Technical requirements on gambling operators for obtaining a licence to provide online gambling services in Denmark v1.09
Instructions for technical requirements. Standard Records SAFE Tamper Token. The document describes the detailed technical requirements with respect to Standard Records, SAFE, Tamper Token and ROFUS. The document also proposes suggestions for how the Licence Holder may perform quality assurance.


  • Technical requirements on gambling operators for obtaining a licence to provide online gambling services in Denmark Version 1.09
Contents

Change log
1.0 Introduction
2.0 Introduction to the overall system complex
3.0 General requirements
4.0 SAFE – The Licence Holder’s data store
4.1 Technical requirements for SAFE
4.2 Use case and process for retrieving data from SAFE
UC 2.1 Retrieve Standard Records from SAFE
5.0 Interface to security system – Tamper Token
5.1 Technical requirements in relation to Tamper Token
6.0 Interface to the Problem Gambling Register (ROFUS)
6.1 Technical requirements in connection with the Problem Gambling Register
6.2 Inquiry to ROFUS upon account opening and account login
6.2.1 Inquiry to ROFUS when accounts are opened
6.2.2 Process description – inquiry to ROFUS upon account login
7.0 Technical information to be given in the application form
8.0 Connection process

Change log

Version | Description of changes | Date
1.01 | Document published | 20-10-2010
1.02 | Minor proof corrections and name changes of services in section 5.1 | 26-10-2010
1.03 | Change log added. Minor proof corrections and addition of section 4 and 4.1 | 05-11-2010
1.04 | Minor proof corrections in section 4.0 (Data transfer is done over the internet with FTPS.) ROFUS is the short version of The Problem Gambling Register. Corrections in section 6.0. Licence Holder cannot carry out entries of a person in the Problem Gambling Register (ROFUS) which is why the service GamlerCreate is no longer used. | 30-06-2011
1.05 | Minor corrections in the process diagram regarding the account opening. |
1.06 | Corrections regarding the checking of a player's civil registration number. Adding allowed certificates for FTPS. Adding IP addresses for accessing SAFE. | 25-10-2011
1.07 | Bullet 14 added to section 4.1. The bullet holds a description of the configuration of the FTPS connection to SAFE, including change of port from port 22 as previously specified. The change of port has been done in order to be consistent with common internet standards for FTPS. | 18-11-2011
1.08 | Section 4.1 has been updated with IP addresses. | 23-01-2012
1.09 | Section 8.0. Information about the connection process can be found on Danish Gambling Authority’s website | 15-02-2012
1.0 Introduction

The purpose of this document is to describe the technical requirements to be met by the Licence Holder before a licence is granted. The requirements are described in relation to the systems that will be used in connection with the Danish Gambling Authority's control of the Licence Holder, i.e. the Licence Holder's data store - SAFE, the security system Tamper Token and the Problem Gambling Register (ROFUS).

The individual sections contain descriptions of the requirements to be met by the Licence Holder in relation to data, processes and interfaces in connection with gambling and gambling control.

Next, there is an outline of the requirements in respect of technical information in connection with the application process. The requirements stated as to information to be provided in the application process are not exhaustive at this time. Thus, it should be expected that there will be further requirements on gambling operators in connection with their licence applications, including a gambling systems approval procedure.

The document will also be updated with information about the elements of the connection process upon approval.
2.0 Introduction to the overall system complex

The overall system complex for gambling control is shown in the illustration below.

[Figure: Outline of the components of the overall gambling and control system]

The system complex consists of the Licence Holder's gambling system, the Licence Holder's data store (SAFE), a security system (Tamper Token) and a Problem Gambling Register (ROFUS).

1. SAFE is the Licence Holder's own data store (a file server) where the Licence Holder is required to store data - in accordance with Standard Records - for all games hosted by the Licence Holder. All Licence Holders are required to establish data storage facilities (SAFE). The Danish Gambling Authority must be able to obtain online access to the Licence Holder's data store.

2. Tamper Token is a security system which aims to ensure that the data saved by the Licence Holder in its SAFE data store remain unchanged while stored by the Licence Holder. Tamper Token will be implemented in the Danish Gambling Authority’s system and handle:
   • Creating keys (tokens) used for calculation of identification codes.
   • Storing identification codes for later control.
   • Ongoing control of compliance with time periods for termination of tokens.
   • Verifying that a retrieved series of data has not been changed in relation to the identification code received.

3. The Problem Gambling Register (ROFUS) is a register of all players in Denmark who have voluntarily requested exclusion - temporarily or permanently - from playing online games in Denmark. The register is located at the Danish Gambling Authority, which is also responsible for keeping the register. It must be possible for all players to register through either the Licence Holder or the Danish Gambling Authority. The register will contain information about all excluded players in Denmark. Prior to opening an account for a new player, the Licence Holder must check that the person in question is not listed in the register. The Licence Holder is responsible for ensuring that players on the register are unable to play.

Together, the three systems will help ensure that:
   • players are able to play online games with approved Licence Holders;
   • Licence Holders are able to legally provide online games in Denmark and prove that they meet statutory requirements; and
   • the Danish Gambling Authority is able to check that online gambling will meet the requirements of current legislation.

3.0 General requirements

As outlined above, the Danish Gambling Authority develops systems to be used in the control of online gambling, and Licence Holders must ensure that they develop gambling systems that are capable of using interfaces to the Danish Gambling Authority’s systems.
This will allow the Danish Gambling Authority to process data and check that online gambling takes place in accordance with regulatory requirements.

It is a requirement that the Licence Holder uses the specified interfaces to the Danish Gambling Authority’s systems developed by the Authority for this purpose and that the Licence Holder sets up a SAFE to which the Danish Gambling Authority will be given access.

To live up to the rules laid out in the new legislation, Licence Holders must satisfy a number of technical requirements in relation to the three systems mentioned. In the sections below, these technical requirements will be specified in greater detail. The requirements are grouped according to the system to which they belong.

4.0 SAFE – The Licence Holder’s data store

The Licence Holder must establish a data store (SAFE) for the storage of gambling data. The Licence Holder must transfer and save gambling data in the data store according to Standard Records. The Licence Holder must store gambling data in SAFE for 12 consecutive months and data from a further 48 months must be stored on a digitally readable medium.

Data transfer is done over the internet with FTPS. The Licence Holder must establish a suitable connection to secure an unproblematic transfer of data.

4.1 Technical requirements for SAFE

1. SAFE must be established on a separate server, which is physically detached from the Licence Holder’s gambling system.
2. Data stored in SAFE must be separated logically and safely from any other data.
3. The Licence Holder must ensure the necessary backup of all data. SAFE and the backup of SAFE must be geographically separated. In addition, the data storage on a digitally readable medium must be geographically separated from the backup of the data thus stored.
4. SAFE must meet the same safety requirements as the gambling system. The requirements will be set during the application procedure.
5. The Licence Holder must ensure that the Danish Gambling Authority will have online access to retrieving gambling data from SAFE. The Licence Holder must establish access to SAFE via a secure connection as defined in the service description.
6. The folder structure in SAFE must be built up on the basis of the structure specified by the Danish Gambling Authority. The folder structure may be found at www.spillemyndigheden.dk.
7. Data stored in SAFE must have been saved in accordance with the specified Standard Records. The specification of Standard Records may be found at www.spillemyndigheden.dk.
8. Data stored in SAFE must be zipped in accordance with the directions for service usage. The directions may be found at www.spillemyndigheden.dk.
9. The Licence Holders must document that their respective SAFE systems comply with the requirements defined.
10. SAFE must be available 24/7, 365 days a year, and there should be a guaranteed uptime of at least 98.5 %.
11. Licence Holders are responsible for the operation of their own SAFE systems.
12. For the Danish Gambling Authority to access SAFE using FTPS, the Licence Holder must place a certificate on the FTPS connection. The certificate must be issued by one of the following Certificate Authorities: VeriSign, Thawte, Geotrust, GoDaddy, Comodo.
13. The Danish Gambling Authority will access SAFE from these IP addresses: 91.230.68.13, 91.230.68.190, 194.239.239.10, 194.239.239.30, 194.239.239.31, 194.239.239.32, 194.239.239.33, 194.239.239.34. The Licence Holder must open SAFE for access from those IP addresses.
14. The Licence Holder must configure SAFE such that the following connection is possible: The Danish Gambling Authority must be able to access SAFE with implicit FTPS (FTP-SSL) in passive mode on port 990 (control). A port range between 40.000 and 50.000 should be used for the data ports. The Licence Holder may use a smaller port range as long as it is within the two limits.

4.2 Use case and process for retrieving data from SAFE

The Licence Holder must develop an interface for its SAFE that will allow the Danish Gambling Authority to access the SAFE to retrieve data. The required functionality for this interface is described in the ‘use case’ below. The case may be used in the development of the interface.
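Items 13 and 14 of section 4.1 can be checked mechanically against a planned SAFE configuration. The following is an added example, not part of the Danish Gambling Authority's document: the configuration schema, the function name and the sample configurations are assumptions, and the last check (firewall entries wider than the listed addresses) is a least-privilege addition that the document does not require.

```python
import ipaddress

# Values taken from section 4.1, items 13 and 14, of the document.
AUTHORITY_IPS = [
    "91.230.68.13", "91.230.68.190", "194.239.239.10", "194.239.239.30",
    "194.239.239.31", "194.239.239.32", "194.239.239.33", "194.239.239.34",
]
CONTROL_PORT = 990
DATA_PORT_MIN, DATA_PORT_MAX = 40000, 50000


def check_safe_ftps(config):
    """Return a list of (item, message) findings for a SAFE FTPS configuration.

    `config` uses a hypothetical schema (not any real FTP server's format):
    control_port, tls_mode, passive_mode, passive_ports as (low, high), and
    allow_from as a list of addresses or CIDR blocks the firewall admits.
    An empty result means items 13 and 14 are satisfied.
    """
    findings = []

    # Item 14: implicit FTPS in passive mode on control port 990.
    if config.get("control_port") != CONTROL_PORT:
        findings.append(("14", "control port must be %d, found %r"
                         % (CONTROL_PORT, config.get("control_port"))))
    if config.get("tls_mode") != "implicit":
        findings.append(("14", "TLS mode must be implicit, found %r"
                         % config.get("tls_mode")))
    if not config.get("passive_mode"):
        findings.append(("14", "passive mode must be enabled"))

    # Item 14: data ports inside 40000-50000 (a smaller range is allowed).
    low, high = config.get("passive_ports", (0, 0))
    if low > high or low < DATA_PORT_MIN or high > DATA_PORT_MAX:
        findings.append(("14", "passive port range %d-%d is outside %d-%d"
                         % (low, high, DATA_PORT_MIN, DATA_PORT_MAX)))

    # Item 13: every listed Authority address must be admitted.
    networks = [ipaddress.ip_network(entry, strict=False)
                for entry in config.get("allow_from", [])]
    authority = [ipaddress.ip_address(ip) for ip in AUTHORITY_IPS]
    for addr in authority:
        if not any(addr in net for net in networks):
            findings.append(("13", "%s is not admitted to SAFE" % addr))

    # Added hardening check (not in the document): flag firewall entries that
    # admit addresses beyond the ones the Authority lists.
    for net in networks:
        extra = net.num_addresses - sum(1 for addr in authority if addr in net)
        if extra:
            findings.append(("advisory", "%s admits %d addresses that are not "
                             "on the Authority's list" % (net, extra)))
    return findings


# Constructed sample configurations for illustration.
GOOD = {
    "control_port": 990, "tls_mode": "implicit", "passive_mode": True,
    "passive_ports": (40000, 40100), "allow_from": list(AUTHORITY_IPS),
}
BAD = {
    "control_port": 22, "tls_mode": "explicit", "passive_mode": True,
    "passive_ports": (39000, 41000),
    "allow_from": ["91.230.68.0/24", "194.239.239.10/32"],
}

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(name)
        for item, message in check_safe_ftps(cfg) or [("ok", "no findings")]:
            print("  [%s] %s" % (item, message))
```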
UC 2.1 Retrieve Standard Records from SAFE

Purpose: The Danish Gambling Authority must carry through periodic control of completed and ongoing games based on Standard Records. The Standard Records are placed in the structure specified by the Danish Gambling Authority. To retrieve Standard Records the Danish Gambling Authority must be logged on to SAFE. When the transfer of data has been ended, the Danish Gambling Authority must log out of SAFE.

Frequency: As required.

Actors: The Danish Gambling Authority

Starting conditions: The Danish Gambling Authority is a recognised user (user name/password) on SAFE.

Main path (Actor | Solution | Service/Service operations)

Step 1: Log on to SAFE
   Actor: The actor requests access to data in SAFE by opening an FTPS connection.
   Solution: The solution asks the actor for a user name and password.
Step 2: Access to SAFE provided
   Actor: The actor gives correct user name and password.
   Solution: Access to SAFE has been provided.
Step 3: Retrieve Standard Records from SAFE
   Actor: In the file structure the actor locates the Standard Records necessary for control and decides to download them.
   Solution: SAFE starts download and transmits the requested data.
Step 4: Repeat step 3
   Actor: The actor repeats step 3 if necessary.
Step 5: Log out of SAFE
   Actor: The actor chooses to log off from the FTPS connection.
   Solution: The solution logs out the actor and interrupts the connection.

Concluding conditions: The Danish Gambling Authority has access to SAFE, has received the data transferred and logged off after the ending of the transfer.

Notes:

Service description:
The process to be used by the Danish Gambling Authority when retrieving data from SAFE is illustrated and described below.

[Flow chart – retrieve Standard Records. Swimlanes: Gambling Authority, Licence Holder]

Process survey – Danish Gambling Authority

Process name: UC 2.3 Retrieve Standard Records from SAFE
Process owner: Danish Gambling Authority
Process stakeholders: Licence Holders and Danish Gambling Authority

Purpose of the process: The purpose of the process is to ensure that the Danish Gambling Authority can retrieve data from the Licence Holder’s SAFE. The process is to be used when the Danish Gambling Authority wants to retrieve data from SAFE to be used in its control of online gambling.

Process interfaces: FTPS access

Input (start): The process starts when the Danish Gambling Authority requests access to SAFE giving its user name and password. SAFE has been set up by the Licence Holder to provide access for the Danish Gambling Authority.

Output (end): The process ends when the Danish Gambling Authority has obtained the requested data and has logged off SAFE.

Description of process flow (activities)

No. Description
1. The Danish Gambling Authority requests access to SAFE.
2. The Danish Gambling Authority ‘fills in’ its user name and password.
3. The system validates user name and password.
4. If the user name and password are not valid, access to SAFE is denied.
5. If the user name and password are valid, the system grants access to viewing data in SAFE and download may be commenced.
6. Data are transferred to the Danish Gambling Authority’s database.
7. The Danish Gambling Authority logs off SAFE FTPS.
8. SAFE logs off the Danish Gambling Authority.

5.0 Interface to security system – Tamper Token

The Danish Gambling Authority implements a security system – Tamper Token. The purpose of the Tamper Token system is to ensure that data, i.e. Standard Records, will remain unchanged while they are stored in SAFE at the Licence Holder’s end. Tamper Token will handle the following functions:
   • Creation of keys (tokens) to be used in the calculation of the MAC (Message Authentication Code)
   • Storage of MACs for later control
   • Continuous control to check that the period of time for terminating tokens is observed
   • Verifying that a retrieved series of Standard Records has not been altered relative to the received MAC

The frequency of the issue of the Tamper Token will be agreed in the course of the application process. The agreed frequency may be adjusted later based on a specific assessment in relation to the particular Licence Holders.

5.1 Technical requirements in relation to Tamper Token

The Licence Holder must retrieve a token at the designated frequency (e.g. once every 24 hours). The token must be used when saving data based on Standard Records in SAFE. For that purpose the Danish Gambling Authority will develop a service named “TamperTokenAnvend” which has two operations:

1. TamperTokenHent: The operation must be used when the Licence Holder has to retrieve a token.
2. TamperTokenLuk: The operation must be used when the Licence Holder has to finish a token.

It is a requirement on the Licence Holder that a token is terminated within the defined period of time.

The descriptions of the particular services are published on the Danish Gambling Authority’s website very soon (www.spillemyndigheden.dk).
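The four Tamper Token functions listed in section 5.0 can be modelled in a few lines. This is an added sketch, not part of the Authority's document and not the real TamperTokenAnvend interface: HMAC-SHA-256, the chaining of the MAC over the record series, the time handling and every class and function name are assumptions, since the actual algorithm is defined in the Authority's service descriptions.

```python
import hashlib
import hmac
import secrets


def series_mac(key, token_id, records):
    """Chained HMAC-SHA-256 over an ordered series of records (assumed scheme).

    Each step covers the previous MAC plus the next record, so altering,
    reordering, dropping or appending a record changes the final value.
    """
    mac = hmac.new(key, token_id.encode(), hashlib.sha256).digest()
    for record in records:
        mac = hmac.new(key, mac + record, hashlib.sha256).digest()
    return mac


class TokenAuthority:
    """Toy stand-in for the Authority side of Tamper Token (hypothetical API)."""

    def __init__(self, max_open_seconds):
        self.max_open_seconds = max_open_seconds
        self._tokens = {}  # token_id -> {"key", "issued_at", "mac"}

    def issue(self, now):
        """Create a key (token) for MAC calculation; models 'retrieve a token'."""
        token_id = secrets.token_hex(8)
        key = secrets.token_bytes(32)
        self._tokens[token_id] = {"key": key, "issued_at": now, "mac": None}
        return token_id, key

    def close(self, token_id, mac, now):
        """Store the MAC for later control; models 'finish a token'.

        Returns True if the token was terminated within the allowed period.
        """
        token = self._tokens[token_id]
        if token["mac"] is not None:
            raise ValueError("token already closed")
        token["mac"] = mac
        return now - token["issued_at"] <= self.max_open_seconds

    def overdue(self, now):
        """Tokens still open after the period for terminating them has passed."""
        return [tid for tid, token in self._tokens.items()
                if token["mac"] is None
                and now - token["issued_at"] > self.max_open_seconds]

    def verify(self, token_id, records):
        """Check a retrieved series of records against the stored MAC."""
        token = self._tokens[token_id]
        if token["mac"] is None:
            return False
        expected = series_mac(token["key"], token_id, records)
        return hmac.compare_digest(expected, token["mac"])


if __name__ == "__main__":
    # Constructed sample data; times are plain seconds for determinism.
    authority = TokenAuthority(max_open_seconds=24 * 3600)
    token_id, key = authority.issue(now=0)
    records = [b"record-1", b"record-2", b"record-3"]

    # Licence Holder side: MAC the series written under this token, then close.
    in_time = authority.close(token_id, series_mac(key, token_id, records), now=3600)
    print("closed in time:", in_time)

    # Authority side, later: records retrieved from SAFE are re-checked.
    print("intact series:", authority.verify(token_id, records))
    tampered = [b"record-1", b"record-2 (edited)", b"record-3"]
    print("edited series:", authority.verify(token_id, tampered))
```

Because the Authority stores the MAC when the token is closed, a change made to the stored records afterwards no longer matches, even though the Licence Holder held the key while the token was open.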
6.0 Interface to the Problem Gambling Register (ROFUS)

In connection with the introduction of the new Gambling Regulation Act, a legal requirement has been introduced to ensure that it is possible for a player to opt for exclusion – temporarily or permanently – from being able to play online games in Denmark. The Danish Gambling Authority is the data controller. It must be possible for players to register both via the Danish Gambling Authority and via the Licence Holder’s website.

The register must include data about all players in Denmark who wish to exclude themselves from playing online games in Denmark. The information held in the register must include:
   a. The Licence Holder’s name (from which a player has chosen exclusion temporarily or permanently).
   b. The player’s civil registration number.
   c. The date and hour of exclusion.
   d. The date when temporary exclusion ends (only if the exclusion is temporary).

A player who has been entered in the register as permanently excluded may always, but not earlier than one year from the date of entry on the register, ask a Licence Holder or the Danish Gambling Authority to be deleted from the Register.

In connection with the Problem Gambling Register, the Licence Holder must meet a number of requirements for functions that must be made available to players. The Licence Holder must make the following options possible:
   • A player can request exclusion and registration in the Problem Gambling Register via a link on the Licence Holder’s website.
   • A player’s status is checked against the Problem Gambling Register in connection with account opening and all account logins.
   • A player’s civil registration number is checked before he opens an account.

6.1 Technical requirements in connection with the Problem Gambling Register

The Danish Gambling Authority will develop the following services to be used for registration on the Problem Gambling Register.

1. GamblerCheck – a service to be used when a player wants to open an account and for each login.
2. GamblerCSRPValidation – a service to be used to check a player’s age prior to account opening. The service also returns an answer as to whether the player’s civil registration number exists. This answer is not to be used, as the player’s identity is checked with NemId.

Descriptions of the particular services are published on the Danish Gambling Authority’s website www.spillemyndigheden.dk.

The processes to be used for opening accounts and for login are illustrated and described below in a flow chart and a process survey, respectively, to give precise information about the functions to be developed by the Licence Holder in order to enable the process to be carried through. The Licence Holder is under an obligation to make this option available.
6.2 Inquiry to ROFUS upon account opening and account login

To gamble on a Licence Holder’s website players must have an account. New players must open a new gambling account and existing players must log onto their gambling accounts before being allowed to play.

6.2.1 Inquiry to ROFUS when accounts are opened

This section describes the process for an inquiry to the Problem Gambling Register when a new player opens an account. The process is illustrated by a flow chart and subsequently described step by step in a Process survey. The purpose is to give precise information about the functionalities the Licence Holder must develop to allow this process to be carried through.

When a new player wants to open an account on the Licence Holder’s website, the Licence Holder must check, before the account opening has been completed, the player’s identity via NemId, the player’s age and whether the player is registered on the Problem Gambling Register. If the player cannot log in via NemId, the player is younger than 18 years old or the player is registered on the Problem Gambling Register, a player cannot open an account.

The process for inquiries to the Problem Gambling Register when an account is opened is illustrated and described below.

[Flow chart – account opening: Inquiry to the Problem Gambling Register. Swimlanes: Licence Holder, Gambling Authority. Boxes:]
1. Player opens new account
2. Checking of player’s age against CSRP
3. Is the player older than 18 years?
4a. Player cannot open an account
4b. Inquiry sent to Problem Gambling Register to check if the player is registered as excluded
5. Checking of whether the player is registered in the Problem Gambling Register as excluded
6. Excluded?
7a. Deny opening of new account
7b. Open new account

Process survey – Danish Gambling Authority

Process name: UC 1.3 Query about a person to the Problem Gambling Register
Process owner: Danish Gambling Authority
Process stakeholders: Licence Holders and Danish Gambling Authority

Purpose of the process: The purpose of the process is to ensure that the Licence Holder can make inquiries to the Problem Gambling Register when a player opens a new gambling account. If the player cannot log in via NemId, or if the player is younger than 18 years, or the player is registered on the Problem Gambling Register a new account cannot be opened. The process must be used each time a player wants to open an account with the Licence Holder.

Input (start): The process starts when the player decides to open a new account via a link on the Licence Holder’s website. Player is logged in via NemId.

Output (end): If the player could log in via NemId, if the player is not younger than 18 years old, and the player is not registered on the Problem Gambling Register the process ends with the player having opened a (temporary) account and being able to gamble on the Licence Holder’s website. If the player cannot log in via NemId, if the player is younger than 18 years old, or the player is registered on the Problem Gambling Register the process ends with denial of the opening of an account.

Description of process flow (activities)

No. Description
1. The player keys in the necessary information and chooses ”ok”.
2. It is checked in the CSRP registry if the player is younger than 18 years.
3. The CSRP registry processes the inquiry.
4a. If the player is younger than 18 years, this is reported back to the Licence Holder/player. Account opening is denied.
4b. If the player is not younger than 18 years, the Licence Holder will make an inquiry to the Problem Gambling Register to check if the player is registered as excluded.
5. The Problem Gambling Register processes the inquiry. If the Problem Gambling Register does not respond it will not have any suspending effect. The lack of response may therefore be considered to mean that the player is not excluded and the process continues to step 6b.
6a. If the player is excluded, the opening of an account is denied on the Licence Holder’s website.
6b. If the player is not excluded a temporary account will be opened.
6.2.2 Process description – inquiry to ROFUS upon account login

This section describes the process for an inquiry to the Problem Gambling Register upon a player’s account login. The process is illustrated by a flow chart and then described step by step in a Process survey. The purpose is to give precise information about the functions which the Licence Holder must develop to enable this process to be carried through.

When an existing player wants to log into his/her gambling account on the Licence Holder’s website, the Licence Holder must check, before the login has been carried through, whether the player has been registered on the Problem Gambling Register since his/her last login. If so, the player cannot log into his/her account because it has been either deactivated or closed.
The process when an inquiry is made to the Problem Gambling Register upon account login is illustrated and described below.

[Flow chart – account login: Inquiry to the Problem Gambling Register - player login to account. Swimlanes: Gambling Authority, Licence Holder. Boxes:]
1. Player logs in
2. Checking of whether player has registered cooling off period or exclusion from Licence Holder
3. Excluded?
4a./5a. Deny login.
4b. Inquiry transmitted to the Problem Gambling Register to check if player is registered as excluded
5. Excluded?
5b. Allow login

Process survey – The Danish Gambling Authority

Process name: UC 1.3 Inquiry about a person to the Problem Gambling Register
Process owner: The Danish Gambling Authority
Process stakeholders: Licence Holders and Danish Gambling Authority

Purpose of the process: The purpose of the process is to ensure that the Licence Holder can make inquiries to the Problem Gambling Register when a player logs into his/her gambling account. If the player is registered on the Problem Gambling Register, the account must be deactivated or closed and the player cannot log on. The process must be used each time a player wants to log into his/her account with the Licence Holder.

Input (start): The process starts when the player logs into his/her existing account with the Licence Holder.

Output (end): If the player is not registered on the Problem Gambling Register, the process will end with the player being logged into his/her account and the player can gamble on the Licence Holder’s website. If the player is registered, login and gambling on the Licence Holder’s website will be denied and the account will be deactivated or closed.

Description of process flow (activities)

No. Description
1. The player logs on to his/her account with the Licence Holder.
2. A check is made in the Licence Holder’s system to see if the Licence Holder has registered the player with a cooling-off period or as excluded.
3. The Licence Holder’s system processes the inquiry.
4a. If the player is excluded ‘locally’ in the system of the Licence Holder, login to the account is denied.
4b. If the player is not excluded ‘locally’ in the Licence Holder’s system it is checked against the Problem Gambling Register whether the player is temporarily or permanently excluded (the civil registration number is not checked here because this check was carried out when the account was opened).
5. The Problem Gambling Register processes the inquiry. If the Register does not respond it will not have any suspending effect. The lack of response may therefore be considered to mean that the player is not excluded and the process continues to step 5b.
5a. If the player is excluded the player is denied logon to his/her account and it will be deactivated or closed.
5b. If the player is not excluded, the player is logged into his/her account.
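The account-opening flow (section 6.2.1) and the login flow (section 6.2.2) share one notable rule: a register that does not respond is treated as "not excluded". The following added example, which is not part of the Authority's document, implements both flows with that rule and records each unanswered inquiry so it can be reviewed later; the callables `csrp_is_adult` and `rofus_is_excluded`, the `Decision` tuple and the audit list are assumptions standing in for the real GamblerCSRPValidation and GamblerCheck services.

```python
from collections import namedtuple

# register_answered is None when the register was never asked.
Decision = namedtuple("Decision", "allowed reason register_answered")


def ask_register(rofus_is_excluded, player_id, audit):
    """Query the register stand-in; return (excluded, answered).

    Per the process descriptions, a missing response has no suspending
    effect, so it is treated as 'not excluded'. The audit entry is an
    addition made here so unanswered inquiries stay visible.
    """
    try:
        return bool(rofus_is_excluded(player_id)), True
    except (TimeoutError, ConnectionError) as exc:
        audit.append(("rofus_no_response", player_id, type(exc).__name__))
        return False, False


def open_account(player_id, nemid_ok, csrp_is_adult, rofus_is_excluded, audit):
    """Account opening: NemId, then age via CSRP, then the register."""
    if not nemid_ok:
        return Decision(False, "nemid_login_failed", None)
    # The document defines no-response handling only for the register, so an
    # error from the age check is left to propagate to the caller.
    if not csrp_is_adult(player_id):
        return Decision(False, "under_18", None)
    excluded, answered = ask_register(rofus_is_excluded, player_id, audit)
    if excluded:
        return Decision(False, "excluded_in_register", True)
    return Decision(True, "temporary_account_opened", answered)


def login(player_id, locally_excluded, rofus_is_excluded, audit):
    """Login: local cooling-off/exclusion first, then the register."""
    if locally_excluded:
        return Decision(False, "excluded_locally", None)
    excluded, answered = ask_register(rofus_is_excluded, player_id, audit)
    if excluded:
        # The account is also to be deactivated or closed in this case.
        return Decision(False, "excluded_in_register", True)
    return Decision(True, "logged_in", answered)


if __name__ == "__main__":
    # Constructed stand-ins for the two services; player ids are placeholders.
    def register_down(_player_id):
        raise TimeoutError("no response from register")

    audit_log = []
    print(open_account("PLAYER-A", True, lambda p: True, lambda p: False, audit_log))
    print(open_account("PLAYER-B", True, lambda p: False, lambda p: False, audit_log))
    print(login("PLAYER-C", False, lambda p: True, audit_log))
    print(login("PLAYER-D", False, register_down, audit_log))
    print(audit_log)
```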
7.0 Technical information to be given in the application form

The application for permission will involve a number of requirements for technical information, including information such as:

1. Domain name
2. IP address
3. Address of the location of the gambling system and SAFE
4. Address of the location of backup systems
5. Technical description of the gambling system with an illustration
6. Information about licences in other countries, if any
   - Identification on RNG(s)
   - Gambling software
   - Information about use of a network provider
   - Description of backup systems, including business rules defining how errors etc. will be handled
7. Possible certifications of hardware, software and security
8. Technical contact person

As stated above, the list should not be considered exhaustive and further requirements to be met by the Licence Holder may therefore be added.

8.0 Connection process

The application phase will include a process around the connection to the Danish Gambling Authority’s systems, including testing, exchange of passwords, etc. Further information about this process can be found on the Danish Gambling Authority’s website (www.spillemyndigheden.dk).