Pennsylvania Code & Bulletin
COMMONWEALTH OF PENNSYLVANIA

PA Bulletin, Doc. No. 21-1379a

[51 Pa.B. 5389]
[Saturday, August 28, 2021]

CHAPTER 807a. INTERACTIVE GAMING SERVICE PROVIDERS

Sec.

807a.1. General interactive gaming service provider requirements.
807a.2. Interactive gaming service provider certification applications.
807a.3. Interactive gaming service provider registration applications.
807a.4. Qualification of individuals and entities of certified interactive gaming service providers.
807a.5. Interactive gaming service provider registration and certification term and renewal.
807a.6. Authorized gaming service providers list; prohibited gaming service providers.
807a.7. Permission to conduct business prior to certification or registration.
807a.8. Emergency interactive gaming service provider.
807a.9. Duty to investigate.

§ 807a.1. General interactive gaming service provider requirements.

 (a) Except as provided in § 807a.9 (relating to duty to investigate), an interactive gaming service provider or person seeking to conduct business with an interactive gaming certificate holder or interactive gaming operator shall apply to the Board for certification if the interactive gaming service provider or person is providing any of the following:

 (1) Data hosting services unless the hosting service is in a jurisdiction, the standards of which are recognized by the Board, the owner of the hardware is licensed as an interactive gaming operator by the Board and the facility is approved by the Board.

 (2) Payment processing and related money-transmitting services with direct contact with a registered player's interactive gaming account.

 (3) Customer identity, age verification and geo-location verification used in the conduct of interactive gaming, regardless of the interactive gaming service provider or person's contractual relationship with an interactive gaming certificate holder.

 (4) Interactive affiliate goods or services and the interactive affiliate is being paid a revenue share. As used in this subsection, "interactive affiliate" means an individual or entity involved in promoting, marketing and directing business to online gaming sites in exchange for compensation paid based on player activity, not a flat fee.

 (5) Any other person as determined by the Board.

 (b) Except as provided in § 807a.9, a gaming service provider or person seeking to conduct business with an interactive gaming certificate holder or interactive gaming operator shall apply to the Board for a registration if the interactive gaming service provider or person is providing goods or services related to interactive gaming or interactive wagering and the interactive gaming service provider or person is not required to be certified as an interactive gaming service provider. This subsection applies to interactive affiliates involved in promoting, marketing and directing business to online gaming sites in exchange for a flat fee.

 (c) A holder of an interactive gaming service provider certification, registration or authorization shall have a continuing duty to comply with the general application requirements in Chapters 421a and 423a (relating to general provisions; and applications; statement of conditions; wagering restrictions).

§ 807a.2. Interactive gaming service provider certification applications.

 (a) An interactive gaming service provider seeking certification shall submit a Certification Application and Disclosure Form. The application and fee toward the cost of the investigation of the applicant, as posted on the Board's web site, shall be submitted to the Bureau of Licensing by the interactive gaming service provider unless otherwise directed by the Bureau of Licensing.

 (b) In addition to the requirements in subsection (a), an applicant for an interactive gaming service provider certification shall do all of the following:

 (1) Submit applications and release authorizations for each individual required to be qualified under § 807a.4 (relating to qualification of individuals and entities of certified interactive gaming service providers).

 (2) Comply with the general application requirements in Chapters 421a and 423a (relating to general provisions; and applications; statement of conditions; wagering restrictions).

 (c) An applicant for an interactive gaming service provider certification shall reimburse the Board for costs incurred in conducting the investigation of the applicant.

 (d) An interactive gaming service provider certification will not be issued until all fees and costs have been paid.

§ 807a.3. Interactive gaming service provider registration applications.

 (a) An interactive gaming service provider seeking registration shall complete a Gaming Service Provider Registration Form. The application and fee toward the cost of the investigation of the applicant, as posted on the Board's web site, shall be submitted to the Bureau of Licensing by the interactive gaming service provider unless otherwise directed by the Bureau of Licensing.

 (b) In addition to the materials required under subsection (a), an applicant for an interactive gaming service provider registration shall do all of the following:

 (1) Submit release authorizations for each individual required to be qualified under § 807a.4 (relating to qualification of individuals and entities of certified interactive gaming service providers).

 (2) Comply with the general application requirements in Chapters 421a and 423a (relating to general provisions; and applications; statement of conditions; wagering restrictions).

 (3) Submit fingerprints of all of the following individuals in a manner prescribed by the Bureau:

 (i) Each officer and director of the registered interactive gaming service provider applicant. For purposes of this subparagraph, "officer" means a president, a chief executive officer, a chief financial officer and a chief operating officer, and any person routinely performing corresponding functions with respect to an organization whether incorporated or unincorporated.

 (ii) Each individual who has a direct or indirect ownership or beneficial interest of 10% or more in the registered interactive gaming service provider applicant.

 (iii) Each salesperson of a registered interactive gaming service provider applicant who solicits business from, or has regular contact with, any representatives of an interactive certificate holder or interactive gaming operator or any employee of a registered interactive gaming service provider applicant who will be engaging in that conduct.

 (c) A person who holds any direct or indirect ownership or beneficial interest in a registered interactive gaming service provider or applicant for interactive gaming service provider registration, or has the right to any profits or distributions directly or indirectly, from the registered interactive gaming service provider or applicant for interactive gaming service provider registration may be required to submit fingerprints if the Bureau determines that the submission of fingerprints of the person is necessary to protect the public interest or to enhance the integrity of gaming in this Commonwealth.

 (d) Each of the individuals required to submit fingerprints under subsection (b)(3) shall be found qualified by the Board.

 (e) An individual who is a gaming or nongaming employee as defined in § 801a.2 (relating to definitions) shall obtain a gaming employee occupation permit in accordance with § 808a.4 (relating to interactive gaming employees) or a nongaming employee registration in accordance with § 808a.5 (relating to interactive nongaming employees).

 (f) An applicant for an interactive gaming service provider registration shall reimburse the Board for costs incurred in conducting the investigation of the applicant.

 (g) An interactive gaming service provider registration will not be issued until all fees and costs have been paid.

§ 807a.4. Qualification of individuals and entities of certified interactive gaming service providers.

 (a) The following individuals shall submit a Pennsylvania Personal History Disclosure Form and be found qualified by the Board:

 (1) Each officer and director of a certified interactive gaming service provider or applicant for interactive gaming service provider certification. For the purposes of this paragraph, "officer" means a president, a chief executive officer, a chief financial officer, and a chief operating officer and any person routinely performing corresponding functions with respect to an organization whether incorporated or unincorporated.

 (2) Each individual who has a direct or indirect ownership or beneficial interest of 10% or more in the certified interactive gaming service provider or applicant for interactive gaming service provider certification. A certified interactive gaming service provider or applicant for interactive gaming service provider certification shall provide information or documentation requested by the Board necessary to determine compliance with this paragraph.

 (3) Each salesperson of a certified interactive gaming service provider or applicant for interactive gaming service provider certification who solicits business from, or has regular contact with, any representatives of an interactive gaming certificate holder or interactive gaming operator or any employee of a certified interactive gaming service provider or applicant for interactive gaming service provider certification who will be engaging in that conduct.

 (b) Each entity that directly owns 20% or more of the voting securities of a certified interactive gaming service provider or person applying for interactive gaming service provider certification shall file a Certification Form—Holding Company with the Bureau of Licensing and be found qualified by the Board.

 (c) The following persons may be required to submit a Certification Form—Holding Company or a Pennsylvania Personal History Disclosure Form and be found qualified by the Board if the Bureau of Licensing determines that the qualification of the person is necessary to protect the public interest or to enhance the integrity of gaming in this Commonwealth.

 (1) An intermediary or holding company of a certified interactive gaming service provider or person or applicant for interactive gaming service provider certification not otherwise required to be qualified.

 (2) An officer or director of an intermediary or holding company of a certified interactive gaming service provider or applicant for interactive gaming service provider certification.

 (3) An employee of a certified interactive gaming service provider or applicant for interactive gaming service provider certification.

 (4) A person who holds any direct or indirect ownership or beneficial interest in a certified interactive gaming service provider or applicant for interactive gaming service provider certification, or has the right to any profits or distribution, directly or indirectly, from the certified interactive gaming service provider or applicant for interactive gaming service provider certification.

 (5) A trustee of a trust that is required to be found qualified under this section.

 (d) The Bureau of Licensing may issue a temporary credential to an individual who is required to be qualified by the Board under this section if all of the following apply:

 (1) The individual's presence in an interactive gaming restricted area is needed.

 (2) The company with which the individual is associated is on the authorized gaming service provider list.

 (e) Upon request, the Bureau of Licensing will issue a credential to an individual who has been found qualified under this section if the interactive gaming service provider has been certified.

 (f) An employee of a certified or registered interactive gaming service provider who is a gaming or nongaming employee as defined in § 801a.2 (relating to definitions) shall obtain a permit under § 808a.4 (relating to interactive gaming employees) or registration under § 808a.5 (relating to interactive nongaming employees).

§ 807a.5. Interactive gaming service provider registration and certification term and renewal.

 (a) Interactive gaming service provider certifications, registrations and renewals issued under this subpart will be valid for 5 years from the date of Board approval.

 (b) Registered and certified interactive gaming service providers shall submit to the Board a completed renewal application or form and renewal fee at least 6 months prior to the expiration of a certification, registration or authorization.

 (c) A certification or registration for which a completed renewal application and fee has been received by the Bureau of Licensing will continue to be in effect until the Board sends written notification to the holder of the certification or registration that the Board has approved or denied the certification or registration.

§ 807a.6. Authorized gaming service providers list; prohibited gaming service providers.

 (a) The Board will maintain a list of authorized gaming service providers and a list of prohibited gaming service providers. The authorized list will contain the names of persons who have been:

 (1) Registered or certified.

 (2) Authorized to conduct business with an interactive certificate holder or interactive gaming operator under § 437a.9 (relating to permission to conduct business prior to certification or registration).

 (b) Except as permitted under §§ 437a.1(a)(2), (d) and (g) and 437a.10 (relating to general gaming service provider requirements; and emergency gaming service provider), an interactive gaming certificate holder or interactive gaming operator may not purchase goods or services from an interactive gaming service provider unless the interactive gaming service provider is on the authorized gaming service provider list. A slot machine licensee, interactive gaming certificate holder or interactive gaming operator or applicant or any affiliate, intermediary, subsidiary or holding company thereof acting on behalf of the slot machine licensee, interactive gaming certificate holder, interactive gaming operator or applicant may not enter into an agreement or continue to do business with an interactive gaming service provider on the prohibited gaming service providers list.

 (c) The Board may place a person or provider on the prohibited gaming service provider list if any of the following apply:

 (1) The interactive gaming service provider has failed to comply with this chapter.

 (2) The interactive gaming service provider has failed to cooperate with Board staff in its review and investigation of the interactive gaming service provider's application.

 (3) The interactive gaming service provider's application for certification or registration has been denied or withdrawn with prejudice or the interactive gaming service provider has had its interactive gaming service provider certification or registration suspended or revoked.

 (4) The interactive gaming service provider has failed to provide information to a slot machine licensee, an interactive gaming certificate holder or interactive gaming operator that is necessary for the slot machine licensee, interactive gaming certificate holder or interactive gaming operator to comply with this chapter.

 (d) A person seeking to be removed from the list of prohibited gaming service providers shall file a petition for removal in accordance with § 493a.4 (relating to petitions generally) and shall be responsible for all costs associated with the person's petition for removal from the list of prohibited gaming service providers. The petition must state the specific grounds believed by the petitioner to constitute good cause for removal from the prohibited gaming service providers list and how the interactive gaming service provider has cured any deficiencies that led to the interactive gaming service provider being placed on the prohibited gaming service providers list.

 (e) The Board may impose a monetary penalty or other appropriate sanction in connection with the removal of a person from the list of prohibited gaming service providers or attach any reasonable condition to the removal of a person from the list of prohibited gaming service providers.

§ 807a.7. Permission to conduct business prior to certification or registration.

 (a) Notwithstanding § 807a.1 (relating to general interactive gaming service provider requirements), the Bureau of Licensing may authorize an applicant for an interactive gaming service provider certification or registration to conduct business with a slot machine licensee, an interactive gaming certificate holder or interactive gaming operator prior to the certification or registration of the interactive gaming service provider applicant if all of the following criteria are met:

 (1) A completed Gaming Service Provider Registration Form or a completed Gaming Service Provider Certification Application and Disclosure Information Form has been filed by the slot machine licensee, interactive gaming certificate holder or interactive gaming operator in accordance with § 807a.2 or § 807a.3 (relating to interactive gaming service provider certification applications; and interactive gaming service provider registration applications).

 (2) The applicant for an interactive gaming service provider registration or certification agrees, in writing, that the grant of permission to conduct business prior to registration or certification does not create a right to continue to conduct business and that the Bureau of Licensing may rescind, at any time, the authorization granted pursuant to this section, with or without prior notice to the applicant, if the Bureau of Licensing is informed that the suitability of the applicant may be at issue or the applicant fails to cooperate in the application or investigatory process.

 (b) If the Office of Enforcement Counsel issues a Notice of Recommendation for Denial to an applicant for certification or registration, the Bureau of Licensing may rescind the permission granted to the applicant for certification or registration to conduct business with a slot machine licensee, interactive gaming certificate holder or interactive gaming operator under subsection (a). If the permission is rescinded, the applicant for certification or registration shall cease conducting business with the slot machine licensee, interactive gaming certificate holder, interactive gaming operator or applicant by the date specified in the notice of the rescission by the Bureau of Licensing under subsection (c).

 (c) The Bureau of Licensing will notify the applicant for certification or registration and the slot machine licensee, interactive gaming certificate holder, interactive gaming operator or applicant by registered mail and e-mail that permission for the applicant for certification or registration to conduct business with the slot machine licensee, interactive gaming certificate holder, interactive gaming operator or applicant under subsection (a) has been rescinded and that the slot machine licensee, interactive gaming certificate holder, interactive gaming operator or applicant shall cease conducting business with the applicant for certification or registration by the date specified in the notice.

§ 807a.8. Emergency interactive gaming service provider.

 (a) An interactive gaming certificate holder or interactive gaming operator may utilize an interactive gaming service provider that is not registered, certified or authorized to conduct business in accordance with § 807a.7 (relating to permission to conduct business prior to certification or registration) when a threat to public health, welfare or safety exists or circumstances outside the control of the slot machine licensee, interactive gaming certificate holder or interactive gaming operator create an urgency of need which does not permit the delay involved in using the formal method of interactive gaming service provider certification or registration. A slot machine licensee, interactive gaming certificate holder or interactive gaming operator may not use an interactive gaming service provider on the prohibited list.

 (b) When using an interactive gaming service provider that is not registered, certified or authorized to conduct business to respond to an emergency, the slot machine licensee, interactive gaming certificate holder or interactive gaming operator shall do all of the following:

 (1) Immediately notify the Bureau of Licensing of the emergency and the interactive gaming service provider that was selected to provide emergency services.

 (2) File an Interactive Gaming Service Provider Emergency Notification Form with the Bureau of Licensing within 72 hours after commencement of the interactive gaming service provider's services and a written explanation of the basis for the procurement of the emergency interactive gaming service provider.

 (c) An employee of the emergency interactive gaming service provider who is providing emergency services that require access to an interactive gaming restricted area shall obtain a temporary access credential in accordance with § 808a.7 (relating to emergency and temporary credentials) prior to performing any work.

 (d) If the slot machine licensee, interactive gaming certificate holder or interactive gaming operator continues to utilize the interactive gaming service provider after the emergency circumstances have passed or if the Bureau of Licensing determines that the circumstances did not necessitate the use of an emergency interactive gaming service provider that was not registered, certified or on the authorized list, the slot machine licensee, interactive gaming certificate holder, interactive gaming operator and interactive gaming service provider shall comply with this chapter.

§ 807a.9. Duty to investigate.

 (a) A slot machine licensee, interactive gaming certificate holder or interactive gaming operator shall investigate the background and qualifications of the applicants for interactive gaming service provider registration or certification with whom it intends to have a contractual relationship or enter into an agreement.

 (b) A slot machine licensee, interactive gaming certificate holder or interactive gaming operator shall have an affirmative duty to avoid agreements or relationships with persons applying for an interactive gaming service provider registration or certification whose background or associations are injurious to the public health, safety, morals, good order and general welfare of the residents of this Commonwealth, or who threaten the integrity of gaming in this Commonwealth.

 (c) A slot machine licensee, an interactive gaming certificate holder or interactive gaming operator shall have a duty to inform the Board of an action by an applicant for or holder of an interactive gaming service provider registration or certification, which the slot machine licensee, interactive gaming certificate holder or interactive gaming operator believes would constitute a violation of the act or this part.

CHAPTER 808a. INTERACTIVE GAMING PRINCIPALS AND KEY, GAMING AND NONGAMING EMPLOYEES

Sec.

808a.1. General provisions.
808a.2. Interactive gaming principals.
808a.3. Interactive key employees.
808a.4. Interactive gaming employees.
808a.5. Interactive nongaming employees.
808a.6. Board credentials.
808a.7. Emergency and temporary credentials.
808a.8. Loss, theft or destruction of credentials.

§ 808a.1. General provisions.

 (a) An individual seeking a principal license, key employee license, gaming employee occupation permit or nongaming employee registration to participate in interactive gaming in this Commonwealth shall apply to the Board as follows:

 (1) Principal and key employee applicants shall submit a completed Multi-Jurisdictional Personal History Disclosure Form as well as a completed Principal/Key Employee Form—Pennsylvania Supplement to the Multi-Jurisdictional Personal History Disclosure Form.

 (2) Gaming employee occupation permit and nongaming employee registration applicants shall submit the Gaming Employee or Nongaming Employee Registration Application using the SLOTS Link Electronic Application system.

 (3) All applicants shall submit the nonrefundable application fee posted on the Board's web site.

 (b) In addition to the materials required in subsection (a), an applicant shall comply with the general application requirements in Chapters 421a and 423a (relating to general provisions; and applications; statement of conditions; wagering restrictions).

 (c) The holder of a principal license, key employee license, gaming employee occupation permit or nongaming employee registration shall provide an updated photograph at the request of Board staff.

 (d) An applicant for a gaming employee occupation permit or nongaming employee registration shall be at least 18 years of age.

 (e) After reviewing the application and the results of the applicant's background investigation, the Board may issue a principal license, key employee license, gaming employee occupation permit or nongaming employee registration if the individual has proven that he is a person of good character, honesty and integrity, and is eligible and suitable to be licensed as a principal, key employee, gaming employee or nongaming employee.

 (f) Slot machine licensees, interactive gaming certificate holders, interactive gaming operators, interactive gaming manufacturers, interactive gaming suppliers and interactive gaming service providers that hire an individual who holds a key employee license, gaming employee occupation permit or registration issued by the Board shall contact the Bureau of Licensing to confirm that the individual's key employee license, gaming employee occupation permit or registration is in good standing prior to allowing the individual to perform work associated with interactive gaming in this Commonwealth.

 (g) An individual who holds a principal license, key employee license, gaming employee occupation permit or registration is subject to all of the following wagering restrictions relative to interactive gaming:

 (1) An individual whose job duties include interactive gaming and who holds a license, permit or registration and is currently employed by or is a principal of an interactive certificate holder may not place wagers on web sites offered by or associated with the interactive certificate holder. The licensed, permitted or registered individual shall wait at least 30 days following the date that the individual is no longer employed in a position that includes interactive gaming job duties before the individual may wager on web sites offered by or associated with the interactive certificate holder.

 (2) An individual who holds a license, permit or registration and is currently employed by or is a principal of an interactive gaming operator may not wager on web sites operated by the interactive gaming operator. The licensed, permitted or registered individual shall wait at least 30 days following the date that the individual is no longer employed by the interactive gaming operator before the individual may wager on web sites operated by the interactive gaming operator.

 (3) An individual whose job duties include interactive gaming and who holds a license, permit or registration and is currently employed by or is a principal of an interactive manufacturer or interactive supplier may not wager on web sites associated with interactive certificate holders in this Commonwealth that offer games or use equipment manufactured, supplied, developed or programmed by the interactive manufacturer or interactive supplier.

§ 808a.2. Interactive gaming principals.

 (a) Principals and principal entities, as defined in §§ 401a.3 and 433a.1 (relating to definitions), shall submit an application for licensure as described in § 808a.1 (relating to general provisions).

 (b) A principal license and the renewal thereof is valid for 5 years from the date of approval of the application by the Board.

 (c) A renewal application for a principal license shall be filed at least 6 months prior to expiration of the current license.

 (d) A principal license for which a completed renewal application and fee has been received by the Board will continue in effect until acted upon by the Board.

 (e) A principal license issued under this subpart will only be valid for the licensed or certified entity with which the principal is associated.

§ 808a.3. Interactive key employees.

 (a) Key employees, as defined in §§ 401a.3 and 801a.2 (relating to definitions), shall submit an application for licensure as described in § 808a.1 (relating to general provisions).

 (b) A key employee license and the renewal thereof is valid for 5 years from the date of approval of the application by the Board.

 (c) A renewal application for a key employee license shall be filed at least 6 months prior to expiration of the current license.

 (d) A key employee license for which a completed renewal application and fee has been received by the Board will continue in effect until acted upon by the Board.

 (e) A key employee license issued under this subpart will be valid for employment with any licensed or certified entity.

§ 808a.4. Interactive gaming employees.

 (a) Gaming employees, as defined in §§ 401a.3 and 801a.2 (relating to definitions), shall submit an application for licensure as described in § 808a.1 (relating to general provisions).

 (b) In addition to the materials required to be submitted under this subpart, gaming employee occupation permit applicants shall submit verification of an offer of employment from a licensed or certified entity.

 (c) A gaming employee occupation permit and the renewal thereof is valid for 5 years from the date of approval of the application by the Board.

 (d) A renewal application for a gaming employee occupation permit shall be filed at least 6 months prior to expiration of the current permit.

 (e) A gaming employee occupation permit for which a completed renewal application and fee has been received by the Board will continue in effect until acted upon by the Board.

 (f) An individual who wishes to receive a gaming employee occupation permit under this subpart may authorize an applicant for or holder of a slot machine license, interactive gaming certificate, interactive gaming license, interactive gaming manufacturer license, interactive gaming supplier license, or interactive gaming service provider certification or registration to file an application on the individual's behalf.

 (g) A gaming employee occupation permit issued under this chapter will be valid for employment with any licensed, certified or registered entity.

§ 808a.5. Interactive nongaming employees.

 (a) Nongaming employees, as defined in § 401a.3 (relating to definitions), shall submit an application for registration as described in § 808a.1 (relating to general provisions).

 (b) In addition to the materials required to be submitted under this subpart, nongaming employee registration applicants shall submit verification of an offer of employment from a licensed or certified entity.

 (c) A nongaming employee registration and the renewal thereof is valid for 5 years from the date of approval of the application by the Board.

 (d) A renewal application for a nongaming employee registration shall be filed at least 6 months prior to expiration of the current registration.

 (e) A nongaming employee registration for which a completed renewal application and fee has been received by the Board will continue in effect until acted upon by the Board.

 (f) An individual who wishes to receive a nongaming employee registration under this subpart may authorize an applicant for or holder of a slot machine license, interactive gaming certificate, interactive gaming license, interactive gaming manufacturer license, interactive gaming supplier license, or interactive gaming service provider certification or registration to file an application on the individual's behalf.

 (g) A nongaming employee registration issued under this chapter will be valid for employment with any licensed, certified or registered entity.

§ 808a.6. Board credentials.

 The individuals required to be licensed, permitted or registered under this subpart shall obtain a Board credential as described in § 435a.6 (relating to Board credentials).

§ 808a.7. Emergency and temporary credentials.

 The individuals required to be licensed, permitted or registered under this subpart may obtain an emergency or temporary Board credential as described in §§ 435a.7 and 435a.8 (relating to emergency credentials; and temporary credentials).

§ 808a.8. Loss, theft or destruction of credentials.

 (a) As soon as possible, but no later than 24 hours following the loss, theft or destruction of a Board credential, emergency credential or temporary credential, the person to whom the credential was issued shall notify the Bureau of Licensing.

 (b) The slot machine licensee, interactive gaming certificate holder or interactive gaming operator, on behalf of an employee whose Board-issued credential was lost, stolen or destroyed, may request a replacement Board credential by submitting a Request for Duplicate PGCB Credential Form and the fee established by the Board to the Bureau of Licensing.

CHAPTER 809a. INTERACTIVE GAMING PLATFORM REQUIREMENTS

Sec.

809a.1. Scope.
809a.2. Definitions.
809a.3. Location of equipment.
809a.4. Physical and environmental controls for equipment.
809a.5. Access to equipment.
809a.6. System requirements.
809a.7. Geolocation requirements.
809a.8. Security policy requirements.

§ 809a.1. Scope.

 To ensure players are not exposed to unnecessary security risks by choosing to participate in interactive gaming in this Commonwealth and to ensure the integrity and security of interactive gaming operations in this Commonwealth, the system requirements in this chapter apply to all of the following critical components of an interactive gaming system:

 (1) Interactive gaming system components which record, store, process, share, transmit or retrieve sensitive player information (for example, credit and debit card details, authentication information and player account balances).

 (2) Interactive gaming system components which generate, transmit or process random numbers used to determine the outcome of games or virtual events.

 (3) Interactive gaming system components which store results or the current state of a player's wager.

 (4) Points of entry and exit from the previously listed systems or other systems which are able to communicate directly with core critical systems.

 (5) Communication networks which transmit sensitive player information.

§ 809a.2. Definitions.

 The following words and terms, when used in this chapter, have the following meanings, unless the context clearly indicates otherwise:

Domain name system—The globally distributed Internet database which maps machine names to IP numbers, and vice versa.

Player device—The device that converts communications from the interactive gaming platform into a human interpretable form and converts human decisions into a communication format understood by the interactive gaming platform. The term includes personal computers, mobile phones, tablets, and the like.

Primary server—First source for Domain Name System data and responses to queries.

Remote access—Any access from outside the interactive gaming system or interactive gaming system network, including access from other networks within the same facility.

Secondary server or redundancy server—A server that shares the same features and capabilities as the primary server and acts as a second or substitutive point of contact in case the primary server is unavailable, busy or overloaded.

Stateful protocol—A protocol in which the communication system utilized by the player and the primary or secondary server tracks the state of the communication session.

Stateless protocol—A protocol in which neither the player's nor the primary or secondary server's communication system tracks the state of the communication session.

§ 809a.3. Location of equipment.

 (a) The Board shall approve the location of all interactive gaming devices and associated equipment used by an interactive gaming certificate holder or interactive gaming operator to conduct interactive gaming. The interactive gaming devices and associated equipment may be located in a restricted area on the premises of the licensed facility, in an interactive gaming restricted area within the geographic limits of the county in this Commonwealth where the licensed facility is situated or any other area, located within the United States, provided the location adheres to all of the following limitations:

 (1) The primary server used to resolve domain name service inquiries used by an interactive gaming certificate holder or interactive gaming operator to conduct interactive gaming in this Commonwealth must be physically located in a secure data center.

 (2) Any redundancy, secondary and emergency servers used by an interactive gaming certificate holder or interactive gaming operator to conduct interactive gaming in this Commonwealth must be physically located in a secure data center at a separate premises than the primary server within the Commonwealth.

 (b) The Board may require interactive gaming system data necessary to certify revenue and resolve player complaints to be maintained in this Commonwealth in a manner and location approved by the Board. The data must include data related to the calculation of revenue, player transactions, game transactions, game outcomes, responsible gaming and any other data which may be prescribed by the Board. The data must be maintained in a manner which prevents unauthorized access or modification without the prior approval of the Board.

§ 809a.4. Physical and environmental controls for equipment.

 (a) An interactive gaming system and the associated communications systems must be located in facilities which provide physical protection against damage from fire, flood, hurricane, earthquake, and other forms of natural or manmade disaster by utilizing and implementing at least all of the following measures:

 (1) Security perimeters (barriers such as walls, card-controlled entry gates or manned reception desks) must be used to protect areas that contain interactive gaming systems components.

 (2) Secure areas must be protected by appropriate entry controls to ensure that access is restricted to only authorized personnel.

 (3) All access must be recorded in a secure log which is available for inspection by Board staff.

 (4) Secure areas must include an intrusion detection system. Attempts at unauthorized access must be logged.

 (b) Interactive gaming system servers must be located in server rooms which prohibit unauthorized access.

 (c) Interactive gaming system servers must be housed in racks located within a secure area.

 (d) Interactive gaming system components must provide all of the following minimum utility support:

 (1) Interactive gaming system components must be provided with adequate primary power.

 (2) Interactive gaming system components must have uninterruptible power supply equipment to support operations in the event of a power failure.

 (3) There must be adequate cooling for the equipment housed in the server area.

 (4) Power and telecommunications cabling carrying data or supporting information services must be protected from interception or damage.

 (5) There must be adequate fire protection for the interactive gaming system components housed in the server room.

§ 809a.5. Access to equipment.

 (a) The interactive gaming certificate holder and interactive gaming operator shall limit and control access to the primary server and any secondary servers by ensuring all of the following:

 (1) Maintain access codes and other computer security controls.

 (2) Maintain logs of user access, security incidents and unusual transactions.

 (3) Coordinate and develop an education and training program on information security and privacy matters for employees and other authorized users.

 (4) Ensure compliance with all State and Federal information security policies and rules.

 (5) Prepare and maintain security-related reports and data.

 (6) Develop and implement an incident reporting and response system to address security breaches, policy violations and complaints from external parties.

 (7) Develop and implement an ongoing risk assessment program that targets information security and privacy matters by identifying methods for vulnerability detection and remediation and overseeing the testing of those methods.

 (b) Remote access to an interactive gaming certificate holder or interactive gaming operator's interactive gaming system is only permitted as follows:

 (1) To Board employees upon request and without limitation.

 (2) For testing purposes with prior approval from and as limited by the Board.

 (3) By employees of an interactive gaming certificate holder or an interactive gaming operator with prior approval from and as limited by the Board.

 (c) All interactive gaming certificate holder's or interactive gaming operator's interactive gaming systems must be available for independent testing by the Board, without limitation.

§ 809a.6. System requirements.

 (a) Interactive gaming system methodology. An interactive gaming system shall be designed with a methodology (for example, cryptographic controls) approved by the Board to ensure secure communications between a player's device and the interactive gaming system. When reviewing the security of an interactive gaming certificate holder or interactive gaming operator's interactive gaming system methodology, the Board will consider all of the following:

 (1) The interactive gaming system methodology shall be designed to ensure the integrity and confidentiality of all player communication and ensure the proper identification of the sender and receiver of all communications. If communications are performed across a third-party network, the system must either encrypt the data packets or utilize a secure communications protocol to ensure the integrity and confidentiality of the transmission.

 (2) Wireless communications between the player device and the primary or secondary server must be encrypted in transit using a method (for example, AES, IPsec and WPA2) approved by the Board.

 (3) All communications that contain registered player account numbers, user identification, or passwords and PINs must utilize a secure method of transfer (for example, 128-bit key encryption) approved by the Board.

 (4) Only devices authorized by the Board are permitted to establish communications between a player device and an interactive gaming system.

 (5) Server-based interactive gaming systems must maintain an internal clock that reflects the current date and time that must be used to synchronize the time and date among all components that comprise the interactive gaming system. The interactive gaming system date and time must be visible to the registered player when logged on.

 (b) Change or modification. Any change or modification to the interactive gaming system shall be handled in accordance with the Change Management guidelines issued and distributed to interactive gaming certificate holders, interactive gaming operators, and interactive gaming manufacturers.

 (c) Standards for data logging. An interactive gaming system must meet all of the following standards regarding data logging:

 (1) Interactive gaming systems must employ a mechanism capable of maintaining a separate copy of all of the information required to be logged in this section on a separate and independent logging device capable of being administered by an employee with no incompatible function. If the interactive gaming system can be configured so that any logged data is contained in a secure transaction file, a separate logging device is not required.

 (2) Interactive gaming systems must provide a mechanism for the Board to query and export, in a format required by the Board, all interactive gaming system data.

 (3) Interactive gaming systems must electronically log the date and time any player gaming account is created or terminated (Account Creation Log).

 (4) An interactive gaming system must maintain all information necessary to recreate player game play and account activity during each player session, including any identity or location verifications, for not less than 10 years.

 (5) Unless otherwise authorized by the Board, when software is installed on or removed from an interactive gaming system, the action must be recorded in a secure electronic log (Software Installation/Removal Log), which must include all of the following:

 (i) The date and time of the action.

 (ii) The identification of the software.

 (iii) The identity of the person performing the action.

 (6) Unless otherwise authorized by the Board, when a change in the availability of game software is made on an interactive gaming system, the change must be recorded in a secure electronic log (Game Availability Log), which must include:

 (i) The date and time of the change.

 (ii) The identification of the software.

 (iii) The identity of the person performing the change.

 (7) Unless otherwise exempted by the Board, an interactive gaming system must record all promotional offers (Promotions Log) issued through the system. The log must provide the information necessary as determined by the Board to audit compliance with the terms and conditions of current and previous offers.

 (8) Results of all authentication attempts must be retained in an electronic log (Authentication Log) and accessible for not less than 90 days.

 (9) All adjustments to interactive gaming system data made using stored procedures must be recorded in an electronic log (Adjustments Log), which lists all of the following:

 (i) The date and time.

 (ii) The identification and user ID of user performing the action.

 (iii) A description of the event or action taken.

 (iv) The initial and ending values of any data altered as a part of the event or action performed.

 (d) Security requirements.

 (1) Networks should be logically separated so that there should be no network traffic on a network link which cannot be serviced by hosts on that link.

 (2) Networks must meet all of the following requirements to assure security:

 (i) The failure of any single item should not result in a denial of service.

 (ii) An intrusion detection system/intrusion prevention system must be installed on the network which can do all of the following:

 (A) Listen to both internal and external communications.

 (B) Detect or prevent Distributed Denial of Service attacks.

 (C) Detect or prevent shellcode from traversing the network.

 (D) Detect or prevent Address Resolution Protocol spoofing.

 (E) Detect other Man-in-the-Middle indicators and sever communication immediately.

 (iii) Each server instance in cloud and virtualized environments should perform only one function.

 (iv) In virtualized environments, redundant server instances cannot run under the same hypervisor.

 (v) Stateless protocols should not be used for sensitive data without stateful transport.

 (vi) All changes to network infrastructure must be logged.

 (vii) Virus scanners or detection programs, or both, should be installed on all pertinent information systems and should be updated regularly to scan for new strains of viruses.

 (viii) Network security should be tested by a qualified and experienced individual on a regular basis.

 (ix) Testing should include testing of the external interfaces and internal network.

 (x) Testing of each security domain on the internal network should be undertaken separately.

 (3) An annual security audit shall be performed to complement the required independent testing laboratory testing and annual encryption certification.

 (i) The security audit shall cover the underlying operating systems, network components and hardware changes not included in the evaluation of the interactive gaming software.

 (ii) The security audit shall be performed by an independent third party who shall provide a detailed report with remediation or mitigation plans to the board, and may take the form of any of the following:

 (A) Penetration test.

 (B) Vulnerability assessment.

 (C) Compliance audit.

 (D) Risk assessment.

 (4) Internal and external network vulnerability scans shall be run at least quarterly, or after any change or modification to the interactive gaming system that requires approval by the Board under the change management guidelines distributed under § 809a.6(b) (relating to system requirements), unless otherwise directed by the Board.

 (i) Testing procedures must verify that four quarterly internal and external scans take place every 12 months and that re-scans occur until all medium risk (CVSS 4.0 or higher) vulnerabilities are resolved.

 (ii) The quarterly scans may be performed by either an independent third party or by a qualified employee of the interactive gaming certificate holder or interactive gaming operator.

 (iii) Verification of the scans shall be submitted to the Board on a quarterly basis and must include a remediation or mitigation plan for any vulnerabilities not resolved prior to the submission of the verification.

 (e) Self-monitoring of critical components. The interactive gaming system must implement the self-monitoring of critical components. A critical component that fails self-monitoring tests shall be taken out of service immediately and may not be returned to service until there is reasonable evidence that the fault has been rectified. Required self-monitoring measures include all of the following:

 (1) The clocks of all components of the interactive gaming system must be synchronized with an agreed accurate time source to ensure consistent logging. Time skew shall be checked periodically.

 (2) Audit logs recording user activities, exceptions and information security events must be produced and kept for a period of time to be determined by the Board to assist in investigations and access control monitoring.

 (3) System administrators and system operator activities must be logged.

 (4) Logging facilities and log information must be protected against tampering and unauthorized access.

 (5) Any modifications, attempted modifications, read access, or other change or access to any interactive gaming system record, audit or log must be detectable by the interactive gaming system. It must be possible to see who has viewed or altered a log and when.

 (6) Logs generated by monitoring activities shall be reviewed periodically using a documented process. A record of each review must be maintained.

 (7) Interactive gaming system faults shall be logged, analyzed and appropriate actions taken.

 (8) Network appliances with limited onboard storage must disable all communication if the audit log becomes full or offload logs to a dedicated log server.

 (f) System disclosure requirements.

 (1) A petitioner for or holder of an interactive gaming certificate, an applicant for or holder of an interactive gaming license, and an applicant for or holder of an interactive gaming manufacturer license shall seek Board approval of all source code used to conduct interactive gaming in this Commonwealth.

 (2) All documentation relating to software and application development should be available for Board inspection and retained for the duration of its lifecycle.

 (3) All software used to conduct interactive gaming in this Commonwealth shall be designed with a method, approved by the Board, that permits remote validation of software.

 (g) Shutdown and recovery capabilities. The interactive gaming system must have all of the following shutdown and recovery capabilities to maintain the integrity of the hardware, software and data contained therein in the event of a shutdown:

 (1) The interactive gaming system must be able to perform a graceful shutdown and only allow automatic restart on power up after all of the following procedures have been performed:

 (i) The program resumption routine, including self-tests, completes successfully.

 (ii) All critical control program components of the interactive gaming system have been authenticated using a method approved by the Board.

 (iii) Communication with all components necessary for the interactive gaming system operation has been established and similarly authenticated.

 (2) The interactive gaming system must be able to identify and properly handle the situation when master resets have occurred on other remote gaming components which affect game outcome, win amount or reporting.

 (3) The interactive gaming system must have the ability to restore the system from the last backup.

 (4) The interactive gaming system must be able to recover all critical information from the time of the last backup to the point in time at which the interactive gaming system failure or reset occurred.

 (h) Recovery plan. An interactive gaming certificate holder or interactive gaming operator shall have a plan in place, approved by the Board, to recover interactive gaming operations in the event that the interactive gaming system is rendered inoperable (that is, Disaster/Emergency Recovery Plan). When reviewing the sufficiency of an interactive gaming certificate holder or interactive gaming operator's plan to recover interactive gaming system operations in the event the interactive gaming system is rendered inoperable, the Board will consider all of the following:

 (1) The method of storing player account information and gaming data to minimize loss in the event the interactive gaming system is rendered inoperable.

 (2) If asynchronous replication is used, the method for recovering data should be described or the potential loss of data should be documented.

 (i) Recovery plan requirements. An interactive gaming certificate holder's or interactive gaming operator's Disaster/Emergency Recovery Plan must also:

 (1) Delineate the circumstances under which it will be invoked.

 (2) Address the establishment of a recovery site physically separated from the interactive gaming system site.

 (3) Contain recovery guides detailing the technical steps required to re-establish gaming functionality at the recovery site.

 (4) Include a Business Continuity Plan that addresses the process required to resume administrative operations of interactive gaming activities after the activation of the recovered platform for a range of scenarios appropriate for the operations context of the interactive gaming system.

 (j) Location of equipment. Equipment used by a server-based interactive gaming system for the sole purpose of restoring data following a disaster must be located in a location within the United States as approved by the Board.

 (k) Player self-exclusion. The interactive gaming system must provide an easy and obvious mechanism for players to access the Board's self-exclusion database to self-exclude from interactive gaming.

 (l) Mechanism for temporary suspension. The interactive gaming system must provide a mechanism by which a player may elect to temporarily suspend his or her interactive gaming account for a period of no less than 72 hours in accordance with the terms and conditions agreed to by the player upon registration.

§ 809a.7. Geolocation requirements.

 (a) An interactive gaming system must employ a mechanism to detect the physical location of a player upon logging into the interactive gaming system and as frequently as specified in the Board's technical standards and the interactive gaming certificate holder's or interactive gaming operator's approved internal controls submission. If the system detects that the physical location of the player is in an area unauthorized for an interactive gaming system, the system shall not accept wagers and must disable any interactive gaming activity for that player until the player is in an authorized location.

 (b) The geolocation system must be equipped to dynamically monitor the player's location and block unauthorized attempts to access the interactive gaming system throughout the duration of the gaming session.

 (c) An interactive gaming certificate holder or interactive gaming operator must prevent registered players within a licensed facility from accessing authorized interactive games on the registered player's own computers or other devices through the use of geolocation technologies.

 (d) Interactive gaming shall only occur within this Commonwealth unless the conduct of gaming is not inconsistent with Federal law, law of the jurisdiction, including any foreign nation, in which the participating player is located, or the gaming activity is conducted pursuant to a reciprocal agreement to which the Commonwealth is a party that is not inconsistent with Federal law.

§ 809a.8. Security policy requirements.

 Interactive gaming certificate holders and interactive gaming operators shall adopt and maintain a Board-approved information security policy which describes the certificate holder's or licensee's approach to managing information security and its implementation. This policy is required in addition to any similar requirements that may be imposed as part of the certificate holder's or licensee's internal controls. The information security policy must:

 (1) Conform to the standards of the most recent version of the NIST cybersecurity framework.

 (2) Be reviewed annually as well as when significant changes occur to the interactive gaming system or the processes which alter the risk profile of the interactive gaming system.

 (3) Be approved annually by the certificate holder's or operator's management.

 (4) Be communicated to all employees and relevant external parties.

 (5) Delineate the responsibilities of the certificate holder's or licensee's staff and the staff of any third parties for the operation, service and maintenance of the interactive gaming system and its components.

CHAPTER 810a. INTERACTIVE GAMING TESTING AND CONTROLS

Sec.

810a.1. Scope.
810a.2. Definitions.
810a.3. Minimum game standards.
810a.4. Minimum display standards.
810a.5. Random number generator standards.
810a.6. Software authentication.
810a.7. Changes to game.
810a.8. Game rules.
810a.9. Fairness.
810a.10. Prohibitions.
810a.11. Controls.
810a.12. Test accounts.

§ 810a.1. Scope.

 To ensure players are not exposed to unnecessary security risks by choosing to participate in interactive gaming in this Commonwealth and to ensure the integrity and security of interactive gaming operations in this Commonwealth, this chapter applies to all games an interactive gaming certificate holder or interactive gaming operator seeks to offer to players in this Commonwealth.

§ 810a.2. Definitions.

 The following words and terms, when used in this chapter, have the following meanings, unless the context clearly indicates otherwise:

Artwork or art—Graphical and auditory information that is sent to the player device for presentation to the player.

Game cycle—The finite set of all possible combinations.

Personal progressive—A progressive jackpot which only one player contributes to with qualifying progressive wagers and which only that player can win.

Player interface—The interface within the software in which the player interacts. The term is also referred to as the gaming window.

Progressive jackpot

 (i) An increasing prize based on a function of credits that are wagered.

 (ii) A monetary prize that increases in value based on a function of credits wagered.

 (iii) The term includes prizes that are awarded based on criteria other than obtaining winning outcomes in the game, such as mystery progressives.

§ 810a.3. Minimum game standards.

 All of the following requirements apply to the game information, artwork, paytables and help screens which include all written, graphical and auditory information provided to the player either directly from the game interface or from a page accessible to the player from the game interface through a hyperlink located in a conspicuous location.

 (1) All statements and graphics within the gaming information, artwork, paytables and help screens must be accurate and not misleading.

 (2) All game rules and paytable information must be available to the player directly on the player interface or accessible from the player interface through a hyperlink without the need for funds to be deposited or funds to be staked.

 (3) All game rules and paytable information must be sufficient to explain all the applicable rules and how to participate in all stages of the game.

 (4) Paytable information must include all possible winning outcomes, patterns, rankings and combinations, and their corresponding payouts with a designated denomination or currency. All displayed payouts must be theoretically possible.

 (5) The rules of the game must inform the players of the imperfections of the communications medium for the game and how this affects them.

 (6) There must be sufficient information regarding any award payout adjustments such as fees, rakes, commissions, and the like.

 (7) If the artwork contains game instructions specifying a maximum win then it must be possible to win this amount from a single game (including features or other game options).

 (8) For games that offer bonus bets that require a base game bet, the minimum percentage return to player of the bonus bet must take into account that a base game bet must be placed.

 (9) If random/mystery prizes are offered, the maximum value obtainable from the random/mystery prize must be indicated. If the value of the random/mystery prize depends on credits wagered or any other factors, this must be stated.

 (10) The artwork should clearly state the rules for payments of prizes when multiple wins are possible.

 (i) A description of what combinations will be paid when a pay line may be interpreted to have more than one individual winning combination (''only highest paid win per line'').

 (ii) When the game supports multiple pay lines, the artwork should display a message indicating wins on different pay lines are added or equivalent.

 (iii) When the game supports scatters, artwork should display a message indicating that scattered wins are added to pay line wins, or equivalent, if this is the rule of the game.

 (iv) The artwork should clearly communicate the treatment of coinciding scattered wins with respect to other possible scattered wins. For example, the artwork should state whether combinations of scattered symbols pay all possible prizes or only the highest prize.

 (v) The artwork should clearly communicate the treatment of coinciding game outcome (that is, straight flush can be a flush and a straight, three red 7s can be any three 7s).

 (11) If it is possible to bet on multiple lines and it is not clear which reel positions are part of each of the possible lines, then the additional lines must be clearly displayed on the artwork and appropriately labeled. The additional lines must either be shown on the displayed artwork, be available for display on a help screen or permanently displayed on all game-play screens in a location separate from the actual reels.

 (12) When multiplier instructions are displayed on artwork, there must be no question as to whether the multiplier applies.

 (13) All game symbols and objects must be clearly displayed to the player and not be misleading in any way. Game symbols and objects must retain their shape throughout all artwork, except while animation is in progress.

 (14) The artwork must clearly state which symbols and objects may act as a substitute or wild and in which winning combinations the substitute/wild may be applied.

 (15) The artwork must clearly state which symbols and objects may act as scatter and in which winning combinations the scatter may be applied.

 (16) The game may not advertise upcoming wins unless the advertisement is accurate and mathematically demonstrable.

 (17) All of the following requirements apply to games depicting cards being drawn from a deck:

 (i) A game which utilizes multiple decks of cards must clearly indicate the number of cards and card decks in play.

 (ii) Once removed from the deck, cards may not be returned to the deck except as provided by the rules of the game depicted.

 (iii) The deck may not be reshuffled except as provided by the rules of the game depicted.

 (18) All of the following requirements apply to multiwager games:

 (i) Each individual wager to be played must be clearly indicated to inform the player as to which wagers have been made and the credits bet per wager.

 (ii) Each winning prize obtained must be displayed to the player in a way that clearly associates the prizes to the appropriate wager. When there are wins associated with multiple wagers, each winning wager must be indicated in turn.

§ 810a.4. Minimum display standards.

 All of the following game information must be visible or easily accessible to the player at all times during a player session:

 (1) The name of the game being played.

 (2) Restrictions on play or betting such as any play duration limits, maximum win values, and the like.

 (3) The player's current session balance.

 (4) The current bet amount. This is only during the phase of the game when the player can add to or place additional bets for that phase.

 (5) Current placement of all bets.

 (6) The denomination of the bet.

 (7) The amount won for the last completed game (until the next game starts or betting options are modified).

 (8) The player options selected for the last completed game (until the next game starts or a new selection is made).

 (9) Initial player selection options are to be described. Player selection options once the game has commenced should be clearly shown on the screen.

 (10) The winning amount for each separate wager and total winning amount are to be displayed on the screen.

§ 810a.5. Random number generator standards.

 (a) The random number generator must be cryptographically strong at the time of submission for approval. When more than one instance of a random number generator is used in an interactive gaming system, each instance must be separately evaluated and certified. When each instance is identical but involves a different implementation within a game/application, each implementation shall also be separately evaluated and certified. Any outcomes from the random number generator used for game symbol selection/game outcome determination must be shown, by data analysis and a source code read, to:

 (1) Be statistically independent, unless the submission has been approved for a persistent-state outcome determination.

 (2) Be fairly distributed (within statistically expected bounds) over their range.

 (3) Pass various recognized statistical tests.

 (4) Be cryptographically strong.

 (b) Random number generators must adhere to standards in § 461a.7 (relating to slot machine minimum design standards).

 (c) The gaming laboratory may employ the use of various recognized tests to determine whether or not the random values produced by the random number generator pass the desired confidence level of 95%. These tests include the following:

 (1) Chi-square test.

 (2) Equi-distribution (frequency) test.

 (3) Gap test.

 (4) Overlaps test.

 (5) Poker test.

 (6) Coupon collectors test.

 (7) Permutation test.

 (8) Kolmogorov-Smirnov test.

 (9) Adjacency criterion tests.

 (10) Order statistic test.

 (11) Runs tests (patterns of occurrences should not be recurrent).

 (12) Interplay correlation test.

 (13) Serial correlation test potency and degree of serial correlation (outcomes should be independent of the previous game, unless the submission has been approved for a persistent-state outcome determination).

 (14) Tests on subsequences.

 (15) Poisson distribution.

 (d) The scaling method may not compromise the cryptographic strength of the random number generator. The scaling method must preserve the distribution of the scaled values. For example, if a 32-bit random number generator with a range of the set of integers in the closed interval (0, 2^32-1) were to be scaled to the range of the set of integers in the closed interval (1, 6) so that the scaled values can be used to simulate the roll of a standard six-sided die, then each integer in the scaled range should theoretically appear with equal frequency. In the example given, if the theoretical frequency for each value is not equal, then the scaling method is considered to have a bias. Thus, a compliant scaling method must have bias equal to zero.

 (e) If the interactive gaming system utilizes hardware-based random number generators, there must be dynamic/active, real-time monitoring of the output with a sample size large enough to allow for reasonably high statistically powerful testing so that game play is disabled when an output testing failure is detected.

 (f) If the interactive gaming system utilizes a software-based random number generator, it must adhere to all of the following:

 (1) The period of the random number generator, in conjunction with the methods of implementing the random number generator outcomes, must be sufficiently large to ensure that all game independent outcome combinations/permutations are possible for the given game/application, unless the submission has been approved for a persistent-state outcome determination.

 (2) The methods of seeding/reseeding must ensure that all seed values are determined in a manner that does not compromise the cryptographic security of the random number generator.

 (3) To ensure that random number generator outcomes cannot be predicted, adequate background cycling/activity must be implemented in between games. Whenever a game outcome is made up of multiple mapped random number generator values, background cycling/activity must be implemented during the game (that is, in between the selection of each mapped random number generator value) to ensure that the game outcome is not comprised of sequential mapped random number generator outcomes. The rate of background cycling/activity must be sufficiently random in and of itself to prevent prediction.
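The die-scaling case in subsection (d), worked through as an added example that is not part of the regulation text: it counts exactly how many of the 2^32 raw values land on each face under naive modulo scaling and under rejection sampling, and computes a chi-square statistic of the kind listed in subsection (c). The function names and the use of Python's `secrets` module as the raw 32-bit source are assumptions made for illustration.

```python
import secrets
from fractions import Fraction

RNG_BITS = 32
RNG_RANGE = 1 << RNG_BITS          # raw outputs lie in the closed interval 0 .. 2^32-1
CHI2_CRIT_DF5_95 = 11.070          # chi-square critical value, 5 degrees of freedom, 95%


def modulo_counts(low, high, rng_range=RNG_RANGE):
    """Exact count of raw values mapped to each scaled value by `low + raw % n`."""
    n = high - low + 1
    q, r = divmod(rng_range, n)
    # When n does not divide the raw range, the first r values get one extra raw input.
    return {low + k: q + (1 if k < r else 0) for k in range(n)}


def rejection_counts(low, high, rng_range=RNG_RANGE):
    """Exact count of accepted raw values per scaled value when the tail is rejected."""
    n = high - low + 1
    q = rng_range // n
    return {low + k: q for k in range(n)}


def bias(counts):
    """Largest gap in theoretical frequency between any two scaled values."""
    total = sum(counts.values())
    return Fraction(max(counts.values()) - min(counts.values()), total)


def scale_unbiased(low, high, draw_raw=None, rng_range=RNG_RANGE):
    """Scale one raw draw to low..high with zero bias by discarding the uneven tail."""
    if draw_raw is None:
        draw_raw = lambda: secrets.randbits(RNG_BITS)   # assumed raw source
    n = high - low + 1
    limit = rng_range - (rng_range % n)   # largest multiple of n within the raw range
    while True:
        raw = draw_raw()
        if raw < limit:                   # accept only values from the even portion
            return low + raw % n


def chi_square(samples, low, high):
    """Chi-square statistic of observed scaled values against a uniform expectation."""
    n = high - low + 1
    expected = len(samples) / n
    observed = [0] * n
    for s in samples:
        observed[s - low] += 1
    return sum((o - expected) ** 2 / expected for o in observed)


if __name__ == "__main__":
    print("modulo bias:   ", bias(modulo_counts(1, 6)))
    print("rejection bias:", bias(rejection_counts(1, 6)))
    rolls = [scale_unbiased(1, 6) for _ in range(60000)]
    stat = chi_square(rolls, 1, 6)
    print("chi-square:", round(stat, 3), "pass" if stat < CHI2_CRIT_DF5_95 else "fail")
```

Because 2^32 leaves a remainder of 4 when divided by 6, modulo scaling gives faces 1 to 4 one more raw value each than faces 5 and 6. A statistical test on samples would not be expected to reveal a bias this small, which is why the theoretical count matters alongside the tests in subsection (c).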

§ 810a.6. Software authentication.

 The acquisition and development of new software must follow defined processes in accordance with the information security policy.

 (1) The production environment must be logically and physically separated from the development and test environments.

 (2) Development staff shall be precluded from having access to promote code changes into the production environment. If, due to staffing limitations, this requirement cannot be met by the entity, the internal controls submitted to the Board shall describe what measures will be implemented to ensure the integrity of interactive games in the production environment.

 (3) There must be a documented method to verify that test software is not deployed to the production environment.

 (4) To prevent leakage of personal identifiable information, there must be a documented method to ensure that raw production data is not used in testing.

 (5) All documentation relating to software and application development should be available and retained for the duration of its lifecycle.

§ 810a.7. Changes to game.

 A change or modification to an interactive game shall be handled in accordance with the Change Management guidelines issued and distributed to interactive gaming certificate holders, interactive gaming operators and interactive gaming manufacturers.

§ 810a.8. Game rules.

 (a) Interactive gaming certificate holders and interactive gaming operators shall adopt and adhere to written, comprehensive house rules governing wagering transactions by and between authorized players that are available for review at all times by players through a conspicuously displayed link. House rules must include all of the following:

 (1) Clear and concise explanation of all fees.

 (2) The rules of play of a game.

 (3) Any monetary wagering limits.

 (4) Any time limits pertaining to the play of a game.

 (b) House rules must be approved by the Board.

 (c) House rules that deviate from Board regulations shall be submitted to the Board's Office of Gaming Laboratory Operations for review and approval prior to submission to the Board for approval prior to implementation.

§ 810a.9. Fairness.

 (a) All critical functions including the generation of the result of any game (and the return to the player) must be generated by the interactive gaming platform and be independent of the player device. All of the following also apply:

 (1) Game outcome may not be affected by the effective bandwidth, link utilization, bit error rate or other characteristic of the communications channel between the interactive gaming platform and the player device.

 (2) Determination of events of chance that result in a monetary award may not be influenced, affected or controlled by anything other than numerical values derived in an approved manner from the certified random number generator when applicable and in conjunction with the rules of the game.

 (3) Each possible permutation or combination of game elements that produces winning or losing game outcomes must be available for random selection at the initiation of each play, unless otherwise denoted by the game.

 (4) As game symbols are selected or game outcomes are determined, they must be immediately used as directed by the rules of the game.

 (5) When the game requires a sequence or mapping of symbols or outcomes to be set up in advance, the symbols or outcomes should not be resequenced or remapped, except as provided for in the rules of the game.

 (6) After selection of the game outcome, the game may not make a variable secondary decision which affects the result shown to the player.

 (7) Except as provided by the rules of the game, events of chance within games should be independent and not correlated with any other events within the game or events within the previous game, unless the submission has been approved for a persistent-state outcome determination.

 (8) For game types such as a spinning reel game, unless otherwise disclosed to the player, the mathematical probability of a symbol appearing in a position for any game outcome must be constant.

 (b) A game may not be designed to give the player a false expectation of better odds by misrepresenting any occurrence or event.

 (1) Games that are designed to give the player the perception that they have control over the game due to player skill when they actually do not must fully address this behavior in the game help screens.

 (2) The final outcome of each game must be displayed for a sufficient length of time that permits a player to verify the outcome of the game.

§ 810a.10. Prohibitions.

 (a) Forced game play.

 (1) The player may not be forced to play a game just by selecting that game.

 (2) It must not be possible to start a new game in the same player interface instance before all relevant meters have been updated on the interactive game system and all other relevant connections and player session balance or, if applicable, the player's total balance has been updated.

 (3) If an auto play mode is incorporated, it must be possible to turn this mode off at any time during game play.

 (b) Bots and computerized players. Bots or computerized players are only permitted when employed by the interactive gaming system in free play or training mode, or if use of the bot or computerized player satisfies all of the following:

 (1) The use of artificial intelligence software must be clearly explained in the help menus.

 (2) All computerized players must be clearly marked at the tables so that players are aware of which players are not human.

 (c) Incomplete games. A game is incomplete when the game outcome remains unresolved or the outcome cannot be properly seen by the player.

 (1) The interactive gaming certificate holder or interactive gaming operator may provide a mechanism for a player to complete an incomplete game.

 (2) Incomplete games shall be resolved before a player is permitted to participate in another instance of the same game.

 (3) Wagers associated with an incomplete game must be voided within 30 days and the wagers can be forfeited or returned to the player provided that:

 (i) The terms and conditions or the game rules, or both, must clearly define how wagers will be handled when they remain undecided beyond the specified time period and the interactive gaming system must be capable of returning or forfeiting the wagers, as appropriate.

 (ii) In the event that a game cannot be continued due to an interactive gaming system action, all wagers must be returned to the players of that game.

 (d) Auto play prohibited. Game play shall be initiated only after a registered player has affirmatively placed a wager and activated play. An auto play feature is not permitted in game software unless authorized by the Board, and if permitted shall not exceed 50 spins.

§ 810a.11. Controls.

 (a) A replay last game feature either as a re-enactment or by description must be available to players. The replay must clearly indicate that it is a replay of the entire previous game cycle, and must provide, at a minimum, all of the following information:

 (1) The date and time the game started or ended, or both.

 (2) The display associated with the final outcome of the game, either graphically or by a clear text message.

 (3) Total player cash/credits at start or end of play, or both.

 (4) Total amount bet.

 (5) Total cash/credits won for the prize (including progressive jackpots).

 (6) The results of any player choices involved in the game outcome.

 (7) Results of any intermediate game phases, such as gambles or feature games.

 (8) Amount of any promotional awards received, if applicable.

 (b) For each individual game played, all of the following information must be recorded, maintained and easily demonstrable by the interactive gaming system:

 (1) Unique player ID.

 (2) Contributions to progressive jackpot pools, if applicable.

 (3) Game status (in progress, complete, and the like).

 (4) The table number, if applicable, at which the game was played.

 (5) The paytable used.

 (6) Game identifier and version.

 (c) An organized event that permits a player to either purchase or be awarded the opportunity to engage in competitive play against other players may be permitted providing all of the following rules are met:

 (1) While enabled for tournament play, a game may not accept real money from any source, nor pay out real money in any way, but must utilize tournament specific credits, points or chips which have no cash value.

 (2) Interactive gaming contest/tournament rules are available to a player on the web site where the interactive gaming contest/tournament is being conducted. The rules must include, at a minimum, all of the following:

 (i) All conditions players shall meet to qualify for entry into and advancement through the contest/tournament.

 (ii) Any conditions concerning late arrivals or complete tournament no-shows and how auto-blind posting or initial entry purchase, or both, is handled.

 (iii) Specific information pertaining to any single contest/tournament, including the amount of money placed in the prize pool.

 (iv) The distribution of funds based on specific outcomes.

 (v) The name of the organization or person that conducted the contest/tournament on behalf of, or in conjunction with, the operator, if applicable.

 (3) The results of each contest/tournament shall be made available on the interactive gaming web site for the players to review. Subsequent to being posted on the web site, the results of each contest/tournament shall be available upon request. The recording must include all of the following:

 (i) Name of the event.

 (ii) Date of event.

 (iii) Total number of entries.

 (iv) Amount of entry fees.

 (v) Total prize pool.

 (vi) Amount paid for each winning category.

 (d) All of the following requirements apply to the disabling and re-enabling of gambling on the interactive gaming system:

 (1) The interactive gaming system must be able to disable or enable all gambling on command.

 (2) When any gambling is disabled or enabled on the interactive gaming system an entry must be made in an audit log that includes the reason for any disable or enable.

 (e) When a game or gaming activity is disabled:

 (1) The game is not to be accessible to a player once the player's game has fully concluded.

 (2) The player should be permitted to conclude the game in play (that is, bonus rounds, double up/gamble and other game features related to the initial game wager should be fully concluded).

 (3) If wagers have been placed on pending real-life events:

 (i) The terms and conditions must clearly define what happens to the wagers if the gaming activity is to remain disabled and the corresponding real-life event is completed, and the interactive gaming system must be capable of returning all bets to the players or settling all bets, as appropriate.

 (ii) The terms and conditions must clearly define what happens to the wagers if the gaming activity is to re-enable before the corresponding real-life event is completed, and the interactive gaming system must be capable of returning all bets to the players, or leaving all bets active, as appropriate.

 (f) When one or more feature/bonus prize may be paid to the player, the bonus game must be part of the overall paytable theoretical return to player.

 (g) All progressive jackpots must adhere to all of the following:

 (1) All players that play progressive jackpot games must be made aware of actions which would make them eligible to win the progressive jackpot.

 (2) When progressive jackpot contributions are part of the return to player calculation, the contributions may not be assimilated into revenue. If a cap is established on any progressive jackpot all additional contributions once that cap is reached are to be credited to a diversion pool.

 (3) The rules of the game must incorporate how the progressive jackpot is funded and determined.

 (4) If a minimum bet amount exists for a player to win a progressive jackpot, then the return to player (excluding the progressive jackpot) must meet the minimum player return in accordance with § 461a.7(a) (relating to slot machine minimum design standards). The calculation of the theoretical payout percentage may not include the amount of any progressive jackpot in excess of the initial reset amount.

 (5) The current progressive jackpot amount should be displayed on all player devices participating in the progressive jackpot. This display should be updated on all participating player devices at least every 30 seconds.

 (6) The rules of the game must inform the players of any maximum awards or time limits, or both, which may exist for each progressive jackpot.

 (7) For progressive jackpots offering multiple levels of awards, the player must always be paid the higher amount if a particular combination is won that should trigger the higher paying award. This may occur when a winning combination may be evaluated as more than one of the available paytable combinations (that is, a flush is a form of a straight flush and a straight flush is a form of a royal flush). There may be situations when the progressive jackpot levels must be swapped to ensure the player is being awarded the highest possible value based on all combinations the outcome may be defined as.

 (8) If multiple progressive jackpots occur at approximately the same time and there is no definitive way of knowing which jackpot occurred first, the operator shall adopt procedures, approved by the Board, for resolution. The rules of the game must include information which addresses the resolution of this possibility.

 (9) All progressive jackpots must adhere to standards in §§ 461a.12 and 461a.13 (relating to progressive slot machines; and wide area progressive systems), except for any physical requirements deemed inapplicable by the Board and subject to the following modifications:

 (i) Notice of intent to transfer a progressive jackpot must be conspicuously displayed on the interactive game icon and at all times during a gameplay by means of methodology approved by the Board for a period at least 10 days immediately preceding the transfer of the progressive jackpot.

 (ii) Within § 461a.12, the term ''gaming floor'' used regarding land-based progressives shall be analogous to the term ''interactive gaming platform'' used regarding interactive gaming progressives.

 (10) If a progressive jackpot is offered as a personal progressive that only one player contributes to and only that player can win, the player's contributions to the progressive jackpot must be refunded to the player within 30 days if the player's interactive gaming account is closed for any reason.

§ 810a.12. Test accounts.

 (a) Interactive gaming certificate holders and interactive gaming operators may establish test accounts to be used to test the various components and operation of an interactive gaming system in accordance with internal controls, which, at a minimum, address all of the following:

 (1) The procedures for the issuance of funds used for testing, including the identification of who is authorized to issue the funds and the maximum amount of funds that may be issued.

 (2) The procedures for assigning each test account for use by only one person.

 (3) The maintenance of a record for all test accounts to include when they are active, to whom they are issued and the employer of the person to whom they are issued.

 (4) The procedures for the auditing of testing activity by the interactive gaming certificate holder or interactive gaming operator to ensure the accountability of funds used for testing and proper adjustments to gross interactive gaming revenue.

 (5) The ability to withdraw funds from a test account without the Board's prior approval must be disabled by the interactive gaming system.

 (6) For testing of peer-to-peer games:

 (i) A person may utilize multiple test accounts.

 (ii) Test account play shall be conducted without the participation of players.

 (b) In addition to the required internal controls in subsection (a)(1)—(6), for any wagering on test accounts conducted outside the boundaries of this Commonwealth, the procedures for auditing of testing activity must include the method for ascertaining the location from which persons using test accounts access the interactive gaming system.

[Continued on next Web Page]




This material has been drawn directly from the official Pennsylvania Bulletin full text database. Due to the limitations of HTML or differences in display capabilities of different browsers, this version may differ slightly from the official printed version.