RULES AND REGULATIONS
Title 58—RECREATION
PENNSYLVANIA GAMING CONTROL BOARD
[ 58 PA. CODE CH. 809 ]
General Interactive Gaming Platform Requirements; Temporary Regulations
[48 Pa.B. 2544]
[Saturday, April 28, 2018]The Pennsylvania Gaming Control Board (Board), under its specific authority in 4 Pa.C.S. § 13B03(b) (relating to regulations) and the general authority in 4 Pa.C.S. § 1202(b)(30) (relating to general and specific powers), adds the rules regarding platform operations in connection with interactive gaming in this Commonwealth to read as set forth in Annex A.
Purpose of this Temporary Rulemaking
This temporary rulemaking includes rules regarding platform operations in connection with interactive gaming in this Commonwealth intended to ensure players are not exposed to unnecessary security risks by choosing to participate in interactive gaming in this Commonwealth and to ensure the integrity and security of interactive gaming operations in this Commonwealth.
Explanation of Chapter 809
Chapter 809 (relating to interactive gaming platform requirements—temporary regulations) addresses the physical location of interactive gaming devices and associated equipment used by an interactive gaming certificate holder or an interactive gaming licensee to conduct interactive gaming in this Commonwealth as well as the physical and environmental controls that shall be implemented relative to this equipment. These temporary regulations also delineate proper access, remote or otherwise, to all components of interactive gaming systems. These temporary regulations establish the interactive gaming system requirements relative to security, integrity, data logging, monitoring, disclosure requirements regarding software and source code, system shutdown and recovery requirements, standards regarding disaster or emergency situations, and geolocation rules.
Affected Parties
Any entity that operates interactive gaming in this Commonwealth, as well as any entity or individual that will interact with platform operations in this Commonwealth, will be affected by this temporary rulemaking. This temporary rulemaking provides interested parties information relative to platform operations in connection with interactive gaming in this Commonwealth.
Fiscal Impact
Commonwealth
The Board expects that this temporary rulemaking will have minimal fiscal impact on the Board and other Commonwealth agencies. Impact should be confined to the additional personnel and expenses related to implementing these rules as well as continued oversight of expanded gaming with portions of these costs absorbed by existing Board staff.
Political subdivisions
This temporary rulemaking will not have direct fiscal impact on political subdivisions of this Commonwealth. Host municipalities and counties benefit from the local share funding mandated by the act of January 7, 2010 (P.L. 1, No. 1).
Private sector
This temporary rulemaking includes rules regarding platform operations in connection with interactive gaming in this Commonwealth. It is anticipated that this temporary rulemaking will have an impact on those individuals seeking to operate a platform in connection interactive gaming in this Commonwealth and those individuals seeking to provide services to platform operators. The fiscal impact to these parties will be offset by revenues collected through the play of interactive games.
General public
This temporary rulemaking will not have direct fiscal impact on the general public.
Paperwork Requirements
Interactive gaming certificate holders, interactive gaming operators, and individuals and entities providing service to those entities in connection with platform operations will be required to generate and maintain various types of information relative to the platform operation, including access logs, revenue information and patron complaint records.
Effective Date
This temporary rulemaking will become effective upon publication in the Pennsylvania Bulletin and expires 2 years after publication.
Public Comments
While this temporary rulemaking will be effective upon publication, the Board is seeking comments from the public and affected parties as to how these temporary regulations might be improved.
Interested persons are invited to submit written comments, suggestions or objections regarding this temporary rulemaking within 30 days after the date of publication in the Pennsylvania Bulletin to Laura R. Burd, Senior Counsel, Pennsylvania Gaming Control Board, P.O. Box 69060, Harrisburg, PA 17106-9060, Attention: Public Comment on Regulation # 125-213.
Contact Person
The contact person for questions about this temporary rulemaking is Laura R. Burd, Senior Counsel, (717) 346-8300.
Regulatory Review
Under 4 Pa.C.S. § 13B03, the Board has the authority to promulgate temporary regulations to facilitate the prompt implementation of interactive gaming in this Commonwealth. The temporary regulations adopted by the Board are not subject to sections 201—205 of the act of July 31, 1968 (P.L. 769, No. 240) (45 P.S. §§ 1201—1205), known as the Commonwealth Documents Law, the Regulatory Review Act (71 P.S. §§ 745.1—745.14) and section 204(b) of the Commonwealth Attorneys Act (71 P.S. § 732-204(b)). Under 4 Pa.C.S. § 13B03(c), these temporary regulations expire 2 years after publication in the Pennsylvania Bulletin.
Findings
The Board finds that:
(1) Under 4 Pa.C.S. § 13B03, the temporary regulations are exempt from the requirements of the Regulatory Review Act, sections 201—205 of the Commonwealth Documents Law and section 204(b) of the Commonwealth Attorneys Act.
(2) The adoption of the temporary regulations is necessary and appropriate for the administration and enforcement of 4 Pa.C.S. Part II (relating to Pennsylvania Race Horse Development and Gaming Act).
Order
The Board, acting under 4 Pa.C.S. Part II, orders that:
(1) The regulations of the Board, 58 Pa. Code, are amended by adding temporary §§ 809.1—809.8 to read as set forth in Annex A.
(2) The temporary regulations will be posted on the Board's web site.
(3) The temporary regulations are subject to amendment as deemed necessary by the Board.
(4) The Chairperson of the Board has certified this order and Annex A and shall deposit them with the Legislative Reference Bureau as required by law.
(5) These temporary regulations are effective upon publication in the Pennsylvania Bulletin and expire on April 28, 2020.
DAVID M. BARASCH,
ChairpersonFiscal Note: 125-213. No fiscal impact; (8) recommends adoption.
Annex A
TITLE 58. RECREATION
PART VII. GAMING CONTROL BOARD
Subpart L. INTERACTIVE GAMING
CHAPTER 809. INTERACTIVE GAMING PLATFORM REQUIREMENTS—TEMPORARY REGULATIONS Sec.
809.1. Scope. 809.2. Definitions. 809.3. Location of equipment. 809.4. Physical and environmental controls for equipment. 809.5. Access to equipment. 809.6. System requirements. 809.7. Geolocation requirements. 809.8. Security policy requirements. § 809.1. Scope.
To ensure players are not exposed to unnecessary security risks by choosing to participate in interactive gaming in this Commonwealth and to ensure the integrity and security of interactive gaming operations in this Commonwealth, the system requirements in this chapter apply to all of the following critical components of an interactive gaming system:
(1) Interactive gaming system components which record, store, process, share, transmit or retrieve sensitive player information (for example, credit and debit card details, authentication information and player account balances).
(2) Interactive gaming system components which generate, transmit or process random numbers used to determine the outcome of games or virtual events.
(3) Interactive gaming system components which store results or the current state of a player's wager.
(4) Points of entry and exit from the above systems or other systems which are able to communicate directly with core critical systems.
(5) Communication networks which transmit sensitive player information.
§ 809.2. Definitions.
The following words and terms, when used in this chapter, have the following meanings, unless the context clearly indicates otherwise:
Domain name system—The globally distributed Internet database which maps machine names to IP numbers, and vice versa.
Player device—The device that converts communications from the interactive gaming platform into a human interpretable form and converts human decisions into a communication format understood by the interactive gaming platform. The term includes personal computers, mobile phones, tablets, and the like.
Primary server—First source for Domain Name System data and responds to queries.
Remote access—Any access from outside the interactive gaming system or interactive gaming system network, including access from other networks within the same facility.
Secondary server or redundancy server—A server that shares the same features and capabilities as the primary server serves and acts as a second or substitutive point of contact in case the primary server is unavailable, busy or overloaded.
