SGC-42-16-00004-P To Set Forth the Standards for Electronic Table Game Systems
10/19/16 N.Y. St. Reg. SGC-42-16-00004-P
NEW YORK STATE REGISTER
VOLUME XXXVIII, ISSUE 42
October 19, 2016
RULE MAKING ACTIVITIES
NEW YORK STATE GAMING COMMISSION
PROPOSED RULE MAKING
NO HEARING(S) SCHEDULED
I.D. No. SGC-42-16-00004-P
To Set Forth the Standards for Electronic Table Game Systems
PURSUANT TO THE PROVISIONS OF THE State Administrative Procedure Act, NOTICE is hereby given of the following proposed rule:
Proposed Action:
Addition of sections 5317.41 and 5319.60 to Title 9 NYCRR.
Statutory authority:
Racing, Pari-Mutuel Wagering and Breeding Law, sections 104(19), 1307(1) and 1335(8)
Subject:
To set forth the standards for electronic table game systems.
Purpose:
To prescribe the technical standards for the testing and certification of electronic table game systems.
Text of proposed rule:
A new section 5317.41 would be added to 9 NYCRR as follows:
§ 5317.41. Electronic table games system.
(a) This section shall apply when an electronic table game (ETG) or games operate as a part of a table game system that is independent of any external gaming system.
(b) All electronic table games systems shall meet the requirements set forth in sections 5317.16, 5317.17, 5317.26, 5317.33, and 5317.36 of this Part.
(c) All communications in ETGs shall pass through at least one application-level firewall approved by the commission and shall not have a facility that allows for an alternate network path.
(1) A firewall application shall:
(i) maintain an audit log of the following information:
(a) all changes to configuration of the firewall;
(b) all successful and unsuccessful connection attempts through the firewall; and
(c) the source and destination IP addresses, port numbers and MAC addresses; and
(ii) disable all communications and generate an error event if the audit log becomes full.
(2) The system shall provide for interrogation that enables online comprehensive searching of the significant-event log.
(3) The system shall contain an access-level control structure that is capable of limiting access to programs, menu items or other secure areas of the system by means of a user name and login combination, personal identification number or other equivalent means.
(4) The system shall not permit the alteration of any significant log information without supervised access control.
(5) There shall be a system administrator notification and user lockout or audit trail entry after a set number of unsuccessful login attempts.
(6) The system shall record:
(i) date and time of the login attempt;
(ii) username supplied; and
(iii) success or failure.
(7) The use of generic user accounts on servers is not permitted.
(8) The system shall not permit the alteration of any accounting or significant event log information without supervised access controls. In the event financial data is changed, an audit log shall be capable of being produced to document:
(i) data element altered;
(ii) data element value prior to alteration;
(iii) data element value after alteration;
(iv) time and date of alteration; and
(v) user login.
(d) In addition to the requirements set forth in section 5317.36 of this Part, a gaming facility licensee or a licensed manufacturer shall submit to the commission for review and approval procedures to be established in the use of remote access as set forth in subdivision (b) of section 5321.10 of this Subchapter. Such procedures shall designate, at a minimum, authorized users and authorized settings of the electronic table game or games.
(1) Remote access shall authenticate all computer systems based on the authorized settings of the electronic table game and firewall application that establishes a connection with the electronic table game pursuant to the following requirements:
(i) a remote access user activity log is maintained by both the gaming facility and the licensed manufacturer, depicting the following information:
(a) authorizing individual;
(b) purpose;
(c) user login;
(d) time and date; and
(e) duration and activity while logged in;
(ii) unauthorized remote user administration functionality is prohibited;
(iii) unauthorized access to the database is prohibited;
(iv) unauthorized access to the operating system is prohibited; and
(v) if remote access is to be on a continuous basis, then a network filter shall be installed to protect access, as approved by the commission.
(2) The system shall implement self-monitoring of all critical interface elements and shall have the ability to notify effectively the system administrator of any error condition, provided the condition is not catastrophic.
(3) The system shall be able to perform the operation prescribed in paragraph (2) of this section with a frequency of at least once in every 24-hour period and during each power-up and power reset.
(e) A gaming facility licensee shall report any requirements that cannot be met as a result of manual intervention from a live dealer to the commission prior to submission for required testing as set forth in Part 5318 of this Subchapter.
A new section 5319.60 would be added to 9 NYCRR as follows:
§ 5319.60. Electronic table games.
All electronic table games (ETGs) shall meet the requirements set forth in sections 5319.12, 5319.13, 5319.14 and 5319.35 of this Part.
(a) Communication protocol. Each component of an ETG system shall function as indicated by the communication protocol implemented. All protocols shall use communication techniques that have proper error detection and/or recovery mechanisms that are designed to prevent unauthorized access or tampering, employing data encryption standards or equivalent encryption with secure seeds or algorithms. Any alternative measures shall require approval of the commission in writing.
(b) System integrity. The server or system component or components shall reside in a secure area where access is limited to authorized staff as set forth in the gaming facility licensee’s approved system of internal controls. Access to the logic components of the game shall be logged on the system or on a computer or other logging device that resides outside the secure area and is not accessible to the employee or employees gaining access to the secure area.
(1) The logged data shall include time and date and user login.
(2) The resulting logs shall be retained for a minimum of 90 days.
(c) RNG. Each RNG shall meet the requirements set forth in section 5319.35 of this Part and the following requirements:
(1) In the game selection process:
(i) each possible permutation or combination of game elements that produces winning or losing game outcomes shall be available for random selection at the initiation of each play, unless otherwise denoted by the game;
(ii) after selection of the game outcome, the ETG shall not make a variable secondary decision that affects the result shown to the player; and
(iii) an ETG shall use protocols that effectively protect the RNG and random selection process from influence by associated equipment that may be communicating with the ETG.
(2) The RNG shall be cycled continuously in the background between games and during game play at a speed that cannot be timed by the player. Periods when the RNG may not be cycled (e.g., interrupts) shall be kept to a minimum.
(3) The first seed shall be determined randomly by an uncontrolled event such that the seed randomly changes after every game. A licensed manufacturer is not required to use a random seed so long as such manufacturer shall ensure that games do not synchronize.
(4) Games depicting cards being drawn from a deck shall meet the following requirements:
(i) at the start of each hand, the cards shall be drawn from a randomly shuffled deck;
(ii) replacement cards shall not be drawn until needed and allow for multi-deck and depleting decks in accordance with game rules;
(iii) cards once removed from the deck shall not be returned to the deck except as provided by the rules of the game depicted; and
(iv) as cards are removed from the deck, such cards shall be used immediately as directed by the rules of the game.
(d) Maintenance of critical memory. Critical memory storage may be maintained by the player terminal or the system, where applicable.
(e) Player interface terminal requirements. Player interface terminals may either be a display mechanism where the system performs all operations of the game (also known as thin client) or a mechanism that contains its own logic function in conjunction with the ETG (also known as thick client). Such player interface terminals shall meet the hardware and software requirements set forth in this Part.
(f) Notification of non-compliance. A gaming facility shall report any requirements that cannot be met as a result of manual intervention from a live dealer to the commission prior to submission for required testing as set forth in Part 5318 of this Subchapter.
Text of proposed rule and any required statements and analyses may be obtained from:
Kristen Buckley, New York State Gaming Commission, One Broadway Center, 6th Floor, Schenectady, NY 12305, (518) 388-3407, email: kristen.buckley@gaming.ny.gov
Data, views or arguments may be submitted to:
Same as above.
Public comment will be received until:
45 days after publication of this notice.
Regulatory Impact Statement
1. STATUTORY AUTHORITY: Racing, Pari-Mutuel Wagering and Breeding Law (“Racing Law”) section 104(19) grants authority to the Gaming Commission (“Commission”) to promulgate rules and regulations that it deems necessary to carry out its responsibilities. Racing Law section 1307(1) authorizes the Commission to adopt regulations that it deems necessary to protect the public interest in carrying out the provisions of Racing Law Article 13.
Racing Law section 1335(8) authorizes the Commission to regulate the testing of gaming devices and associated equipment.
Racing Law section 1335(8) authorizes the Commission to establish technical standards for the testing and certification of gaming devices and associated equipment.
2. LEGISLATIVE OBJECTIVES: The above referenced statutory provisions carry out the legislature’s stated goal “to tightly and strictly” regulate casinos “to guarantee public confidence and trust in the credibility and integrity of all casino gambling in the state and to prevent organized crime from any involvement in the casino industry” as set forth in Racing Law section 1300(10).
3. NEEDS AND BENEFITS: The proposed rules implement the above listed statutory directives regarding the technical specifications for the testing and certification of electronic table game systems. The rules represent the best practices in areas of communication protocol, system integrity, random number generators, maintenance of critical memory, player interface terminals and notification in case of non-conformance.
4. COSTS:
(a) Costs to the regulated parties for the implementation of and continuing compliance with these rules: The gaming facilities are required to have electronic table game systems tested and certified by an independent testing laboratory. The total fee for an independent testing laboratory’s inspection and certification will be approximately $500,000 to $750,000 annually.
(b) Costs to the regulating agency, the State, and local governments for the implementation of and continued administration of the rule: The costs to the Commission for the implementation of and continued administration of the rule will be negligible given that all such costs are the responsibility of the gaming facility. These rules will not impose any additional costs on local governments.
(c) The information, including the source or sources of such information, and methodology upon which the cost analysis is based: The cost estimates are based on the Commission’s experience regulating racing and gaming activities within the State.
5. LOCAL GOVERNMENT: There are no local government mandates associated with these rules.
6. PAPERWORK: The rule is not expected to impose any significant paperwork or reporting requirements for regulated entities.
7. DUPLICATION: These rules do not duplicate, overlap or conflict with any existing State or federal requirements.
8. ALTERNATIVES: The Commission consulted stakeholders and reviewed other gambling jurisdictions' best practices and regulations. Alternatives were discussed and considered with stakeholders and compared to other jurisdictions' regulations. These include clarifications on the definition of an authorized person, remote access procedures and denotation of games where winning and losing game outcomes are not available for random selection at the initiation of each play.
9. FEDERAL STANDARDS: There are no federal standards applicable to the licensing of gaming facilities in New York; it is purely a matter of New York State law.
10. COMPLIANCE SCHEDULE: The Commission anticipates that the affected parties will be able to achieve compliance with these rules upon adoption.
Regulatory Flexibility Analysis, Rural Area Flexibility Analysis and Job Impact Statement
These rules establish the standards for electronic table game systems and will not have any adverse impact on small businesses, local governments, jobs or rural areas.
These rules do not impact local governments or small businesses as it is not expected that any local government or small business will hold a gaming facility license.
These rules impose no adverse impact on rural areas. These rules apply uniformly throughout the state and solely apply to licensed gaming facilities.
These rules will have no adverse impact on job opportunities.
These rules will not adversely impact small businesses, local governments, jobs, or rural areas. Accordingly, a full Regulatory Flexibility Analysis, Rural Area Flexibility Analysis, and Job Impact Statement are not required and have not been prepared.