[50 Pa.B. 4248]
[Saturday, August 22, 2020]
[Continued from previous Web Page]
CHAPTER 805a. INTERACTIVE GAMING MANUFACTURER Sec.
805a.1. Interactive gaming manufacturer license requirements. 805a.2. Interactive gaming manufacturer license application and standards. 805a.3. Interactive gaming manufacturer license term and renewal. 805a.4. Interactive gaming manufacturer abbreviated license process. 805a.5. Interactive gaming manufacturer licensee responsibilities. 805a.6. Interactive gaming manufacturer licensee change of control. § 805a.1. Interactive gaming manufacturer license requirements.
(a) An interactive gaming manufacturer seeking to manufacture interactive devices or associated equipment for use in this Commonwealth shall apply to the Board for an interactive gaming manufacturer license.
(b) In accordance with section 1317.1(e)(3) of the act (relating to manufacturer licenses), an applicant for or the holder of an interactive gaming manufacturer license or any of the applicant's or holder's affiliates, intermediaries, subsidiaries or holding companies may not apply for or hold a slot machine license or an interactive gaming supplier license.
§ 805a.2. Interactive gaming manufacturer license application and standards.
(a) An applicant for an interactive gaming manufacturer license shall submit all of the following:
(1) An original and one copy of the Enterprise Entity Application and Disclosure Information Form for the applicant and each of the applicant's principal affiliates.
(2) The nonrefundable application fee posted on the Board's web site.
(3) A diversity plan as set forth in section 1325(b) of the act (relating to license or permit issuance) and Chapter 481a (relating to diversity).
(4) An application from every key employee under §§ 435a.2 and 808a.3 (relating to key employee license; and interactive key employees) and principal under Chapter 433a (relating to principal licenses) and § 808a.2 (relating to interactive gaming principals) as specified by the Enterprise Entity Application and Disclosure Information Form and other persons as determined by the Board.
(5) An affirmation that neither the applicant nor any of its affiliates, intermediaries, subsidiaries or holding companies is an applicant for or holder of a slot machine license and that the applicant has neither applied for nor holds an interactive gaming supplier license.
(6) A statement that the applicant has developed and implemented internal safeguards and policies to prevent a violation of section 1513 of the act (relating to political influence) and a copy of the safeguards and policies.
(b) In addition to the materials required under subsection (a), an applicant for an interactive gaming manufacturer license shall do all of the following:
(1) Comply with the general application requirements in Chapters 421a and 423a (relating to general provisions; and applications; statement of conditions; wagering restrictions).
(2) Demonstrate that the applicant has the ability to manufacture, build, rebuild, repair, fabricate, assemble, produce, program, design or otherwise make modifications to interactive gaming devices or associated equipment which meet one or more of the following criteria:
(i) Are specifically designed for use in the operation of interactive gaming or an interactive gaming device or associated equipment.
(ii) Are needed to conduct an authorized interactive game.
(iii) Have the capacity to affect the outcome of the play of an interactive game.
(iv) Have the capacity to affect the calculation, storage, collection or control of gross interactive gaming revenue.
(c) In determining whether an applicant is suitable to be licensed as an interactive gaming manufacturer under this section, the Board will consider all of the following:
(1) The financial fitness, good character, honesty, integrity and responsibility of the applicant.
(2) If all principals of the applicant are eligible and suitable under the standards of section 1311.1 of the act (relating to licensing of principals).
(3) The integrity of all financial backers.
(4) The suitability of the applicant and the principals of the applicant based on the satisfactory results of all of the following:
(i) The background investigation of the principals.
(ii) A current tax clearance review performed by the Department.
(iii) A current Unemployment Compensation Tax clearance review and a Workers Compensation Tax clearance review performed by the Department of Labor and Industry.
§ 805a.3. Interactive gaming manufacturer license term and renewal.
(a) An interactive gaming manufacturer license and the renewal thereof is valid for 5 years from the date of approval of the application by the Board.
(b) A renewal application for an interactive gaming manufacturer license shall be filed at least 6 months prior to the expiration of the current license.
(c) An interactive gaming manufacturer license for which a completed renewal application and fee has been received by the Board will continue in effect until acted upon by the Board.
§ 805a.4. Interactive gaming manufacturer abbreviated license process.
(a) The Board may use an abbreviated licensing process if the applicant holds a license issued by the Board to manufacture slot machines, table games, table game devices or associated equipment and all of the following apply:
(1) The license was issued by the Board and is currently in good standing.
(2) The entity to whom the manufacturer license was issued affirms there has been no material change in circumstances relating to the license.
(3) The Board determines, in its sole discretion, that there has been no material change in circumstances relating to the licensee that necessitates that the abbreviated process not be used.
(b) This section may not be construed to waive any fees associated with obtaining an interactive gaming manufacturer license through the application process in this Commonwealth.
§ 805a.5. Interactive gaming manufacturer licensee responsibilities.
(a) A holder of an interactive gaming manufacturer license shall have a continuing duty to do all of the following:
(1) Comply with the general requirements in Chapters 421a and 423a (relating to general provisions; and applications; statement of conditions; wagering restrictions).
(2) For publicly traded interactive gaming manufacturer licensees, provide notification of all SEC filings or if the manufacturer is publicly traded on a foreign exchange, a copy of all filings submitted to the securities regulator that has jurisdiction over the foreign publicly traded corporation. The notification or copies of the filings shall be submitted to the Bureau of Licensing within 30 days after the date of filing with the SEC or securities regulator that has jurisdiction over the foreign publicly traded corporation.
(b) An employee of a licensed interactive gaming manufacturer who is a gaming or nongaming employee as defined in § 801a.2 (relating to definitions) shall obtain a permit under § 808a.4 (relating to interactive gaming employees) or registration under § 808a.5 (relating to interactive nongaming employees).
§ 805a.6. Interactive gaming manufacturer licensee change of control.
(a) For purposes of this section, a change of control of an interactive gaming manufacturer licensee will be deemed to have occurred when a person or group of persons acquires:
(1) More than 20% of an interactive gaming manufacturer licensee's securities, assets or other ownership interests.
(2) More than 20% of the securities or other ownership interests of a corporation or other form of business entity that owns directly or indirectly at least 20% of the voting or other securities or other ownership interests of the interactive gaming manufacturer licensee.
(3) Any other interest in an interactive gaming manufacturer licensee which allows the acquirer to control the interactive gaming manufacturer licensee.
(b) An interactive gaming manufacturer licensee shall notify the Bureau and the Bureau of Licensing by filing a Notification of Proposed Transfer of Interest Form immediately upon becoming aware of any proposed or contemplated change of control of the interactive gaming manufacturer licensee.
(c) Prior to acquiring a controlling interest in an interactive gaming manufacturer licensee, the acquirer shall file a petition in accordance with § 493a.4 (relating to petitions generally) requesting Board approval of the acquisition. The petition must include all of the following:
(1) A copy of all documents governing the acquisition.
(2) Completed applications for the acquiring company, as required under this chapter, principals as required under § 808a.2 (relating to interactive gaming principals) and key employees as required under § 808a.3 (relating to interactive key employees).
(3) An affirmation that neither the acquirer nor any of its affiliates, intermediaries, subsidiaries or holding companies is a slot machine licensee or interactive gaming certificateholder and that the acquirer has neither applied for nor holds an interactive gaming supplier license.
