1. a unique player identification;
2. the player's identity details including, but not limited to: player's legal name; date of birth; and residential address;
3. any self-restrictions;
4. any previous accounts; and
5. the date and location from which the sports wagering account was registered or accessed.
S. Operators shall provide the following information upon demand by the board or division. As appropriate, the information shall include, at a minimum, month to date and year to date:
1. total sports wagering account deposits for the requested period;
2. total sports wagering account withdrawals for the requested period;
3. total sports wagers collected from players; and
4. total winnings paid to players.
T. A sports wagering platform shall be capable of recognizing valid tickets and vouchers that contain a duplicate unique wager identifier used for redemption and require the redemption by a ticket writer.
U. A sports wagering platform shall be capable of preventing the redemption of any vouchers or tickets when the data related to the vouchers or tickets has been manually altered outside of the approved system procedures.
V. All servers necessary for the processing of sports wagers, other than backup servers, shall be physically located in Louisiana, and shall be located in a restricted area with adequate security and surveillance in accordance with internal controls and as approved by the division. Other servers used in the operation of the sports book may be located outside of the state as long as they are not used to process sports wagers. The board may approve of the use of internet or cloud-based hosting of duplicate data or data not related to transactional wagering data upon written request of an operator or licensee.
W. All sports wagering mechanisms shall be submitted to a designated gaming laboratory for testing and required certification prior to being placed at a licensed premise. A designated gaming laboratory shall certify that the sports wagering mechanism meets or exceeds the most current board approved version of standards for sports wagering mechanisms, or equivalent standards as approved by the board, and the standards established by the board or the division.
X. System Integrity and Security Assessment
1. Operators of online sports wagering shall, within 90 days of commencing sports wagering operations in this state and annually thereafter, perform a system integrity and security assessment of sports wagering platforms and systems which shall be conducted by an independent professional selected by the licensee and subject to approval of the division. The scope shall include, at a minimum: a vulnerability assessment of digital platforms, mobile applications, internal, external, and wireless networks with the intent of identifying vulnerabilities of all devices, the sports wagering platform, and applications transferring, storing, and/or processing personal identifying information and other sensitive information connected to or present on the networks; a penetration test of all digital platforms, mobile applications, internal, external, and wireless networks to confirm if identified vulnerability of all devices, the sports wagering platform, and applications are susceptible to compromise; a review of the firewall rules to verify the operating condition of the firewall and the effectiveness of its security configuration and rule sets performed on all the perimeter firewalls and the internal firewalls; a technical security control assessment against the provisions adopted in these rules with generally accepted professional standards and as approved by the board; an evaluation of information security services, cloud services, payment services (financial institutions, payment processors, etc.), location services, and any other services which may be offered directly by the operator or involve the use of third parties; and any other specific criteria or standards for the sports wagering platform integrity and security assessment as prescribed by the board. 
The assessment report shall be submitted to the division no later than 30 days after the assessment is conducted (and in no event later than July 1) and shall include, at a minimum: scope of review; name and company of affiliation of who conducted the assessment; date of assessment findings; recommended corrective action, if any; and the operator's response to the findings and recommended corrective action.
2. Consistent with Chapter 28 of Part III of this Title, licensees conducting sports wagering at its licensed premises shall perform a system integrity and security assessment of sports wagering platforms and systems used for conducting retail sports wagering, which shall be completed by an independent professional selected by the licensee and subject to approval of the division. No later than 36 months from its last assessment, the licensee shall submit the results of an independent system integrity and security assessment to the division for review, subject to the following requirements:
a. the testing organization must be independent of the licensee and casino operator;
b. results from the network security risk assessment shall be submitted to the division no later than 90 days after the assessment is conducted;
c. at the discretion of the division, additional network security risk assessments may be required; and
d. a licensee shall periodically, but no later than 36 months from its last assessment, assess the risk to operations, assets, patrons, employees, and other individuals or entities resulting from the operation of the casino's computer systems and the processing, storage, or transmission of information and data. The assessment shall be documented and recorded in a manner that can be displayed or printed upon demand by the board or division and shall be maintained for a period of five years. Licensees shall assess the collection of personnel and patron data annually to ensure that only information necessary for the operation of the business is collected and maintained. No unnecessary personal information shall be retained.
3. The licensee may submit for approval a request to the division to leverage the results of prior assessments within the past year conducted by the same independent professional against standards such as ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, the NIST Cybersecurity Framework (CSF), the Payment Card Industry Data Security Standards (PCI-DSS), or equivalent. Such leveraging shall be noted in the independent professional's report. This leveraging does not include critical components unique to the state which will require more current and separate assessments.
Y. Sports wagering platforms and systems shall provide a mechanism for the board or division to query and export, in a format approved by the board or division, all sports wagering platform data.
Z. The sports wagering platform and systems shall be designed in a way to comply with all federal requirements including, but not limited to suspicious wagering activity; Title 31 of the United States Code; and W-2G reporting.
AA. Upon request by the division, sports wagering operators shall create test accounts for the division's use to conduct compliance inspections and testing of the sports wagering platform.
BB. The licensee may establish test accounts to be used to test the various components and operation of a sports wagering platform pursuant to its division approved internal control procedures which must address procedures for identifying test accounts, issuing funds, maintaining proper records for all test accounts and conducting audits of all test activity to ensure proper adjustments to gross sports wagering revenue and any additional requirements specified by the division.

Promulgated by the Department of Public Safety and Corrections, Gaming Control Board, LR 47, Promulgated by the Department of Public Safety and Corrections, Gaming Control Board, LR 4867 (1/1/2022).
AUTHORITY NOTE: Promulgated in accordance with R.S. 27:15 and 24.