Stateful protocol—A protocol in which the communication system utilized by the player and the primary or secondary server tracks the state of the communication session.
Stateless protocol—A protocol in which neither the player nor the primary or secondary servers communication systems tracks the state of the communication session.
§ 809.3. Location of equipment.
The Board shall approve the location of all interactive gaming devices and associated equipment used by an interactive gaming certificate holder or interactive gaming operator licensee to conduct interactive gaming. The interactive gaming devices and associated equipment may be located in a restricted area on the premises of the licensed facility, in an interactive gaming restricted area within the geographic limits of the county in this Commonwealth where the licensed facility is situated or any other area, located within the United States, provided the location adheres to all of the following limitations:
(1) The primary server used to resolve domain name service (DNS) inquiries used by an interactive gaming certificate holder or interactive gaming operator licensee to conduct interactive gaming in this Commonwealth must be physically located in a secure data center. At least one secondary server must be able to resolve DNS queries.
(2) Redundancy, secondary and emergency servers used by an interactive gaming certificate holder or interactive gaming operator licensee to conduct interactive gaming in this Commonwealth must be physically located in a secure data center at a separate premises than the primary server.
(3) The Board may require interactive gaming system data necessary to certify revenue and resolve player complaints to be maintained in this Commonwealth in a manner and location approved by the Board. The data must include data related to the calculation of revenue, player transactions, game transactions, game outcomes, responsible gaming and any other data which may be prescribed by the Board. The data must be maintained in a manner which prevents unauthorized access or modification without the prior approval of the Board.
§ 809.4. Physical and environmental controls for equipment.
(a) An interactive gaming system and the associated communications systems must be located in facilities which provide physical protection against damage from fire, flood, hurricane, earthquake, and other forms of natural or manmade disaster by utilizing and implementing at least all of the following measures:
(1) Security perimeters (barriers such as walls, card controlled entry gates or manned reception desks) must be used to protect areas that contain interactive gaming systems components.
(2) Secure areas must be protected by appropriate entry controls to ensure that access is restricted to only authorized personnel.
(3) All access must be recorded in a secure log which is available for inspection by Board staff.
(4) Secure areas must include an intrusion detection system. Attempts at unauthorized access must be logged.
(b) Interactive gaming system servers must be located in server rooms which prohibit unauthorized access.
(c) Interactive gaming system servers must be housed in racks located within a secure area.
(d) Interactive gaming system components must provide all of the following minimum utility support:
(1) Interactive gaming system components must be provided with adequate primary power.
(2) Interactive gaming system components must have uninterruptible power supply equipment to support operations in the event of a power failure.
(3) There must be adequate cooling for the equipment housed in the server area.
(4) Power and telecommunications cabling carrying data or supporting information services must be protected from interception or damage.
(5) There must be adequate fire protection for the interactive gaming system components housed in the server room.
§ 809.5. Access to equipment.
(a) The interactive gaming certificate holder and interactive gaming operator licensee shall limit and control access to the primary server and any secondary servers by ensuring all of the following:
(1) Maintain access codes and other computer security controls.
(2) Maintain logs of user access, security incidents and unusual transactions.
(3) Coordinate and develop an education and training program on information security and privacy matters for employees and other authorized users.
(4) Ensure compliance with all State and Federal information security policies and rules.
(5) Prepare and maintain security-related reports and data.
(6) Develop and implement an incident reporting and response system to address security breaches, policy violations and complaints from external parties.
(7) Develop and implement an ongoing risk assessment program that targets information security and privacy matters by identifying methods for vulnerability detection and remediation and overseeing the testing of those methods.
(b) Remote access to an interactive gaming certificate holder or interactive gaming operator licensee's interactive gaming system is only permitted as follows:
(1) To Board employees upon request and without limitation.
(2) For testing purposes with prior approval from and as limited by the Board.
(3) By employees of an interactive gaming certificate holder or an interactive gaming operator licensee with prior approval from and as limited by the Board.
(c) All interactive gaming certificate holder's or interactive gaming operator licensee's interactive gaming systems must be available for independent testing by the Board, without limitation.
§ 809.6. System requirements.
(a) Interactive gaming system methodology. An interactive gaming system shall be designed with a methodology (for example, cryptographic controls) approved by the Board to ensure secure communications between a player's device and the interactive gaming system. When reviewing the security of an interactive gaming certificate holder or interactive gaming operator licensee's interactive gaming system methodology, the Board will consider all of the following:
(1) The interactive gaming system methodology shall be designed to ensure the integrity and confidentiality of all player communication and ensure the proper identification of the sender and receiver of all communications. If communications are performed across a third-party network, the system must either encrypt the data packets or utilize a secure communications protocol to ensure the integrity and confidentiality of the transmission.
(2) Wireless communications between the player device and the primary or secondary server must be encrypted in transit using a method (for example, AES, IPsec and WPA2) approved by the Board.
(3) An interactive gaming certificate holder or interactive gaming operator licensee shall mask the service set identification of the interactive gaming system network to ensure that it is unavailable to the general public.
(4) All communications that contain patron account numbers, user identification, or passwords and PINs must utilize a secure method of transfer (for example, 128-bit key encryption) approved by the Board.
(5) Only devices authorized by the Board are permitted to establish communications between a player device and an interactive gaming system.
(6) Server-based interactive gaming systems must maintain an internal clock that reflects the current date and time that must be used to synchronize the time and date among all components that comprise the interactive gaming system. The interactive gaming system date and time must be visible to the patron when logged on.
(b) Change or modification. Any change or modification to the interactive gaming system which impacts a regulated feature of an approved gaming system, unless otherwise permitted by the Board, requires submission to and approval by the Board or its designee prior to implementation of the change or modification.
(c) Standards for data logging. An interactive gaming system must meet all of the following standards regarding data logging:
(1) Interactive gaming systems must employ a mechanism capable of maintaining a separate copy of all of the information required to be logged in this section on a separate and independent logging device capable of being administered by an employee with no incompatible function. If the interactive gaming system can be configured so that any logged data is contained in a secure transaction file, a separate logging device is not required.
(2) Interactive gaming systems must provide a mechanism for the Board to query and export, in a format required by the Board, all interactive gaming system data.
(3) Interactive gaming systems must electronically log the date and time any player gaming account is created or terminated (Account Creation Log).
(4) An interactive gaming system must maintain all information necessary to recreate player game play and account activity during each player session, including any identity or location verifications, for not less than 6 years.
(5) Unless otherwise authorized by the Board, when software is installed on or removed from an interactive gaming system, the action must be recorded in a secure electronic log (Software Installation/Removal Log), which must include all of the following:
(i) The date and time of the action.
(ii) The identification of the software.
(iii) The identity of the person performing the action.
(6) Unless otherwise authorized by the Board, when a change in the availability of game software is made on an interactive gaming system, the change must be recorded in a secure electronic log (Game Availability Log), which must include:
(i) The date and time of the change.
(ii) The identification of the software.
(iii) The identity of the person performing the change.
(7) Unless otherwise exempted by the Board, an interactive gaming system must record all promotional offers (Promotions Log) issued through the system. The log must provide the information necessary as determined by the Board to audit compliance with the terms and conditions of current and previous offers.
(8) Results of all authentication attempts must be retained in an electronic log (Authentication Log) and accessible for not less than 90 days.
(9) All adjustments to an interactive gaming system data made using stored procedures must be recorded in an electronic log (Adjustments Log), which lists all of the following:
(i) The date and time.
(ii) The identification and user ID of user performing the action.
(iii) A description of the event or action taken.
(iv) The initial and ending values of any data altered as a part of the event or action performed.
(d) Security requirements.
