58 Pa. Code § 809a.6

Current through Register Vol. 54, No. 43, October 26, 2024
Section 809a.6 - System requirements
(a) Interactive gaming system methodology. An interactive gaming system shall be designed with a methodology (for example, cryptographic controls) approved by the Board to ensure secure communications between a player's device and the interactive gaming system. When reviewing the security of an interactive gaming certificate holder or interactive gaming operator's interactive gaming system methodology, the Board will consider all of the following:
(1) The interactive gaming system methodology shall be designed to ensure the integrity and confidentiality of all player communication and ensure the proper identification of the sender and receiver of all communications. If communications are performed across a third-party network, the system must either encrypt the data packets or utilize a secure communications protocol to ensure the integrity and confidentiality of the transmission.
(2) Wireless communications between the player device and the primary or secondary server must be encrypted in transit using a method (for example, AES, IPsec and WPA2) approved by the Board.
(3) All communications that contain registered player account numbers, user identification, or passwords and PINs must utilize a secure method of transfer (for example, 128-bit key encryption) approved by the Board.
(4) Only devices authorized by the Board are permitted to establish communications between a player device and an interactive gaming system.
(5) Server-based interactive gaming systems must maintain an internal clock that reflects the current date and time that must be used to synchronize the time and date among all components that comprise the interactive gaming system. The interactive gaming system date and time must be visible to the registered player when logged on.
(b) Change or modification. Any change or modification to the interactive gaming system shall be handled in accordance with the Change Management guidelines issued and distributed to interactive gaming certificate holders, interactive gaming operators, and interactive gaming manufacturers.
(c) Standards for data logging. An interactive gaming system must meet all of the following standards regarding data logging:
(1) Interactive gaming systems must employ a mechanism capable of maintaining a separate copy of all of the information required to be logged in this section on a separate and independent logging device capable of being administered by an employee with no incompatible function. If the interactive gaming system can be configured so that any logged data is contained in a secure transaction file, a separate logging device is not required.
(2) Interactive gaming systems must provide a mechanism for the Board to query and export, in a format required by the Board, all interactive gaming system data.
(3) Interactive gaming systems must electronically log the date and time any player gaming account is created or terminated (Account Creation Log).
(4) An interactive gaming system must maintain all information necessary to recreate player game play and account activity during each player session, including any identity or location verifications, for not less than 10 years.
(5) Unless otherwise authorized by the Board, when software is installed on or removed from an interactive gaming system, the action must be recorded in a secure electronic log (Software Installation/Removal Log), which must include all of the following:
(i) The date and time of the action.
(ii) The identification of the software.
(iii) The identity of the person performing the action.
(6) Unless otherwise authorized by the Board, when a change in the availability of game software is made on an interactive gaming system, the change must be recorded in a secure electronic log (Game Availability Log), which must include:
(i) The date and time of the change.
(ii) The identification of the software.
(iii) The identity of the person performing the change.
(7) Unless otherwise exempted by the Board, an interactive gaming system must record all promotional offers (Promotions Log) issued through the system. The log must provide the information necessary as determined by the Board to audit compliance with the terms and conditions of current and previous offers.
(8) Results of all authentication attempts must be retained in an electronic log (Authentication Log) and accessible for not less than 90 days.
(9) All adjustments to an interactive gaming system data made using stored procedures must be recorded in an electronic log (Adjustments Log), which lists all of the following:
(i) The date and time.
(ii) The identification and user ID of user performing the action.
(iii) A description of the event or action taken.
(iv) The initial and ending values of any data altered as a part of the event or action performed.
(d) Security requirements.
(1) Networks should be logically separated so that there should be no network traffic on a network link which cannot be serviced by hosts on that link.
(2) Networks must meet all of the following requirements to assure security:
(i) The failure of any single item should not result in a denial of service.
(ii) An intrusion detection system/intrusion prevention system must be installed on the network which can do all of the following:
(A) Listen to both internal and external communications.
(B) Detect or prevent Distributed Denial of Service attacks.
(C) Detect or prevent shellcode from traversing the network.
(D) Detect or prevent Address Resolution Protocol spoofing.
(E) Detect other Man-in-the-Middle indicators and server communication immediately.
(iii) Each server instance in cloud and virtualized environments should perform only one function.
(iv) In virtualized environments, redundant server instances cannot run under the same hypervisor.
(v) Stateless protocols should not be used for sensitive data without stateful transport.
(vi) All changes to network infrastructure must be logged.
(vii) Virus scanners or detection programs, or both, should be installed on all pertinent information systems and should be updated regularly to scan for new strains of viruses.
(viii) Network security should be tested by a qualified and experienced individual on a regular basis.
(ix) Testing should include testing of the external interfaces and internal network.
(x) Testing of each security domain on the internal network should be undertaken separately.
(3) An annual security audit shall be performed to complement the required independent testing laboratory testing and annual encryption certification.
(i) The security audit shall cover the underlying operating systems, network components and hardware changes not included in the evaluation of the interactive gaming software.
(ii) The security audit shall be performed by an independent third party who shall provide a detailed report with remediation or mitigation plans to the Board, and may take the form of any of the following:
(A) Penetration test.
(B) Vulnerability assessment.
(C) Compliance audit.
(D) Risk assessment.
(4) Internal and external network vulnerability scans shall be run at least quarterly, or after any change or modification to the interactive gaming system that requires approval by the Board under the change management guidelines distributed under § 809a.6(b) (relating to system requirements), unless otherwise directed by the Board.
(i) Testing procedures must verify that four quarterly internal and external scans take place every 12 months and that re-scans occur until all medium risk (CVSS 4.0 or higher) vulnerabilities are resolved.
(ii) The quarterly scans may be performed by either an independent third party or by a qualified employee of the interactive gaming certificate holder or interactive gaming operator.
(iii) Verification of the scans shall be submitted to the Board on a quarterly basis and must include a remediation or mitigation plan for any vulnerabilities not resolved prior to the submission of the verification.
(e) Self-monitoring of critical components. The interactive gaming system must implement the self-monitoring of critical components. A critical component that fails self-monitoring tests shall be taken out of service immediately and may not be returned to service until there is reasonable evidence that the fault has been rectified. Required self-monitoring measures include all of the following:
(1) The clocks of all components of the interactive gaming system must be synchronized with an agreed accurate time source to ensure consistent logging. Time skew shall be checked periodically.
(2) Audit logs recording user activities, exceptions and information security events must be produced and kept for a period of time to be determined by the Board to assist in investigations and access control monitoring.
(3) System administrators and system operator activities must be logged.
(4) Logging facilities and log information must be protected against tampering and unauthorized access.
(5) Any modifications, attempted modifications, read access, or other change or access to any interactive gaming system record, audit or log must be detectable by the interactive gaming system. It must be possible to see who has viewed or altered a log and when.
(6) Logs generated by monitoring activities shall be reviewed periodically using a documented process. A record of each review must be maintained.
(7) Interactive gaming system faults shall be logged, analyzed and appropriate actions taken.
(8) Network appliances with limited onboard storage must disable all communication if the audit log becomes full or offload logs to a dedicated log server.
(f) System disclosure requirements.
(1) A petitioner for or holder of an interactive gaming certificate, an applicant for or holder of an interactive gaming license, and an applicant for or holder of an interactive gaming manufacturer license shall seek Board approval of all source code used to conduct interactive gaming in this Commonwealth.
(2) All documentation relating to software and application development should be available for Board inspection and retained for the duration of its lifecycle.
(3) All software used to conduct interactive gaming in this Commonwealth shall be designed with a method, approved by the Board, that permits remote validation of software.
(g) Shutdown and recovery capabilities. The interactive gaming system must have all of the following shutdown and recovery capabilities to maintain the integrity of the hardware, software and data contained therein in the event of a shutdown:
(1) The interactive gaming system must be able to perform a graceful shutdown and only allow automatic restart on power up after all of the following procedures have been performed:
(i) The program resumption routine, including self-tests, completes successfully.
(ii) All critical control program components of the interactive gaming system have been authenticated using a method approved by the Board.
(iii) Communication with all components necessary for the interactive gaming system operation has been established and similarly authenticated.
(2) The interactive gaming system must be able to identify and properly handle the situation when master resets have occurred on other remote gaming components which affect game outcome, win amount or reporting.
(3) The interactive gaming system must have the ability to restore the system from the last backup.
(4) The interactive gaming system must be able to recover all critical information from the time of the last backup to the point in time at which the interactive gaming system failure or reset occurred.
(h) Recovery plan. An interactive gaming certificate holder or interactive gaming operator shall have a plan in place, approved by the Board, to recover interactive gaming operations in the event that the interactive gaming system is rendered inoperable (that is, Disaster/Emergency Recovery Plan). When reviewing the sufficiency of an interactive gaming certificate holder or interactive gaming operator's plan to recover interactive gaming system operations in the event the interactive gaming system is rendered inoperable, the Board will consider all of the following:
(1) The method of storing player account information and gaming data to minimize loss in the event the interactive gaming system is rendered inoperable.
(2) If asynchronous replication is used, the method for recovering data should be described or the potential loss of data should be documented.
(i) Recovery plan requirements. An interactive gaming certificate holder's or interactive gaming operator's Disaster/Emergency Recovery Plan must also:
(1) Delineate the circumstances under which it will be invoked.
(2) Address the establishment of a recovery site physically separated from the interactive gaming system site.
(3) Contain recovery guides detailing the technical steps required to re-establish gaming functionality at the recovery site.
(4) Include a Business Continuity Plan that addresses the process required to resume administrative operations of interactive gaming activities after the activation of the recovered platform for a range of scenarios appropriate for the operations context of the interactive gaming system.
(j) Location of equipment. Equipment used by a server-based interactive gaming system for the sole purpose of restoring data following a disaster must be located in a location within the United States as approved by the Board.
(k) Player self-exclusion. The interactive gaming system must provide an easy and obvious mechanism for players to access the Board's self-exclusion database to self-exclude from interactive gaming.
(l) Mechanism for temporary suspension. The interactive gaming system must provide a mechanism by which a player may elect to temporarily suspend his or her interactive gaming account for a period of no less than 72 hours in accordance with the terms and conditions agreed to by the player upon registration.

This section cited in 58 Pa. Code § 809a.6 (relating to system requirements).