(d) A person or group of persons seeking to acquire a controlling interest in an interactive gaming manufacturer licensee shall promptly provide any additional information requested by the Board and Board staff and cooperate with the Bureau in any investigations related to the petition filed under subsection (c).
(e) A person or group of persons may not acquire a controlling interest in an interactive gaming manufacturer licensee until the petition required under subsection (c) has been approved. A person or group of persons seeking to acquire a controlling interest in an interactive gaming manufacturer licensee and the interactive gaming manufacturer licensee may enter into an agreement of sale that is contingent on Board approval of the petition.
(f) The requirements in this section do not apply to the acquisition of a controlling interest in an interactive gaming manufacturer licensee when all of the following conditions are met:
(1) The acquirer is an existing licensed slot machine, table game or interactive gaming manufacturer.
(2) The existing licensed interactive gaming manufacturer has provided the Bureau and the Bureau of Licensing notification and a copy of all documents governing the acquisition at least 60 days prior to the acquisition.
(3) After reviewing the documentation, the Bureau and the Bureau of Licensing determine that the filing of a petition is not required.
CHAPTER 806a. INTERACTIVE GAMING SUPPLIER Sec.
806a.1. Interactive gaming supplier license requirements. 806a.2. Interactive gaming supplier application and standards. 806a.3. Interactive gaming supplier entity term and renewal. 806a.4. Interactive gaming supplier abbreviated license process. 806a.5. Interactive gaming supplier licensee responsibilities. 806a.6. Interactive gaming supplier change of control. § 806a.1. Interactive gaming supplier license requirements.
(a) A supplier seeking to sell, lease, offer or otherwise provide, distribute or service interactive gaming devices or associated equipment to an interactive gaming certificateholder or interactive gaming operator in this Commonwealth shall apply to the Board for an interactive gaming supplier license.
(b) In accordance with sections 1317 and 1317.1 of the act (relating to supplier licenses; and manufacturer licenses), an applicant for or the holder of an interactive gaming supplier license or any of the applicant's or holder's affiliates, intermediaries, subsidiaries or holding companies may not apply for or hold a slot machine license or an interactive gaming manufacturer license.
§ 806a.2. Interactive gaming supplier application and standards.
(a) An applicant for an interactive gaming supplier license shall submit all of the following:
(1) An original and one copy of the Enterprise Entity Application and Disclosure Information Form for the applicant and each of the applicant's principal affiliates.
(2) The nonrefundable application fee posted on the Board's web site.
(3) A diversity plan as set forth in section 1325(b) of the act (relating to license or permit issuance) and Chapter 481a (relating to diversity).
(4) An application from every key employee under § 808a.3 (relating to interactive key employees) and principal under § 808a.2 (relating to interactive gaming principals) as specified by the Enterprise Entity Application and Disclosure Information Form and other persons as determined by the Board.
(5) An affirmation that neither the applicant nor any of its affiliates, intermediaries, subsidiaries or holding companies is an applicant for or holder of a slot machine license and that the applicant has neither applied for nor holds an interactive gaming manufacturer license.
(6) A statement that the applicant has developed and implemented internal safeguards and policies to prevent a violation of section 1513 of the act (relating to political influence) and a copy of the safeguards and policies.
(b) In addition to the materials required under subsection (a), an applicant for an interactive gaming supplier license shall comply with the general application requirements in Chapters 421a and 423a (relating to general provisions; and applications; statement of conditions; wagering restrictions).
(c) In determining whether an applicant is suitable to be licensed as an interactive gaming supplier under this section, the Board will consider all of the following:
(1) The financial fitness, good character, honesty, integrity and responsibility of the applicant.
(2) If all principals of the applicant are eligible and suitable under the standards of section 1311.1 of the act (relating to licensing of principals).
(3) The integrity of all financial backers.
(4) The suitability of the applicant and the principals of the applicant based on the satisfactory results of all of the following:
(i) The background investigation of the principals.
(ii) A current tax clearance review performed by the Department.
(iii) A current Unemployment Compensation Tax clearance review and a Workers Compensation Tax clearance review performed by the Department of Labor and Industry.
§ 806a.3. Interactive gaming supplier entity term and renewal.
(a) An interactive gaming supplier license and the renewal thereof is valid for 5 years from the date of approval of the application by the Board.
(b) A renewal application for an interactive gaming supplier license shall be filed at least 6 months prior to the expiration of the current license.
(c) An interactive gaming supplier license for which a completed renewal application and fee has been received by the Board will continue in effect until acted upon by the Board.
§ 806a.4. Interactive gaming supplier abbreviated license process.
(a) The Board may use an abbreviated licensing process if the applicant holds a license issued by the Board to supply slot machines, table games, table game devices or associated equipment and all of the following apply:
(1) The license was issued by the Board and is currently in good standing.
(2) The entity to whom the supplier license was issued affirms there has been no material change in circumstances relating to the license.
(3) The Board determines, in its sole discretion, that there has been no material change in circumstances relating to the licensee that necessitates that the abbreviated process not be used.
(b) This section may not be construed to waive any fees associated with obtaining an interactive gaming supplier license through the application process in this Commonwealth.
§ 806a.5. Interactive gaming supplier licensee responsibilities.
(a) A supplier shall submit to the Bureau of Licensing for review any agreements with a licensed interactive gaming manufacturer, licensed interactive gaming operator, slot machine licensee or interactive gaming certificateholder. The review may include financing arrangements, technical competency, compensative agreements and other terms or conditions to ensure the financial independence of the licensed interactive gaming supplier from any licensed interactive gaming manufacturer or licensed or certified interactive gaming entity.
(b) A holder of a supplier license shall have a continuing duty to do all of the following:
(1) Comply with the general requirements in Chapters 421a and 423a (relating to general provisions; and applications; statement of conditions; wagering restrictions).
(2) For publicly traded interactive gaming suppliers, provide notification of all SEC filings or, if the supplier is publicly traded on a foreign exchange, a copy of all filings submitted to the securities regulator that has jurisdiction over the foreign publicly traded corporation. The notification or copies of the filings shall be submitted to the Bureau of Licensing within 30 days after the date of filing with the SEC or securities regulator that has jurisdiction over the foreign publicly traded corporation.
(c) An employee of a licensed interactive gaming supplier who is a gaming or nongaming employee as defined in § 801a.2 (relating to definitions) shall obtain a permit under § 808a.4 (relating to interactive gaming employees) or registration under § 808a.5 (relating to interactive nongaming employees).
§ 806a.6. Interactive gaming supplier change of control.
(a) For purposes of this section, a change of control of an interactive gaming supplier licensee will be deemed to have occurred when a person or group of persons acquires:
(1) More than 20% of an interactive gaming supplier licensee's securities, assets or other ownership interests.
(2) More than 20% of the securities or other ownership interests of a corporation or other form of business entity that owns directly or indirectly at least 20% of the voting or other securities or other ownership interests of the interactive gaming supplier licensee.
(3) Any other interest in an interactive gaming supplier licensee which allows the acquirer to control the interactive gaming supplier licensee.
(b) An interactive gaming supplier licensee shall notify the Bureau and the Bureau of Licensing by filing a Notification of Proposed Transfer of Interest Form immediately upon becoming aware of any proposed or contemplated change of control of the interactive gaming supplier licensee.
