Current through Register Vol. 50, No. 9, September 20, 2024
A. Operators shall use a sports wagering
platform to offer, conduct, or operate sports wagering in accordance with the
Act and regulations set forth by the board.
1. Operators shall comply with, and the
division or board adopts and incorporates by reference, the Gaming Laboratories
International, LLC Standard, GLI-33: Standards for Event Wagering systems and
its Appendices, version 1.1 and any future amendments and updates thereto. The
GLI-33 standards are intended to supplement rather than supplant other
technical standards and requirements under these rules.
2. A sports wagering platform utilized to
conduct sports wagering shall meet the specifications of these rules and any
additional technical specifications prescribed by the board or the division.
Failure to comply with the approved specifications, internal controls, or
technical specifications may be grounds for administrative action by the
board.
B. Operators
shall submit all equipment and software utilized with the sports wagering
platform to a designated gaming laboratory approved by the division for an
initial certification to ensure the sports wagering platform is in operational
compliance with the Act, these regulations, division technical guidelines, and
internal controls. The certification report shall, at a minimum, identify
system interfaces of service providers and the applicable methods, programs,
protocols and security measures implemented by the operator to ensure
compliance.
C. At the discretion of
the division, additional testing or re-certification of the entire sports
wagering platform may be required and shall be completed by a designated gaming
laboratory approved by the division. The licensee or operator shall incur all
costs associated with the testing of the sports wagering platform. Failure on
the part of the licensee or operator to incur these costs may be grounds for
administrative action by the division.
D. Upon placing a sports wager at a cashier
or sports wagering mechanism, the player shall receive an unalterable virtual
or printed wager record (ticket) which shall contain, at a minimum:
1. name and address of the operator, and
licensee if different, issuing the ticket;
2. the date and time the sports wager was
placed;
3. the date and time the
sports event is expected to occur;
4. any patron choices involved in the sports
wager including, but not limited to:
a. sports wager selection(s);
b. type of sports wager and line postings;
c. any special condition(s) applying to the sports wager;
d. pay out, applicable at the time the sports wager is placed;
5. total amount wagered, including any
promotional play if applicable;
6. sports event and market identifiers;
7. a barcode or similar symbol or marking as approved by the division,
corresponding to the unique wager identifier; and
8. the cashier or self wagering mechanism that generated the ticket.
E. If the sports wagering platform issues and
redeems a sports book voucher, the system shall be capable of recording the
following information for each voucher:
1. amount of voucher;
2. date, time, and location of issuance;
3. unique voucher identifier used for redemption, at least three digits of
which shall be masked on all system menus, printed reports, and displays,
except when accessed by users with supervisor or higher authority, for all
unredeemed and unexpired vouchers;
4. expiration date of the voucher; and
5. date, time, and location of redemption, if applicable.
F. Sports book vouchers issued by a sports
wagering platform shall contain the following information:
1. date, time, and location of issuance;
2. amount of the voucher;
3. unique voucher identifier;
4. expiration date of the voucher;
5. name of permit holder; and
6. an indication that the voucher can only be redeemed in exchange for a
sports wager or cash.
G. A sports
wagering platform system that offers in-play wagering shall be capable of the
following:
1. the accurate and timely update of odds for in-play wagers;
2. the ability to notify the patron of any change in odds after a wager is
attempted that is not beneficial to the patron;
3. the ability for the patron to confirm the
wager after notification of the odds change; and
4. the ability to freeze or suspend the
offering of wagers, when necessary.
H. A sports wagering platform shall be
capable of performing the following functions:
1. creating wagers;
2. settling wagers;
3. reprinting tickets;
4. resettling wagers;
5. voiding wagers;
6. cancelling wagers; and
7. preventing the acceptance of wagers on
prohibited sports events.
I. When a sports wager is voided or
cancelled, the operator shall clearly indicate that the ticket is voided or
cancelled, render it nonredeemable, and make an entry in the system indicating
the void or cancellation and identity of the cashier or automated
process.
J. A sports wagering
platform shall prevent past posting of wagers and the cancellation of wagers
after the outcome of an event is known.
K. In the event a patron has a pending sports
wager and then the licensee or its operator becomes aware of the patron
self-excluding, the wager shall be governed in accordance with the Act, these
regulations, and internal controls.
L. A sports wagering platform shall, at least
once every 24 hours, perform a self-authentication process on all software used
to offer, record, and process wagers to ensure there have been no unauthorized
modifications. In the event of an authentication failure, the sports wagering
platform operator shall notify the appropriate casino licensee employees as
provided in the internal controls using an automated process. The licensee
shall notify the division of the authentication failure within 24 hours. The
results of all self-authentication attempts shall be recorded by the system and
maintained for a period of 90 days.
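
One way to implement the subsection L check, as an added example that is not part of the regulation or any platform's code: it assumes a SHA-256 manifest of the approved files, and the file names, manifest layout and function names are hypothetical. A failed result is the record that would drive the automated notification.

```python
import hashlib
import hmac
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

MAX_INTERVAL = timedelta(hours=24)  # subsection L: run at least once every 24 hours
RETENTION = timedelta(days=90)      # subsection L: keep every result for 90 days

def sha256_file(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def self_authenticate(root, manifest, now):
    """Check each file against the approved manifest; return one result record."""
    failures = []
    for rel, expected in sorted(manifest.items()):
        if not (root / rel).is_file():
            failures.append((rel, "missing"))
        elif not hmac.compare_digest(sha256_file(root / rel), expected):
            failures.append((rel, "digest mismatch"))
    # A file on disk that the manifest does not list is also an unauthorized change.
    for p in sorted(root.rglob("*")):
        rel = p.relative_to(root).as_posix()
        if p.is_file() and rel not in manifest:
            failures.append((rel, "not in manifest"))
    return {"time": now, "passed": not failures, "failures": failures}

def record_result(log, result):
    """Append every attempt, pass or fail; drop only records older than 90 days."""
    cutoff = result["time"] - RETENTION
    return [r for r in log if r["time"] >= cutoff] + [result]

def check_overdue(log, now):  # True when the last recorded attempt is over 24 h old
    return not log or now - log[-1]["time"] > MAX_INTERVAL

def demo():
    """Constructed sample: two stand-in files, one modified after approval."""
    t0 = datetime(2024, 9, 20, 3, 0, tzinfo=timezone.utc)
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "settle.py").write_text("def settle(): return 'ok'\n")
        (root / "odds.cfg").write_text("feed=primary\n")
        manifest = {p.name: sha256_file(p) for p in root.iterdir()}
        log = record_result([], self_authenticate(root, manifest, t0))
        (root / "settle.py").write_text("def settle(): return 'changed'\n")
        log = record_result(log, self_authenticate(root, manifest, t0 + MAX_INTERVAL))
    return log

if __name__ == "__main__":
    print(demo())
```
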
M. A sports wagering platform shall have
controls in place to review the accuracy and timeliness of any data feeds used
to offer or settle wagers. In the event that an incident or error occurs that
results in a loss of communication with data feeds used to offer or redeem
wagers, such error shall be recorded in a log capturing the date and time of
the error, duration of the error, the nature of the error, and a description of
its impact on the system's performance. Such information shall be maintained
for a period of two years.
N. The
sports wagering platform operator shall provide access to wagering transaction
and related data as deemed necessary by the division in a manner approved by
the division.
O. A sports wagering
platform shall be capable of preventing any wager in excess of $10,000 or
making a payout in excess of $10,000 until authorized by a supervisor, unless
pre-approved and in accordance with internal controls or house rules.
P. A sports wagering platform shall be
capable of recording and storing the following information for each wager made:
1. description of the event;
2. wager selection;
3. type of wager;
4. amount of wager;
5. amount of potential payout or an
indication that it is a pari-mutuel wager;
6. date and time of wager;
7. identity of the cashier accepting the wager;
8. unique wager identifier, which shall be masked on all system menus,
printed reports, and displays, except when accessed by users with supervisor
or higher authority, for all unredeemed and unexpired wagers;
9. expiration date of ticket;
10. patron name, if known;
11. date, time, amount, and description of the settlement;
12. location where the wager was made;
13. location of redemption; and
14. identity of cashier settling the wager if applicable.
Q. For all lost tickets that are redeemed, a
sports wagering platform shall record and maintain the following information:
1. date and time of redemption;
2. employee responsible for redeeming the ticket;
3. name of patron redeeming the wager;
4. unique ticket identifier; and
5. location of the redemption.
R. For all
sports wagering accounts, a sports wagering platform shall record and maintain
the following information:
1. a unique player identification;
2. the player's identity details including, but not limited to: player's
legal name; date of birth; and residential address;
3. any self-restrictions;
4. any previous accounts; and
5. the date and location from which the sports wagering account was
registered or accessed.
S. Operators
shall provide the following information upon demand by the board or division.
As appropriate, the information shall include, at a minimum, month to date and
year to date:
1. total sports wagering account
deposits for the requested period;
2. total sports wagering account withdrawals
for the requested period;
3. total sports wagers collected from players; and
4. total winnings paid to players.
T. A sports wagering platform
shall be capable of recognizing valid tickets and vouchers that contain a
duplicate unique wager identifier used for redemption and require the
redemption by a ticket writer.
U. A
sports wagering platform shall be capable of preventing the redemption of any
vouchers or tickets when the data related to the vouchers or tickets has been
manually altered outside of the approved system procedures.
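
One possible way to meet the masking rule in subsection E.3 and the altered-data rule in subsection U, as an added example that is not part of the regulation or any platform's code: it assumes each voucher record carries an HMAC seal that only the approved issue and redeem paths recompute. The key, role names and field names are hypothetical.

```python
import hashlib
import hmac
import json
from datetime import date

SEAL_KEY = b"constructed-demo-key"  # assumption: production key is held in an HSM
SUPERVISOR_ROLES = {"supervisor", "manager"}  # hypothetical role names
SEALED = ("voucher_id", "amount_cents", "issued", "location", "expires", "redeemed")

def seal(v):
    """HMAC-SHA256 over a canonical encoding of the subsection E fields."""
    msg = json.dumps({k: v[k] for k in SEALED}, sort_keys=True, default=str)
    return hmac.new(SEAL_KEY, msg.encode(), hashlib.sha256).hexdigest()

def issue(voucher_id, amount_cents, issued, location, expires):
    v = dict(zip(SEALED, (voucher_id, amount_cents, issued, location, expires, None)))
    v["seal"] = seal(v)
    return v

def display_id(v, role, today):
    """Mask the identifier for non-supervisors while the voucher is live."""
    live = v["redeemed"] is None and today <= v["expires"]
    vid = v["voucher_id"]
    if role in SUPERVISOR_ROLES or not live:
        return vid
    shown = max(0, min(4, len(vid) - 3))  # never fewer than three masked digits
    return "*" * (len(vid) - shown) + vid[len(vid) - shown:]

def redeem(v, today, location):
    """The approved path: verify the seal, check state, update, then reseal."""
    if not hmac.compare_digest(seal(v), v["seal"]):
        return "refused: record altered outside approved procedures"
    if v["redeemed"] is not None:
        return "refused: already redeemed"
    if today > v["expires"]:
        return "refused: expired"
    v["redeemed"] = f"{today.isoformat()} @ {location}"
    v["seal"] = seal(v)
    return "redeemed"

def demo():
    """Constructed voucher: a direct edit to the stored amount blocks redemption."""
    v = issue("9041772655", 2500, date(2024, 9, 1), "Window 3", date(2024, 12, 1))
    masked = display_id(v, "cashier", date(2024, 9, 20))
    v["amount_cents"] = 250000  # manual change that bypasses issue()/redeem()
    return masked, redeem(v, date(2024, 9, 20), "Window 1")

if __name__ == "__main__":
    print(demo())
```
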
V. All servers necessary for the processing
of sports wagers, other than backup servers, shall be physically located in
Louisiana, and shall be located in a restricted area with adequate security and
surveillance in accordance with internal controls and as approved by the
division. Other servers used in the operation of the sports book may be located
outside of the state as long as they are not used to process sports wagers. The
board may approve of the use of internet or cloud-based hosting of duplicate
data or data not related to transactional wagering data upon written request of
an operator or licensee.
W. All
sports wagering mechanisms shall be submitted to a designated gaming laboratory
for testing and required certification prior to being placed at a licensed
premise. A designated gaming laboratory shall certify that the sports wagering
mechanism meets or exceeds the most current board approved version of standards
for sports wagering mechanisms, or equivalent standards as approved by the
board, and the standards established by the board or the division.
X. System Integrity and Security Assessment
1. Operators of online sports wagering shall,
within 90 days of commencing sports wagering operations in this state and
annually thereafter, perform a system integrity and security assessment of
sports wagering platforms and systems which shall be conducted by an
independent professional selected by the licensee and subject to approval of
the division. The scope shall include, at a minimum: a vulnerability assessment
of digital platforms, mobile applications, internal, external, and wireless
networks with the intent of identifying vulnerabilities of all devices, the
sports wagering platform, and applications transferring, storing, and/or
processing personal identifying information and other sensitive information
connected to or present on the networks; a penetration test of all digital
platforms, mobile applications, internal, external, and wireless networks to
confirm if identified vulnerability of all devices, the sports wagering
platform, and applications are susceptible to compromise; a review of the
firewall rules to verify the operating condition of the firewall and the
effectiveness of its security configuration and rule sets performed on all the
perimeter firewalls and the internal firewalls; a technical security control
assessment against the provisions adopted in these rules with generally
accepted professional standards and as approved by the board; an evaluation of
information security services, cloud services, payment services (financial
institutions, payment processors, etc.), location services, and any other
services which may be offered directly by the operator or involve the use of
third parties; and any other specific criteria or standards for the sports
wagering platform integrity and security assessment as prescribed by the board.
The assessment report shall be submitted to the division no later than 30 days
after the assessment is conducted (and in no event later than July 1) and shall
include, at a minimum: scope of review; name and company of affiliation of who
conducted the assessment; date of assessment findings; recommended corrective
action, if any; and the operator's response to the findings and recommended
corrective action.
2. Consistent
with Chapter 28 of Part III of this Title, licensees conducting sports wagering
at its licensed premises shall perform a system integrity and security
assessment of sports wagering platforms and systems used for conducting retail
sports wagering, which shall be completed by an independent professional
selected by the licensee and subject to approval of the division. No later than
36 months from its last assessment, the licensee shall submit the results of an
independent system integrity and security assessment to the division for
review, subject to the following requirements:
a. the testing organization must be
independent of the licensee and casino operator;
b. results from the network security risk
assessment shall be submitted to the division no later than 90 days after the
assessment is conducted;
c. at the discretion of the division, additional network security risk
assessments may be required; and
d. a licensee shall periodically, but no later than 36 months from its last
assessment, assess the
risk to operations, assets, patrons, employees, and other individuals or
entities resulting from the operation of the casino's computer systems and the
processing, storage, or transmission of information and data. The assessment
shall be documented and recorded in a manner that can be displayed or printed
upon demand by the board or division and shall be maintained for a period of
five years. Licensees shall assess the collection of personnel and patron data
annually to ensure that only information necessary for the operation of the
business is collected and maintained. No unnecessary personal information shall
be retained.
3. The
licensee may submit for approval a request to the division to leverage the
results of prior assessments within the past year conducted by the same
independent professional against standards such as ISO/IEC 27001, ISO/IEC
27017, ISO/IEC 27018, the NIST Cybersecurity Framework (CSF), the Payment Card
Industry Data Security Standards (PCI-DSS), or equivalent. Such leveraging
shall be noted in the independent professional's report. This leveraging does
not include critical components unique to the state which will require more
current and separate assessments.
Y. Sports wagering platforms and systems
shall provide a mechanism for the board or division to query and export, in a
format approved by the board or division, all sports wagering platform
data.
Z. The sports wagering
platform and systems shall be designed in a way to comply with all federal
requirements including, but not limited to suspicious wagering activity; Title
31 of the United States Code; and W-2G reporting.
AA. Upon request by the division, sports
wagering operators shall create test accounts for the division's use to conduct
compliance inspections and testing of the sports wagering platform.
BB. The licensee may establish test accounts
to be used to test the various components and operation of a sports wagering
platform pursuant to its division approved internal control procedures which
must address procedures for identifying test accounts, issuing funds,
maintaining proper records for all test accounts and conducting audits of all
test activity to ensure proper adjustments to gross sports wagering revenue and
any additional requirements specified by the division.
AUTHORITY NOTE: Promulgated in accordance with R.S. 27:15 and 24.