(1) Networks should be logically separated so that there should be no network traffic on a network link which cannot be serviced by hosts on that link.
(2) Networks must meet all of the following requirements to assure security:
(i) The failure of any single item should not result in a denial of service.
(ii) An intrusion detection system/intrusion prevention system must be installed on the network which can do all of the following:
(A) Listen to both internal and external communications.
(B) Detect or prevent Distributed Denial of Service attacks.
(C) Detect or prevent shellcode from traversing the network.
(D) Detect or prevent Address Resolution Protocol spoofing.
(E) Detect other Man-in-the-Middle indicators and server communication immediately if detected.
(iii) Each server instance in cloud and virtualized environments should perform only one function.
(iv) In virtualized environments, redundant server instances cannot run under the same hypervisor.
(v) Stateless protocols should not be used for sensitive data without stateful transport.
(vi) All changes to network infrastructure must be logged.
(vii) Virus scanners or detection programs, or both, should be installed on all pertinent information systems and should be updated regularly to scan for new strains of viruses.
(viii) Network security should be tested by a qualified and experienced individual on a regular basis.
(viv) Testing should include testing of the external interfaces and internal network.
(x) Testing of each security domain on the internal network should be undertaken separately.
(e) Self-monitoring of critical components. The interactive gaming system must implement the self-monitoring of critical components. A critical component that fails self-monitoring tests shall be taken out of service immediately and may not be returned to service until there is reasonable evidence that the fault has been rectified. Required self-monitoring measures include all of the following:
(1) The clocks of all components of the interactive gaming system must be synchronized with an agreed accurate time source to ensure consistent logging. Time skew shall be checked periodically.
(2) Audit logs recording user activities, exceptions and information security events must be produced and kept for a period of time to be determined by the Board to assist in investigations and access control monitoring.
(3) System administrators and system operator activities must be logged.
(4) Logging facilities and log information must be protected against tampering and unauthorized access.
(5) Any modifications, attempted modifications, read access, or other change or access to any interactive gaming system record, audit or log must be detectable by the interactive gaming system. It must be possible to see who has viewed or altered a log and when.
(6) Logs generated by monitoring activities shall be reviewed periodically using a documented process. A record of each review must be maintained.
(7) Interactive gaming system faults shall be logged, analyzed and appropriate actions taken.
(8) Network appliances with limited onboard storage must disable all communication if the audit log becomes full or offload logs to a dedicated log server.
(f) System disclosure requirements.
(1) A petitioner for or holder of an interactive gaming certificate, an applicant for or holder of an interactive gaming operator license, and an applicant for or holder of an interactive gaming manufacturer license shall seek Board approval of all source code used to conduct interactive gaming in this Commonwealth.
(2) All documentation relating to software and application development should be available for Board inspection and retained for the duration of its lifecycle.
(3) All software used to conduct interactive gaming in this Commonwealth shall be designed with a method, approved by the Board, that permits remote validation of software.
(g) Shutdown and recovery capabilities. The interactive gaming system must have all of the following shutdown and recovery capabilities to maintain the integrity of the hardware, software and data contained therein in the event of a shutdown:
(1) The interactive gaming system must be able to perform a graceful shutdown and only allow automatic restart on power up after all of the following procedures have been performed:
(i) The program resumption routine, including self-tests, completes successfully.
(ii) All critical control program components of the interactive gaming system have been authenticated using a method approved by the Board.
(iii) Communication with all components necessary for the interactive gaming system operation have been established and similarly authenticated.
(2) The interactive gaming system must be able to identify and properly handle the situation when master resets have occurred on other remote gaming components which affect game outcome, win amount or reporting.
(3) The interactive gaming system must have the ability to restore the system from the last backup.
(4) The interactive gaming system must be able to recover all critical information from the time of the last backup to the point in time at which the interactive gaming system failure or reset occurred.
(h) Recovery plan. An interactive gaming certificate holder or interactive gaming operator licensee shall have a plan in place, approved by the Board, to recover interactive gaming operations in the event that the interactive gaming system is rendered inoperable (that is, Disaster/Emergency Recovery Plan). When reviewing the sufficiency of an interactive gaming certificate holder or interactive gaming operator licensee's plan to recover interactive gaming system operations in the event the interactive gaming system is rendered inoperable, the Board will consider all of the following:
(1) The method of storing player account information and gaming data to minimize loss in the event the interactive gaming system is rendered inoperable.
(2) If asynchronous replication is used, the method for recovering data should be described or the potential loss of data should be documented.
(i) Recovery plan requirements. An interactive gaming certificate holder's or interactive gaming licensee's Disaster/Emergency Recovery Plan must also:
(1) Delineate the circumstances under which it will be invoked.
(2) Address the establishment of a recovery site physically separated from the interactive gaming system site.
(3) Contain recovery guides detailing the technical steps required to re-establish gaming functionality at the recovery site.
(4) Include a Business Continuity Plan that addresses the process required to resume administrative operations of interactive gaming activities after the activation of the recovered platform for a range of scenarios appropriate for the operations context of the interactive gaming system.
(j) Location of equipment. Equipment used by a server-based interactive gaming system for the sole purpose of restoring data following a disaster must be located in a location within the United States as approved by the Board.
(k) Player self-exclusion. The interactive gaming system must provide an easy and obvious mechanism for players to self-exclude from interactive gaming.
(l) Mechanism for self-exclusion. The interactive gaming system must provide a mechanism by which a player may be excluded from interactive gaming according to the terms and conditions agreed to by the player upon registration.
§ 809.7. Geolocation requirements.
(a) An interactive gaming system must employ a mechanism to detect the physical location of a player upon logging into the interactive gaming system and as frequently as specified in the Board's technical standards and the interactive gaming certificate holder's or interactive gaming operator licensee's approved internal controls submission. If the system detects that the physical location of the player is in an area unauthorized for an interactive gaming system, the system may not accept wagers and must disable any interactive gaming activity for that player until the player is in an authorized location.
(b) The geolocation system must be equipped to dynamically monitor the player's location and block unauthorized attempts to access the interactive gaming system throughout the duration of the gaming session.
(c) An interactive gaming certificate holder or interactive gaming operator licensee must prevent registered players within a licensed facility from accessing authorized interactive games on the registered player's own computers or other devices through the use of geolocation technologies.
(d) Interactive gaming shall only occur within this Commonwealth unless the conduct of gaming is not inconsistent with Federal law, law of the jurisdiction, including any foreign nation, in which the participating player is located, or the gaming activity is conducted pursuant to a reciprocal agreement to which the Commonwealth is a party that is not inconsistent with Federal law.
§ 809.8. Security policy requirements.
Interactive gaming certificate holders and interactive gaming operator licensees shall adopt and maintain a Board-approved information security policy which describes the certificate holder's or licensee's approach to managing information security and its implementation. This policy is required in addition to any similar requirements that may be imposed as part of the certificate holder's or licensee's internal controls. The information security policy must:
(1) Have a provision requiring review when changes occur to the interactive gaming system or the processes which alter the risk profile of the interactive gaming system.
(2) Be approved by the certificate holder's or licensee's management.
(3) Be communicated to all employees and relevant external parties.
(4) Undergo review at planned intervals.
(5) Delineate the responsibilities of the certificate holder's or licensee's staff and the staff of any third parties for the operation, service and maintenance of the interactive gaming system and its components.
[Pa.B. Doc. No. 18-668. Filed for public inspection April 27, 2018, 9:00 a.m.]
No part of the information on this site may be reproduced for profit or sold for profit.This material has been drawn directly from the official Pennsylvania Bulletin full text database. Due to the limitations of HTML or differences in display capabilities of different browsers, this version may differ slightly from the official printed version.