(c) Prior to acquiring a controlling interest in an interactive gaming supplier licensee, the acquirer shall file a petition in accordance with § 493a.4 (relating to petitions generally) requesting Board approval of the acquisition. The petition must include all of the following:
(1) A copy of all documents governing the acquisition.
(2) Completed applications for the acquiring company, as required under this chapter, principals as required under § 808a.2 (relating to interactive gaming principals) and key employees as required under § 808a.3 (relating to interactive key employees).
(3) An affirmation that neither the acquirer nor any of its affiliates, intermediaries, subsidiaries or holding companies is a slot machine licensee or interactive gaming certificateholder and that the acquirer has neither applied for nor holds an interactive gaming manufacturer license.
(d) A person or group of persons seeking to acquire a controlling interest in an interactive gaming supplier licensee shall promptly provide any additional information requested by the Board and Board staff and cooperate with the Bureau in any investigations related to the petition filed under subsection (c).
(e) A person or group of persons may not acquire a controlling interest in an interactive gaming supplier licensee until the petition, required under subsection (c), has been approved. A person or group of persons seeking to acquire a controlling interest in an interactive gaming supplier licensee and the supplier licensee may enter into a sales agreement that is contingent on Board approval of the petition.
(f) The requirements in this section do not apply to the acquisition of a controlling interest in an interactive gaming supplier licensee when all of the following conditions are met:
(1) The acquirer is an existing licensed slot machine, table game or interactive gaming supplier.
(2) The existing licensed interactive gaming supplier has provided the Bureau and the Bureau of Licensing notification and a copy of all documents governing the acquisition at least 60 days prior to the acquisition.
(3) After reviewing the documentation, the Bureau and the Bureau of Licensing determine that the filing of a petition is not required.
CHAPTER 807a. INTERACTIVE GAMING
SERVICE PROVIDERSSec.
807a.1. General interactive gaming service provider requirements. 807a.2. Interactive gaming service provider certification applications. 807a.3. Interactive gaming service provider registration applications. 807a.4. Qualification of individuals and entities of certified interactive gaming service providers. 807a.5. Interactive gaming service provider registration and certification term and renewal. 807a.6. Authorized interactive gaming service providers list; prohibited interactive gaming service providers. 807a.7. Permission to conduct business prior to certification or registration. 807a.8. Emergency interactive gaming service provider. 807a.9. Duty to investigate. § 807a.1. General interactive gaming service provider requirements.
(a) Except as provided in § 807a.9 (relating to duty to investigate), an interactive gaming service provider or person seeking to conduct business with an interactive gaming certificateholder or interactive gaming operator shall apply to the Board for certification if the interactive gaming service provider or person is providing:
(1) Data hosting services unless the hosting service is in a jurisdiction, the standards of which are recognized by the Board, the owner of the hardware is licensed as an interactive gaming operator by the Board and the facility is approved by the Board.
(2) Payment processing and related money-transmitting services with direct contact with a patron's interactive gaming account.
(3) Customer identity, age verification and geo-location verification used in the conduct of interactive gaming, regardless of the interactive gaming service provider or person's contractual relationship with an interactive gaming certificateholder.
(4) Interactive affiliate goods or services and the interactive affiliate is being paid a revenue share. As used in this subsection, ''interactive affiliate'' means as an individual or entity involved in promoting, marketing and directing business to online gaming sites in exchange for compensation paid based on player activity not a flat fee.
(5) Any other person as determined by the Board.
(b) Except as provided in § 807a.9, a gaming service provider or person seeking to conduct business with an interactive gaming certificateholder or interactive gaming operator shall apply to the Board for a registration if the interactive gaming service provider or person is providing goods or services related to interactive gaming or interactive wagering and the interactive gaming service provider or person is not required to be certified as an interactive gaming service provider. This subsection applies to interactive affiliates involved in promoting, marketing and directing business to online gaming sites in exchange for a flat fee.
(c) A holder of an interactive gaming service provider certification, registration or authorization shall have a continuing duty to comply with the general application requirements in Chapters 421a and 423a (relating to general provisions; and applications; statement of conditions; wagering restrictions).
§ 807a.2. Interactive gaming service provider certification applications.
(a) An interactive gaming service provider seeking certification shall submit an original and one copy of a Certification Application and Disclosure Form. The original, copy and the application fee toward the cost of the investigation of the applicant, as posted on the Board's web site, shall be submitted to the Bureau of Licensing by the interactive gaming service provider unless otherwise directed by the Bureau of Licensing.
(b) In addition to the requirements in subsection (a), an applicant for an interactive gaming service provider certification shall do all of the following:
(1) Submit applications and release authorizations for each individual required to be qualified under § 807a.4 (relating to qualification of individuals and entities of certified interactive gaming service providers).
(2) Comply with the general application requirements in Chapters 421a and 423a (relating to general provisions; and applications; statement of conditions; wagering restrictions).
(c) An applicant for an interactive gaming service provider certification shall reimburse the Board for costs incurred in conducting the investigation of the applicant.
(d) An interactive gaming service provider certification will not be issued until all fees and costs have been paid.
§ 807a.3. Interactive gaming service provider registration applications.
(a) An interactive gaming service provider seeking registration shall complete an original and one copy of a Gaming Service Provider Registration Form. The original, copy and the application fee toward the cost of the investigation of the applicant, as posted on the Board's web site, shall be submitted to the Bureau of Licensing by the interactive gaming service provider unless otherwise directed by the Bureau of Licensing.
(b) In addition to the materials required under subsection (a), an applicant for an interactive gaming service provider registration shall do all of the following:
(1) Submit release authorizations for each individual required to be qualified under § 807a.4 (relating to qualification of individuals and entities of certified interactive gaming service providers).
(2) Comply with the general application requirements in Chapters 421a and 423a (relating to general provisions; and applications; statement of conditions; wagering restrictions).
(3) Submit fingerprints of all of the following individuals in a manner prescribed by the Bureau:
(i) Each officer and director of the registered interactive gaming service provider applicant. For purposes of this subparagraph, ''officer'' means a president, a chief executive officer, a chief financial officer and a chief operating officer, and any person routinely performing corresponding functions with respect to an organization whether incorporated or unincorporated.
(ii) Each individual who has a direct or indirect ownership or beneficial interest of 10% or more in the registered interactive gaming service provider applicant.
(iii) Each salesperson of a registered interactive gaming service provider applicant who solicits business from, or has regular contact with, any representatives of an interactive certificateholder or interactive gaming operator or any employee of a registered interactive gaming service provider applicant who will be engaging in that conduct.
(c) A person who holds any direct or indirect ownership or beneficial interest in a registered interactive gaming service provider or applicant for interactive gaming service provider registration, or has the right to any profits or distributions directly or indirectly, from the registered interactive gaming service provider or applicant for interactive gaming service provider registration may be required to submit fingerprints if the Bureau determines that the submission of fingerprints of the person is necessary to protect the public interest or to enhance the integrity of gaming in this Commonwealth.
(d) Each of the individuals required to submit fingerprints under subsection (b)(3) shall be found qualified by the Board.
(e) An individual who is a gaming or nongaming employee as defined in § 801a.2 (relating to definitions) shall obtain a gaming employee occupation permit in accordance with § 808a.4 (relating to interactive gaming employees) or a nongaming employee registration in accordance with § 808a.5 (relating to interactive nongaming employees).
(f) An applicant for an interactive gaming service provider registration shall reimburse the Board for costs incurred in conducting the investigation of the applicant.
(g) An interactive gaming service provider registration will not be issued until all fees and costs have been paid.
§ 807a.4. Qualification of individuals and entities of certified interactive gaming service providers.
(a) The following individuals shall submit a Pennsylvania Personal History Disclosure Form and be found qualified by the Board:
(1) Each officer and director of a certified interactive gaming service provider or applicant for interactive gaming service provider certification. For the purposes of this paragraph, ''officer'' means a president, a chief executive officer, a chief financial officer, and a chief operating officer and any person routinely performing corresponding functions with respect to an organization whether incorporated or unincorporated.
(2) Each individual who has a direct or indirect ownership or beneficial interest of 10% or more in the certified interactive gaming service provider or applicant for interactive gaming service provider certification. A certified interactive gaming service provider or applicant for interactive gaming service provider certification shall provide information or documentation requested by the Board necessary to determine compliance with this paragraph.
(3) Each salesperson of a certified interactive gaming service provider or applicant for interactive gaming service provider certification who solicits business from, or has regular contact with, any representatives of an interactive gaming certificateholder or interactive gaming operator or any employee of a certified interactive gaming service provider or applicant for interactive gaming service provider certification who will be engaging in that conduct.
(b) Each entity that directly owns 20% or more of the voting securities of a certified interactive gaming service provider or person applying for interactive gaming service provider certification shall file a Certification Form—Holding Company with the Bureau of Licensing and be found qualified by the Board.
(c) The following persons may be required to submit a Certification Form—Holding Company or a Pennsylvania Personal History Disclosure Form and be found qualified by the Board if the Bureau of Licensing determines that the qualification of the person is necessary to protect the public interest or to enhance the integrity of gaming in this Commonwealth.
(1) An intermediary or holding company of a certified interactive gaming service provider or person or applicant for interactive gaming service provider certification not otherwise required to be qualified.
(2) An officer or director of an intermediary or holding company of a certified interactive gaming service provider or applicant for interactive gaming service provider certification.
(3) An employee of a certified interactive gaming service provider or applicant for interactive gaming service provider certification.
(4) A person who holds any direct or indirect ownership or beneficial interest in a certified interactive gaming service provider or applicant for interactive gaming service provider certification, or has the right to any profits or distribution, directly or indirectly, from the certified interactive gaming service provider or applicant for interactive gaming service provider certification.
(5) A trustee of a trust that is required to be found qualified under this section.
(d) The Bureau of Licensing may issue a temporary credential to an individual who is required to be qualified by the Board under this section if all of the following apply:
(1) The individual's presence in an interactive gaming restricted area is needed.
(2) The company with which the individual is associated is on the authorized gaming service provider list.
(e) Upon request, the Bureau of Licensing will issue a credential to an individual who has been found qualified under this section if the interactive gaming service provider has been certified.
(f) An employee of a certified or registered interactive gaming service provider who is a gaming or nongaming employee as defined in § 801a.2 (relating to definitions) shall obtain a permit under § 808a.4 (relating to interactive gaming employees) or registration under § 808a.5 (relating to interactive nongaming employees).
§ 807a.5. Interactive gaming service provider registration and certification term and renewal.
(a) Interactive gaming service provider certifications, registrations and renewals issued under this subpart will be valid for 5 years from the date of Board approval.
(b) Registered and certified interactive gaming service providers shall submit to the Board a completed renewal application or form and renewal fee at least 180 days prior to the expiration of a certification, registration or authorization.
(c) A certification or registration for which a completed renewal application and fee has been received by the Bureau of Licensing will continue to be in effect until the Board sends written notification to the holder of the certification or registration that the Board has approved or denied the certification or registration.
§ 807a.6. Authorized interactive gaming service providers list; prohibited interactive gaming service providers.
(a) The Board will maintain a list of authorized interactive gaming service providers and a list of prohibited interactive gaming service providers. The authorized list will contain the names of persons who have been:
(1) Registered or certified.
(2) Authorized to conduct business with interactive certificateholder or interactive gaming operator under § 437a.9 (relating to permission to conduct business prior to certification or registration).
(b) Except as permitted under §§ 437a.1(a)(2), (d) and (g) and 437a.10 (relating to general gaming service provider requirements; and emergency gaming service provider), an interactive gaming certificateholder or interactive gaming operator may not purchase goods or services from an interactive gaming service provider unless the interactive gaming service provider is on the authorized interactive gaming service provider list. A slot machine licensee, interactive gaming certificateholder or interactive gaming operator or applicant or any affiliate, intermediary, subsidiary or holding company thereof acting on behalf of the slot machine licensee, interactive gaming certificateholder, interactive gaming operator or applicant may not enter into an agreement or continue to do business with an interactive gaming service provider on the prohibited gaming service providers list.
(c) The Board may place a person or provider on the prohibited interactive gaming service provider list if any of the following apply:
(1) The interactive gaming service provider has failed to comply with this chapter.
(2) The interactive gaming service provider has failed to cooperate with Board staff in its review and investigation of the interactive gaming service provider's application.
(3) The interactive gaming service provider's application for certification or registration has been denied or withdrawn with prejudice or the interactive gaming service provider has had its interactive gaming service provider certification or registration suspended or revoked.
(4) The interactive gaming service provider has failed to provide information to a slot machine licensee, an interactive gaming certificateholder or interactive gaming operator that is necessary for the slot machine licensee, interactive gaming certificateholder or interactive gaming operator to comply with this chapter.
(d) A person seeking to be removed from the list of prohibited interactive gaming service providers shall file a petition for removal in accordance with § 493a.4 (relating to petitions generally) and shall be responsible for all costs associated with the person's petition for removal from the list of prohibited interactive gaming service providers. The petition must state the specific grounds believed by the petitioner to constitute good cause for removal from the prohibited interactive gaming service providers list and how the interactive gaming service provider has cured any deficiencies that led to the interactive gaming service provider being placed on the prohibited interactive gaming service providers list.
(e) The Board may impose a monetary penalty or other appropriate sanction in connection with the removal of a person from the list of prohibited interactive gaming service providers or attach any reasonable condition to the removal of a person from the list of prohibited interactive gaming service providers.
§ 807a.7. Permission to conduct business prior to certification or registration.
(a) Notwithstanding § 807a.1 (relating to general interactive gaming service provider requirements), the Bureau of Licensing may authorize an applicant for an interactive gaming service provider certification or registration to conduct business with a slot machine licensee, an interactive gaming certificateholder or interactive gaming operator prior to the certification or registration of the interactive gaming service provider applicant if all of the following criteria are met:
(1) A completed Gaming Service Provider Registration Form or a completed Gaming Service Provider Certification Application and Disclosure Information Form has been filed by the slot machine licensee, interactive gaming certificateholder or interactive gaming operator in accordance with §§ 807a.2 or 807a.3 (relating to interactive gaming service provider certification applications; and interactive gaming service provider registration applications).
(2) The slot machine licensee, interactive gaming certificateholder or interactive gaming operator certifies that it has performed due diligence on the interactive gaming service provider.
(3) The applicant for an interactive gaming service provider registration or certification agrees, in writing, that the grant of permission to conduct business prior to registration or certification does not create a right to continue to conduct business and that the Bureau of Licensing may rescind, at any time, the authorization granted pursuant to this section, with or without prior notice to the applicant, if the Bureau of Licensing is informed that the suitability of the applicant may be at issue or the applicant fails to cooperate in the application or investigatory process.
(b) If the Office of Enforcement Counsel issues a Notice of Recommendation for Denial to an applicant for certification or registration, the Bureau of Licensing may rescind the permission granted to the applicant for certification or registration to conduct business with a slot machine licensee, interactive gaming certificateholder or interactive gaming operator under subsection (a). If the permission is rescinded, the applicant for certification or registration shall cease conducting business with the slot machine licensee, interactive gaming certificateholder, interactive gaming operator or applicant by the date specified in the notice of the rescission by the Bureau of Licensing under subsection (c).
(c) The Bureau of Licensing will notify the applicant for certification or registration and the slot machine licensee, interactive gaming certificateholder, interactive gaming operator or applicant by registered mail and e-mail that permission for the applicant for certification or registration to conduct business with the slot machine licensee, interactive gaming certificateholder, interactive gaming operator or applicant under subsection (a) has been rescinded and that the slot machine licensee, interactive gaming certificateholder, interactive gaming operator or applicant shall cease conducting business with the applicant for certification or registration by the date specified in the notice.
§ 807a.8. Emergency interactive gaming service provider.
(a) An interactive gaming certificateholder or interactive gaming operator may utilize an interactive gaming service provider that is not registered, certified or authorized to conduct business in accordance with § 807a.7 (relating to permission to conduct business prior to certification or registration) when a threat to public health, welfare or safety exists or circumstances outside the control of the slot machine licensee, interactive gaming certificateholder or interactive gaming operator create an urgency of need which does not permit the delay involved in using the formal method of interactive gaming service provider certification or registration. A slot machine licensee, interactive gaming certificateholder or interactive gaming operator may not use an interactive gaming service provider on the prohibited list.
(b) When using an interactive gaming service provider that is not registered, certified or authorized to conduct business to respond to an emergency, the slot machine licensee, interactive gaming certificateholder or interactive gaming operator shall do all of the following:
(1) Immediately notify the Bureau of Licensing of the emergency and the interactive gaming service provider that was selected to provide emergency services.
(2) File an Interactive Gaming Service Provider Emergency Notification Form with the Bureau of Licensing within 72 hours after commencement of the interactive gaming service provider's services and a written explanation of the basis for the procurement of the emergency interactive gaming service provider.
(c) An employee of the emergency interactive gaming service provider who is providing emergency services that requires access to an interactive gaming restricted area shall obtain a temporary access credential in accordance with § 808a.7 (relating to emergency and temporary credentials) prior to performing any work.
(d) If the slot machine licensee, interactive gaming certificateholder or interactive gaming operator continues to utilize the interactive gaming service provider after the emergency circumstances have passed or if the Bureau of Licensing determines that the circumstances did not necessitate the use of an emergency interactive gaming service provider that was not registered, certified or on the authorized list, the slot machine licensee, interactive gaming certificateholder, interactive gaming operator and interactive gaming service provider shall comply with this chapter.
§ 807a.9. Duty to investigate.
(a) A slot machine licensee, interactive gaming certificateholder or interactive gaming operator shall investigate the background and qualifications of the applicants for interactive gaming service provider registration or certification with whom it intends to have a contractual relationship or enter into an agreement.
(b) A slot machine licensee, interactive gaming certificateholder or interactive gaming operator shall have an affirmative duty to avoid agreements or relationships with persons applying for an interactive gaming service provider registration or certification whose background or associations are injurious to the public health, safety, morals, good order and general welfare of the residents of this Commonwealth, or who threaten the integrity of gaming in this Commonwealth.
(c) A slot machine licensee, an interactive gaming certificateholder or interactive gaming operator shall have a duty to inform the Board of an action by an applicant for or holder of an interactive gaming service provider registration or certification, which the slot machine licensee, interactive gaming certificateholder or interactive gaming operator believes would constitute a violation of the act or this part.
CHAPTER 808a. INTERACTIVE GAMING PRINCIPALS AND KEY, GAMING AND NONGAMING EMPLOYEES Sec.
808a.1. General provisions. 808a.2. Interactive gaming principals. 808a.3. Interactive key employees. 808a.4. Interactive gaming employees. 808a.5. Interactive nongaming employees. 808a.6. Board credentials. 808a.7. Emergency and temporary credentials. 808a.8. Loss, theft or destruction of credentials. § 808a.1. General provisions.
(a) An individual seeking a principal license, key employee license, gaming employee occupation permit or nongaming employee registration to participate in interactive gaming in this Commonwealth shall apply to the Board as follows:
(1) Principal and key employee applicants shall submit an original and one copy of a completed Multi-Jurisdictional Personal History Disclosure Form as well as an original and one copy of a completed Principal/Key Employee Form—Pennsylvania Supplement to the Multi-Jurisdictional Personal History Disclosure Form.
(2) Gaming employee occupation permit and nongaming employee registration applicants shall submit the Gaming Employee or Nongaming Employee Registration Application using the SLOTS Link Electronic Application system.
(3) All applicants shall submit the nonrefundable application fee posted on the Board's web site.
(b) In addition to the materials required in subsection (a), an applicant shall comply with the general application requirements in Chapters 421a and 423a (relating to general provisions; and applications; statement of conditions; wagering restrictions).
(c) The holder of a principal license, key employee license, gaming employee occupation permit or nongaming employee registration shall provide an updated photograph at the request of Board staff.
(d) An applicant for a gaming employee occupation permit or nongaming employee registration shall be at least 18 years of age.
(e) After reviewing the application and the results of the applicant's background investigation, the Board may issue a principal license, key employee license, gaming employee occupation permit or nongaming employee registration if the individual has proven that he is a person of good character, honesty and integrity, and is eligible and suitable to be licensed as a principal, key employee, gaming employee or nongaming employee.
(f) Slot machine licensees, interactive gaming certificateholders, interactive gaming operators, interactive gaming manufacturers, interactive gaming suppliers and interactive gaming service providers that hire an individual who holds a key employee license, gaming employee occupation permit or registration issued by the Board shall contact the Bureau of Licensing to confirm that the individual's key employee license, gaming employee occupation permit or registration is in good standing prior to allowing the individual to perform work associated with interactive gaming in this Commonwealth.
(g) An individual who holds a principal license, key employee license, gaming employee occupation permit or registration is subject to all of the following wagering restrictions relative to interactive gaming:
(1) An individual whose job duties include interactive gaming and who holds a license, permit or registration and is currently employed by or is a principal of an interactive certificateholder may not place wagers on web sites offered by or associated with the interactive certificateholder. The licensed, permitted or registered individual shall wait at least 30 days following the date that the individual is no longer employed in a position that includes interactive gaming job duties before the individual may wager on web sites offered by or associated with the interactive certificateholder.
(2) An individual who holds a license, permit or registration and is currently employed by or is a principal of an interactive gaming operator may not wager on web sites operated by the interactive gaming operator. The licensed, permitted or registered individual shall wait at least 30 days following the date that the individual is no longer employed by the interactive gaming operator before the individual may wager on web sites operated by the interactive gaming operator.
(3) An individual whose job duties include interactive gaming and who holds a license, permit or registration and is currently employed by or is a principal of an interactive manufacturer or interactive supplier may not wager on web sites associated with interactive certificateholders in this Commonwealth that offer games or use equipment manufactured, supplied, developed or programmed by the interactive manufacturer or interactive supplier.
§ 808a.2. Interactive gaming principals.
(a) Principals and principal entities, as defined in §§ 401a.3 and 433a.1 (relating to definitions), shall submit an application for licensure as described in § 808a.1 (relating to general provisions).
(b) A principal license and the renewal thereof is valid for 5 years from the date of approval of the application by the Board.
(c) A renewal application for a principal license shall be filed at least 6 months prior to expiration of the current license.
(d) A principal license for which a completed renewal application and fee has been received by the Board will continue in effect until acted upon by the Board.
(e) A principal license issued under this subpart will be only be valid for the licensed or certified entity with which the principal is associated.
§ 808a.3. Interactive key employees.
(a) Key employees, as defined in §§ 401a.3 and 801a.2 (relating to definitions), shall submit an application for licensure as described in § 808a.1 (relating to general provisions).
(b) A key employee license and the renewal thereof is valid for 5 years from the date of approval of the application by the Board.
(c) A renewal application for a key employee license shall be filed at least 6 months prior to expiration of the current license.
(d) A key employee license for which a completed renewal application and fee has been received by the Board will continue in effect until acted upon by the Board.
(e) A key employee license issued under this subpart will be valid for employment with any licensed or certified entity.
§ 808a.4. Interactive gaming employees.
(a) Gaming employees, as defined in §§ 401a.3 and 801a.2 (relating to definitions), shall submit an application for licensure as described in § 808a.1 (relating to general provisions).
(b) In addition to the materials required to be submitted under this subpart, gaming employee occupation permit applicants shall submit verification of an offer of employment from a licensed or certified entity.
(c) A gaming employee occupation permit and the renewal thereof is valid for 5 years from the date of approval of the application by the Board.
(d) A renewal application for a gaming employee occupation permit shall be filed at least 6 months prior to expiration of the current permit.
(e) A gaming employee occupation permit for which a completed renewal application and fee has been received by the Board will continue in effect until acted upon by the Board.
(f) An individual who wishes to receive a gaming employee occupation permit under this subpart may authorize an applicant for or holder of a slot machine license, interactive gaming certificate, interactive gaming license, interactive gaming manufacturer license, interactive gaming supplier license, or interactive gaming service provider certification or registration to file an application on the individual's behalf.
(g) A gaming employee occupation permit issued under this chapter will be valid for employment with any licensed, certified or registered entity.
§ 808a.5. Interactive nongaming employees.
(a) Nongaming employees, as defined in § 401a.3 (relating to definitions), shall submit an application for registration as described in § 808a.1 (relating to general provisions).
(b) In addition to the materials required to be submitted under this subpart, nongaming employee registration applicants shall submit verification of an offer of employment from a licensed or certified entity.
(c) A nongaming employee registration and the renewal thereof is valid for 5 years from the date of approval of the application by the Board.
(d) A renewal application for a nongaming employee registration shall be filed at least 6 months prior to expiration of the current registration.
(e) A nongaming employee registration for which a completed renewal application and fee has been received by the Board will continue in effect until acted upon by the Board.
(f) An individual who wishes to receive a nongaming employee registration under this subpart may authorize an applicant for or holder of a slot machine license, interactive gaming certificate, interactive gaming license, interactive gaming manufacturer license, interactive gaming supplier license, or interactive gaming service provider certification or registration to file an application on the individual's behalf.
(g) A nongaming employee registration issued under this chapter will be valid for employment with any licensed, certified or registered entity.
§ 808a.6. Board credentials.
The individuals required to be licensed, permitted or registered under this subpart shall obtain a Board credential as described in § 435a.6 (relating to Board credentials).
§ 808a.7. Emergency and temporary credentials.
The individuals required to be licensed, permitted or registered under this subpart may obtain an emergency or temporary Board credential as described in §§ 435a.7 and 435a.8 (relating to emergency credentials; and temporary credentials).
§ 808a.8. Loss, theft or destruction of credentials.
(a) As soon as possible, but no later than 24 hours following the loss, theft or destruction of a Board credential, emergency credential or temporary credential, the person to whom the credential was issued shall notify the Bureau of Licensing.
(b) The slot machine licensee, interactive gaming certificateholder or interactive gaming operator, on behalf of an employee whose Board-issued credential was lost, stolen or destroyed, may request a replacement Board credential by submitting a Request for Duplicate PGCB Credential Form and the fee established by the Board to the Bureau of Licensing.
CHAPTER 809a. INTERACTIVE GAMING PLATFORM REQUIREMENTS Sec.
809a.1. Scope. 809a.2. Definitions. 809a.3. Location of equipment. 809a.4. Physical and environmental controls for equipment. 809a.5. Access to equipment. 809a.6. System requirements. 809a.7. Geolocation requirements. 809a.8. Security policy requirements. § 809a.1. Scope.
To ensure players are not exposed to unnecessary security risks by choosing to participate in interactive gaming in this Commonwealth and to ensure the integrity and security of interactive gaming operations in this Commonwealth, the system requirements in this chapter apply to all of the following critical components of an interactive gaming system:
(1) Interactive gaming system components which record, store, process, share, transmit or retrieve sensitive player information (for example, credit and debit card details, authentication information and player account balances).
(2) Interactive gaming system components which generate, transmit or process random numbers used to determine the outcome of games or virtual events.
(3) Interactive gaming system components which store results or the current state of a player's wager.
(4) Points of entry and exit from the previously listed systems or other systems which are able to communicate directly with core critical systems.
(5) Communication networks which transmit sensitive player information.
§ 809a.2. Definitions.
The following words and terms, when used in this chapter, have the following meanings, unless the context clearly indicates otherwise:
Domain name system—The globally distributed Internet database which maps machine names to IP numbers, and vice versa.
Player device—The device that converts communications from the interactive gaming platform into a human interpretable form and converts human decisions into a communication format understood by the interactive gaming platform. The term includes personal computers, mobile phones, tablets, and the like.
Primary server—First source for Domain Name System data and responses to queries.
Remote access—Any access from outside the interactive gaming system or interactive gaming system network, including access from other networks within the same facility.
Secondary server or redundancy server—A server that shares the same features and capabilities as the primary server serves and acts as a second or substitutive point of contact in case the primary server is unavailable, busy or overloaded.
Stateful protocol—A protocol in which the communication system utilized by the player and the primary or secondary server tracks the state of the communication session.
Stateless protocol—A protocol in which neither the player nor the primary or secondary servers communication systems tracks the state of the communication session.
§ 809a.3. Location of equipment.
(a) The Board shall approve the location of all interactive gaming devices and associated equipment used by an interactive gaming certificateholder or interactive gaming operator to conduct interactive gaming. The interactive gaming devices and associated equipment may be located in a restricted area on the premises of the licensed facility, in an interactive gaming restricted area within the geographic limits of the county in this Commonwealth where the licensed facility is situated or any other area, located within the United States, provided the location adheres to all of the following limitations:
(1) The primary server used to resolve domain name service inquiries used by an interactive gaming certificateholder or interactive gaming operator to conduct interactive gaming in this Commonwealth must be physically located in a secure data center.
