New Jersey Administrative Code
Title 17 - TREASURY - GENERAL
Chapter 20 - RULES OF THE LOTTERY COMMISSION
Subchapter 12 - COURIER SERVICES
Section 17:20-12.11 - General requirements for courier service website, mobile application, and system
Current through Register Vol. 56, No. 24, December 18, 2024
(a) Technologies related to courier service customer accounts and ticket sales, including data warehouse, redundant/failover system, or backup systems relating to the courier service website or mobile application shall be physically located in the United States. Any redundant/failover system, or backup systems shall be located on an alternative power grid within the United States. Other supporting or ancillary technologies are not subject to the requirements of this section.
(b) The courier service system, including website and mobile application, shall adhere to cyber security best practices for the security of its systems, including the data, servers, and network(s) contained within, and shall have sufficient audit logs for purposes of tracking activity within the courier service system by both courier service employees and courier customers.
(c) The courier service system shall at all times deploy a geolocation software system that will permit courier customer orders for ticket purchases be made only from within the borders of the State of New Jersey. Once logged on, the geolocation software shall detect the physical location of the courier customer every 10 minutes. If the system detects that the physical location of the courier customer is in an area unauthorized for ordering tickets, the system shall not accept orders for ticket purchases until such time that the courier customer is within the borders of New Jersey. Geolocation is not required for creating an account, logging into an account, funding an account, or any other action that does not involve ordering tickets. The geolocation software that the courier deploys must be tested and approved pursuant to N.J.A.C. 17:20-12.14. Such testing and approval shall be obtained at the courier's expense. In the event that the courier service system is not deploying the geolocation software, the courier service system shall suspend all orders for ticket purchases until such time the geolocation software is functioning properly.
(d) The courier service shall at all times deploy age verification software that will permit logon and purchases to be made only by those 18 years of age and older. In the event that the courier service system is not deploying the age verification software, the courier service system shall suspend all courier services to courier customers until such time the age verification software is functioning properly. Any sale of a ticket or share to any person under 18 is a disorderly person offense, pursuant to the State Lottery Law, and in addition to the consequences for the disorderly persons offense, such sale shall also be grounds for suspension, revocation, or termination of the courier service. Additionally, the Director may impose fines, penalties, and/or a corrective action plan pursuant to N.J.A.C. 17:20-5.1(e), 5.3, and 9, in addition to other actions permitted under the law.
(e) A courier service system shall, at a minimum, include the following features consistent with its application as approved by the Director:
(f) The courier service system used for taking orders from courier customers to purchase tickets shall not contain unauthorized data collection, file extraction, malware, or any other feature that compromises the integrity of the courier customer electronic devices or the data contained therein.
(g) The courier service system shall allow a courier customer to order tickets only after the courier customer has established a courier service customer account in accordance with N.J.A.C. 17:20-12.15.
(h) If a courier customer has suspended or self-excluded his or her account, a courier service shall not send any form of gaming-related correspondence, whether by electronic mail, postal mail, delivery service, or by any other means to such courier customer while the account is suspended or self-excluded.
(i) If a courier service system allows a courier quick pick process, the courier service shall propose its quick pick process during the application process. The courier service quick pick process can be accomplished either through a random number generator (RNG) that is resident on a courier service's system or the RNG that is resident in the dedicated terminal. Should a courier service propose to utilize the RNG resident on its system, the courier service shall have the RNG independently certified. A certification report from a qualified company or the New Jersey Division of Gaming Enforcement shall be provided to the Division as part of the initial application and renewal process. Any changes to or malfunction of the RNG shall be reported immediately to the Division and the Division may, at the discretion of the Director, require the courier service to obtain a re-certification from a qualified company or the New Jersey Division of Gaming Enforcement. Initial certification and re-certification shall be at the expense of the courier service. Certification is not necessary if the courier service is utilizing the RNG resident in the dedicated terminal.
(j) As technology and industry best practices advances, at the discretion of the Director, the Division may impose additional technological requirements for the courier service system upon reasonable written notice provided to the courier service to insure the security and integrity of the courier service system.
(k) The courier service system shall be subject to random and scheduled audits by the Lottery or independent auditors representing the Division. Random audits shall be conducted without advance notice.
(l) The courier customer shall be provided with a prominent notice if he or she navigates away from the official courier service website or mobile application and the website and mobile application shall require that the courier customer acknowledge he or she is leaving the courier service website or mobile application and the risk associated with same, prior to the courier customer leaving the courier service's website or mobile application.
(m) The message "If you or someone you know has a gambling problem and wants help, call 1-800-Gambler" shall be displayed prominently within the website and/or mobile log on screen and a command to display this message on the log off screen shall be transmitted whenever the system detects a log off. The courier service is also encouraged to also employ technology to include in-app text messaging to 1-800-Gambler.
(n) A courier service may employ a method or means to print play slips or facsimiles thereof, after approval by the Director. No such approval shall be granted by the Director until the courier-produced play slip or facsimile performs at least as accurately as the Division's official play slips.
(o) All courier service system communications that contain courier customer account numbers, user identification, or passwords and PINs shall utilize a secure method of transfer per current security best practices (for example, as of August 6, 2018, 128-bit key encryption) and approved by the Division. This requirement is subject to subsection (j) above. The method of transfer will be reviewed during the initial registration application process and each registration renewal to assure that security best practices are followed.
(p) The courier service system shall electronically log the date and time any website or mobile courier customer account is created, suspended, terminated, deleted, or any other material status changes, including changes indicative of anomalous activity.
(q) A courier service system shall maintain all information necessary to recreate courier customer orders for tickets and account activity during each courier customer session, including any identity or location verifications, for a period of no less than seven years.
(r) The courier service system shall provide a courier customer with the following:
(s) A courier service shall provide to the Division, in an electronic format acceptable to the Division, the following data in regard to each drawing for which such courier service provides a ticket. The Division shall receive the data outlined below no later than 15 minutes before the drawing to which such data relates. The submission of such data to the Division does not constitute ticket processing and shall not be sufficient evidence of a purchased ticket. Ticket processing must occur pursuant to the requirements of N.J.A.C. 17:20-12.16 in order to generate a ticket that may be submitted for a prize claim. Method of preferred submission will be provided by the Lottery in the courier service registration approval letter. See N.J.A.C. 17:20-12.16.
(t) A courier service shall report immediately all significant incidents related to the operation of such courier service's system, either personally or by telephone, within one hour of the discovery of the incident, followed by a letter addressed to the Director within 24 hours of the incident. At a minimum, the courier service shall provide a written report for each of the following types of events: