The objective of the requirements in this section is to ensure the Gaming Management System provides accounting, monitoring, cashless wagering, or a combination of these functions in an auditable manner while maintaining integrity and security.

12.1 General Requirements

12.1.1 The Gaming Management System must be protected from unauthorized access.

12.1.2 Sensitive data, including player personal information and data relevant to determining Game outcomes, must be protected from unauthorized access at all times.

12.1.3 Communication of sensitive Game data must be protected for integrity.

12.1.4 Gaming Management Systems must comply with the standards in section 6.1 entitled, “General Communication”.

12.2 Critical Software Integrity

12.2.1 In order to ensure compromised Critical Software is not executed by the Gaming Management System, the Gaming Management System must verify the integrity of its Critical Software prior to the Critical Software being executed, and verify the integrity of its Critical Software automatically thereafter.

The system interface devices deployed at the Gaming Site to communicate directly between the Gaming Devices and the Gaming Management System are considered part of the Gaming Management System, and the software on the system interface devices is considered part of the Critical Software of the Gaming Management System.

Note: This standard will become effective July 1, 2020.

12.2.2 The integrity of Critical Software must be safeguarded during its execution.

12.3 On-Demand Authentication

12.3.1 All software critical to the integrity of the Gaming Management System must be able to be securely authenticated on-demand using a mechanism provided by the Gaming-Related Supplier that meets industry good practices when deployed at Gaming Sites to ensure only approved Gaming Management System software is installed.

12.4 Access Control

12.4.1 The Gaming Management System must limit access to only authorized personnel, for various functions, based on segregation of duties.

12.4.2 All user accounts on the Gaming Management System must be uniquely assigned to a single individual.

12.4.3 The Gaming Management System must automatically lock out user accounts should identification and authorization requirements not be met after a defined number of attempts.

12.5 Records and Reporting

12.5.1 The Gaming Management System must accurately record all activities related to additions, changes, or deletions made to user accounts and critical Gaming Management System features, functions, settings, and parameters for audit purposes.

12.5.2 All transactions initiated, captured and maintained by the Gaming Management System must include the origin (e.g. the Gaming Device, the Gaming Management System user account, etc.) of the activity, transaction, event, or any combination of these, and date and time stamping.

12.5.3 Reporting capability must be available to satisfy audit and reconciliation of the Gaming Devices transactions captured by the Gaming Management System as well as the Gaming Management System transactions.

12.6 Slot Accounting Systems

12.6.1 Slot Accounting Systems must comply with the standards from the following sections:  12.1 entitled “General Requirements”, 12.2 entitled “Critical Software Integrity”, 12.3 entitled “On-Demand Authentication”, 12.4 entitled “Access Control”, and 12.5 entitled “Records and Reporting”.

12.6.2 The Slot Accounting System must accurately receive, accurately record, accurately maintain, and securely store each connected Gaming Devices’ accounting meters in accordance with section 5 entitled, “Accounting Meters” to enable reconciliation, reporting, and audit to be performed

Guidance:

An acceptable approach to meet this standard is by accurately receiving, accurately maintaining, and securely storing each connected Gaming Devices’ accounting meters in accordance with industry standard protocols (e.g. SAS, G2S).

12.7 Slot Monitoring Systems

12.7.1 Slot Monitoring Systems must comply with the standards from the following sections:  12.1 entitled “General Requirements”, 12.2 entitled “Critical Software Integrity”, 12.3 entitled “On-Demand Authentication”, 12.4 entitled “Access Control”, and 12.5 entitled “Records and Reporting”.

12.7.2 The Slot Monitoring System must be capable of receiving, recording, and alerting the Operator in real-time of all events and error conditions that may impact Game integrity, security or otherwise warrant Operator intervention such as unauthorized door opened status, jackpot events, etc.

12.7.3 The Slot Monitoring System must be capable of detecting, recording, and alerting the Operator in real-time of any communication loss and door access events at all times including during power loss to Gaming Devices.

12.7.4 The Slot Monitoring System must be capable of initiating the authentication of the Critical Software of all Gaming Devices it interfaces with (e.g. via SAS LP21 or Read-Only Memory Signature (ROMSig)), recording the results of authentications of Critical Software on the Gaming Devices performed in comparison with the expected results stored in the Slot Monitoring System, and initiating the disabling of the Gaming Devices or another action to enable the Operator to ensure only approved Critical Software is being used by the Gaming Devices.

12.7.5 The Slot Monitoring System must be capable of remotely initiating the disabling of the Gaming Devices it is monitoring on demand.

12.7.6 Slot Monitoring Systems (including multi-site Slot Monitoring Systems) must not allow alteration of any critical configurations or settings that affect the security, integrity or accounting capabilities of the Gaming Management System or the Gaming Devices.  This includes but is not limited to disabling of the Critical Software authentication. 

12.8 Cashless Wagering Systems

12.8.1 Cashless Wagering Systems must comply with the standards from the following sections:  12.1 entitled “General Requirements”, 12.2 entitled “Critical Software Integrity”, 12.3 entitled “On-Demand Authentication”, 12.4 entitled “Access Control”, and 12.5 entitled “Records and Reporting”.

12.8.2 The Cashless Wagering System must securely and accurately process, record, capture, communicate, monitor status and store all connected Gaming Devices’ cashless transactions for reconciliation and audit purposes.

12.8.3 The Cashless Wagering System must accurately issue, record, maintain, validate, and redeem only valid cashless Wagering Instruments.

12.8.4 The Cashless Wagering System must accurately distinguish between cashable and non-cashable transactions, if applicable, and between different categories of the player’s account such as player deposit funds and promotional funds.

12.8.5 The Cashless Wagering System must have a settable limit for the maximum value of a Wagering Instrument (e.g. Voucher) that can be accepted by or produced by any connected Gaming Devices.

12.8.6 Sufficient information to identify the following must be included on all wagering Vouchers and Coupons produced by Gaming Devices connected to the Cashless Wagering System:

  1. Gaming Site;
  2. Gaming Device identifier or printer station identifier, as applicable;
  3. Date and time of issuance; and
  4. Unique Identifiers (e.g. bar code, validation and sequence numbers, etc.).

12.8.7 Information which could compromise Voucher integrity when displayed on electronic devices including, but not limited to, Gaming Devices must not be available to unauthorized individuals (e.g. information that could be used to counterfeit unredeemed Vouchers).

Guidance:

One of the acceptable approaches to meet this standard is by appropriately masking the validation numbers of unredeemed Vouchers when viewable through any display, aside from on the Voucher itself, to prevent generation of counterfeit Vouchers.

12.8.8 In case of power loss of communication between Cashless Wagering System and the Gaming Device, an offline Voucher may be issued provided that:

  1. The Voucher is capable of being authenticated by the Cashless Wagering System as a unique and valid Voucher; and
  2. The Voucher amount can be validated.

12.8.9 For Cashless Wagering Systems that include Wagering Accounts, the Cashless Wagering System must securely and accurately record, communicate, maintain and process all transactions associated with player accounts, and accurately record and maintain each player’s account balance including, but not limited to, deposits, withdrawals, and transfers between Gaming Devices.