(2) Any redundancy, secondary and emergency servers used by an interactive gaming certificateholder or interactive gaming operator to conduct interactive gaming in this Commonwealth must be physically located in a secure data center at a separate premises than the primary server within the Commonwealth.
(b) The Board may require interactive gaming system data necessary to certify revenue and resolve player complaints to be maintained in this Commonwealth in a manner and location approved by the Board. The data must include data related to the calculation of revenue, player transactions, game transactions, game outcomes, responsible gaming and any other data which may be prescribed by the Board. The data must be maintained in a manner which prevents unauthorized access or modification without the prior approval of the Board.
§ 809a.4. Physical and environmental controls for equipment.
(a) An interactive gaming system and the associated communications systems must be located in facilities which provide physical protection against damage from fire, flood, hurricane, earthquake, and other forms of natural or manmade disaster by utilizing and implementing at least all of the following measures:
(1) Security perimeters (barriers such as walls, card-controlled entry gates or manned reception desks) must be used to protect areas that contain interactive gaming systems components.
(2) Secure areas must be protected by appropriate entry controls to ensure that access is restricted to only authorized personnel.
(3) All access must be recorded in a secure log which is available for inspection by Board staff.
(4) Secure areas must include an intrusion detection system. Attempts at unauthorized access must be logged.
(b) Interactive gaming system servers must be located in server rooms which prohibit unauthorized access.
(c) Interactive gaming system servers must be housed in racks located within a secure area.
(d) Interactive gaming system components must provide all of the following minimum utility support:
(1) Interactive gaming system components must be provided with adequate primary power.
(2) Interactive gaming system components must have uninterruptible power supply equipment to support operations in the event of a power failure.
(3) There must be adequate cooling for the equipment housed in the server area.
(4) Power and telecommunications cabling carrying data or supporting information services must be protected from interception or damage.
(5) There must be adequate fire protection for the interactive gaming system components housed in the server room.
§ 809a.5. Access to equipment.
(a) The interactive gaming certificateholder and interactive gaming operator shall limit and control access to the primary server and any secondary servers by ensuring all of the following:
(1) Maintain access codes and other computer security controls.
(2) Maintain logs of user access, security incidents and unusual transactions.
(3) Coordinate and develop an education and training program on information security and privacy matters for employees and other authorized users.
(4) Ensure compliance with all State and Federal information security policies and rules.
(5) Prepare and maintain security-related reports and data.
(6) Develop and implement an incident reporting and response system to address security breaches, policy violations and complaints from external parties.
(7) Develop and implement an ongoing risk assessment program that targets information security and privacy matters by identifying methods for vulnerability detection and remediation and overseeing the testing of those methods.
(b) Remote access to an interactive gaming certificateholder or interactive gaming operator's interactive gaming system is only permitted as follows:
(1) To Board employees upon request and without limitation.
(2) For testing purposes with prior approval from and as limited by the Board.
(3) By employees of an interactive gaming certificateholder or an interactive gaming operator with prior approval from and as limited by the Board.
(c) All interactive gaming certificateholder's or interactive gaming operator's interactive gaming systems must be available for independent testing by the Board, without limitation.
§ 809a.6. System requirements.
(a) Interactive gaming system methodology. An interactive gaming system shall be designed with a methodology (for example, cryptographic controls) approved by the Board to ensure secure communications between a player's device and the interactive gaming system. When reviewing the security of an interactive gaming certificateholder or interactive gaming operator's interactive gaming system methodology, the Board will consider all of the following:
(1) The interactive gaming system methodology shall be designed to ensure the integrity and confidentiality of all player communication and ensure the proper identification of the sender and receiver of all communications. If communications are performed across a third-party network, the system must either encrypt the data packets or utilize a secure communications protocol to ensure the integrity and confidentiality of the transmission.
(2) Wireless communications between the player device and the primary or secondary server must be encrypted in transit using a method (for example, AES, IPsec and WPA2) approved by the Board.
(3) An interactive gaming certificateholder or interactive gaming operator shall mask the service set identification of the interactive gaming system network to ensure that it is unavailable to the general public.
(4) All communications that contain patron account numbers, user identification, or passwords and PINs must utilize a secure method of transfer (for example, 128-bit key encryption) approved by the Board.
(5) Only devices authorized by the Board are permitted to establish communications between a player device and an interactive gaming system.
(6) Server-based interactive gaming systems must maintain an internal clock that reflects the current date and time that must be used to synchronize the time and date among all components that comprise the interactive gaming system. The interactive gaming system date and time must be visible to the patron when logged on.
(b) Change or modification. Any change or modification to the interactive gaming system shall be handled in accordance with the Change Management guidelines issued and distributed to interactive gaming certificateholders, interactive gaming operators, and interactive gaming manufacturers.
(c) Standards for data logging. An interactive gaming system must meet all of the following standards regarding data logging:
(1) Interactive gaming systems must employ a mechanism capable of maintaining a separate copy of all of the information required to be logged in this section on a separate and independent logging device capable of being administered by an employee with no incompatible function. If the interactive gaming system can be configured so that any logged data is contained in a secure transaction file, a separate logging device is not required.
(2) Interactive gaming systems must provide a mechanism for the Board to query and export, in a format required by the Board, all interactive gaming system data.
(3) Interactive gaming systems must electronically log the date and time any player gaming account is created or terminated (Account Creation Log).
(4) An interactive gaming system must maintain all information necessary to recreate player game play and account activity during each player session, including any identity or location verifications, for not less than 10 years.
(5) Unless otherwise authorized by the Board, when software is installed on or removed from an interactive gaming system, the action must be recorded in a secure electronic log (Software Installation/Removal Log), which must include all of the following:
(i) The date and time of the action.
(ii) The identification of the software.
(iii) The identity of the person performing the action.
(6) Unless otherwise authorized by the Board, when a change in the availability of game software is made on an interactive gaming system, the change must be recorded in a secure electronic log (Game Availability Log), which must include:
(i) The date and time of the change.
(ii) The identification of the software.
(iii) The identity of the person performing the change.
(7) Unless otherwise exempted by the Board, an interactive gaming system must record all promotional offers (Promotions Log) issued through the system. The log must provide the information necessary as determined by the Board to audit compliance with the terms and conditions of current and previous offers.
(8) Results of all authentication attempts must be retained in an electronic log (Authentication Log) and accessible for not less than 90 days.
(9) All adjustments to an interactive gaming system data made using stored procedures must be recorded in an electronic log (Adjustments Log), which lists all of the following:
(i) The date and time.
(ii) The identification and user ID of user performing the action.
(iii) A description of the event or action taken.
(iv) The initial and ending values of any data altered as a part of the event or action performed.
(d) Security requirements.
(1) Networks should be logically separated so that there should be no network traffic on a network link which cannot be serviced by hosts on that link.
(2) Networks must meet all of the following requirements to assure security:
(i) The failure of any single item should not result in a denial of service.
(ii) An intrusion detection system/intrusion prevention system must be installed on the network which can do all of the following:
(A) Listen to both internal and external communications.
(B) Detect or prevent Distributed Denial of Service attacks.
(C) Detect or prevent shellcode from traversing the network.
(D) Detect or prevent Address Resolution Protocol spoofing.
(E) Detect other Man-in-the-Middle indicators and server communication immediately.
(iii) Each server instance in cloud and virtualized environments should perform only one function.
(iv) In virtualized environments, redundant server instances cannot run under the same hypervisor.
(v) Stateless protocols should not be used for sensitive data without stateful transport.
(vi) All changes to network infrastructure must be logged.
(vii) Virus scanners or detection programs, or both, should be installed on all pertinent information systems and should be updated regularly to scan for new strains of viruses.
(viii) Network security should be tested by a qualified and experienced individual on a regular basis.
(ix) Testing should include testing of the external interfaces and internal network.
(x) Testing of each security domain on the internal network should be undertaken separately.
(3) Networks shall be assessed by an independent, third-party auditor on an annual basis to evaluate the effectiveness of the information technology security measures in place for the network, with a report to be provided to the Board outlining any weaknesses or deficiencies and recommendations on how such issues may be remedied.
(e) Self-monitoring of critical components. The interactive gaming system must implement the self-monitoring of critical components. A critical component that fails self-monitoring tests shall be taken out of service immediately and may not be returned to service until there is reasonable evidence that the fault has been rectified. Required self-monitoring measures include all of the following:
(1) The clocks of all components of the interactive gaming system must be synchronized with an agreed accurate time source to ensure consistent logging. Time skew shall be checked periodically.
(2) Audit logs recording user activities, exceptions and information security events must be produced and kept for a period of time to be determined by the Board to assist in investigations and access control monitoring.
(3) System administrators and system operator activities must be logged.
(4) Logging facilities and log information must be protected against tampering and unauthorized access.
(5) Any modifications, attempted modifications, read access, or other change or access to any interactive gaming system record, audit or log must be detectable by the interactive gaming system. It must be possible to see who has viewed or altered a log and when.
(6) Logs generated by monitoring activities shall be reviewed periodically using a documented process. A record of each review must be maintained.
(7) Interactive gaming system faults shall be logged, analyzed and appropriate actions taken.
(8) Network appliances with limited onboard storage must disable all communication if the audit log becomes full or offload logs to a dedicated log server.
(f) System disclosure requirements.
(1) A petitioner for or holder of an interactive gaming certificate, an applicant for or holder of an interactive gaming license, and an applicant for or holder of an interactive gaming manufacturer license shall seek Board approval of all source code used to conduct interactive gaming in this Commonwealth.
(2) All documentation relating to software and application development should be available for Board inspection and retained for the duration of its lifecycle.
(3) All software used to conduct interactive gaming in this Commonwealth shall be designed with a method, approved by the Board, that permits remote validation of software.
(g) Shutdown and recovery capabilities. The interactive gaming system must have all of the following shutdown and recovery capabilities to maintain the integrity of the hardware, software and data contained therein in the event of a shutdown:
(1) The interactive gaming system must be able to perform a graceful shutdown and only allow automatic restart on power up after all of the following procedures have been performed:
(i) The program resumption routine, including self-tests, completes successfully.
(ii) All critical control program components of the interactive gaming system have been authenticated using a method approved by the Board.
(iii) Communication with all components necessary for the interactive gaming system operation have been established and similarly authenticated.
(2) The interactive gaming system must be able to identify and properly handle the situation when master resets have occurred on other remote gaming components which affect game outcome, win amount or reporting.
(3) The interactive gaming system must have the ability to restore the system from the last backup.
(4) The interactive gaming system must be able to recover all critical information from the time of the last backup to the point in time at which the interactive gaming system failure or reset occurred.
(h) Recovery plan. An interactive gaming certificateholder or interactive gaming operator shall have a plan in place, approved by the Board, to recover interactive gaming operations in the event that the interactive gaming system is rendered inoperable (that is, Disaster/Emergency Recovery Plan). When reviewing the sufficiency of an interactive gaming certificateholder or interactive gaming operator's plan to recover interactive gaming system operations in the event the interactive gaming system is rendered inoperable, the Board will consider all of the following:
(1) The method of storing player account information and gaming data to minimize loss in the event the interactive gaming system is rendered inoperable.
(2) If asynchronous replication is used, the method for recovering data should be described or the potential loss of data should be documented.
(i) Recovery plan requirements. An interactive gaming certificateholder's or interactive gaming operator's Disaster/Emergency Recovery Plan must also:
(1) Delineate the circumstances under which it will be invoked.
(2) Address the establishment of a recovery site physically separated from the interactive gaming system site.
(3) Contain recovery guides detailing the technical steps required to re-establish gaming functionality at the recovery site.
(4) Include a Business Continuity Plan that addresses the process required to resume administrative operations of interactive gaming activities after the activation of the recovered platform for a range of scenarios appropriate for the operations context of the interactive gaming system.
(j) Location of equipment. Equipment used by a server-based interactive gaming system for the sole purpose of restoring data following a disaster must be located in a location within the United States as approved by the Board.
(k) Player self-exclusion. The interactive gaming system must provide an easy and obvious mechanism for players to access the Board's self-exclusion database to self-exclude from interactive gaming.
(l) Mechanism for temporary suspension. The interactive gaming system must provide a mechanism by which a player may elect to temporarily suspend his or her interactive gaming account for a period of no less than 72 hours in accordance with the terms and conditions agreed to by the player upon registration.
§ 809a.7. Geolocation requirements.
(a) An interactive gaming system must employ a mechanism to detect the physical location of a player upon logging into the interactive gaming system and as frequently as specified in the Board's technical standards and the interactive gaming certificateholder's or interactive gaming operator's approved internal controls submission. If the system detects that the physical location of the player is in an area unauthorized for an interactive gaming system, the system shall not accept wagers and must disable any interactive gaming activity for that player until the player is in an authorized location.
(b) The geolocation system must be equipped to dynamically monitor the player's location and block unauthorized attempts to access the interactive gaming system throughout the duration of the gaming session.
(c) An interactive gaming certificateholder or interactive gaming operator must prevent registered players within a licensed facility from accessing authorized interactive games on the registered player's own computers or other devices through the use of geolocation technologies.
(d) Interactive gaming shall only occur within this Commonwealth unless the conduct of gaming is not inconsistent with Federal law, law of the jurisdiction, including any foreign nation, in which the participating player is located, or the gaming activity is conducted pursuant to a reciprocal agreement to which the Commonwealth is a party that is not inconsistent with Federal law.
§ 809a.8. Security policy requirements.
Interactive gaming certificateholders and interactive gaming operators shall adopt and maintain a Board-approved information security policy which describes the certificateholder's or licensee's approach to managing information security and its implementation. This policy is required in addition to any similar requirements that may be imposed as part of the certificateholder's or licensee's internal controls. The information security policy must:
(1) Have a provision requiring review when changes occur to the interactive gaming system or the processes which alter the risk profile of the interactive gaming system.
(2) Be approved by the certificateholder's or licensee's management.
(3) Be communicated to all employees and relevant external parties.
(4) Undergo review at planned intervals.
(5) Delineate the responsibilities of the certificate- holder's or licensee's staff and the staff of any third parties for the operation, service and maintenance of the interactive gaming system and its components.
[Continued on next Web Page]
No part of the information on this site may be reproduced for profit or sold for profit.This material has been drawn directly from the official Pennsylvania Bulletin full text database. Due to the limitations of HTML or differences in display capabilities of different browsers, this version may differ slightly from the official printed version.