The French online gambling market enters the home stretch!
To enter the French market, online gambling operators have to meet many types of requirements: their market plans have to take into account regulatory, marketing and technical constraints.
Dictao, a security software publisher, offers these operators a turnkey technical solution that enables them to easily meet the traceability requirements for gambling data that have been finalized by the ARJEL, the regulatory authority.
The ARJEL-compliant Trusted Solution For Online Gambling And Betting Operators
White Paper
The trusted solution for online gambling operators in France
DICTAO
152 avenue de Malakoff
75116 PARIS, France
Tel.: +33 (0)1 73 00 26 00
www.dictao.com – info@dictao.com
CONTENTS
1 THE REGULATORY FRAMEWORK
1.1 The principles behind introducing competition
1.2 Creation of a regulatory authority and definition of operator regulations
The future regulatory authority's missions
Regulations concerning gambling platforms, organization and services
1.3 The ARJEL licensing procedure
Estimated schedule
Licensing application content
Transition period
2 THE NEED FOR TRUST
2.1 Gamblers
2.2 Operators
2.3 Authorities
3 THE TECHNICAL SOLUTION
3.1 Architecture with a front-end in French territory
3.2 The front-end retrieves and secures traces of transactions
Front-end interface
Capteur
Back-end relay
Vault (upper part of front-end)
3.3 Vault function (upper part of front-end)
A key part of supervisory and monitoring activities
Mandatory FNISA certification
Initialized by the future regulatory authority
Hosted under the responsibility of the operator
4 ARJEL SPECIFICATIONS
4.1 Front-end requirements
General requirements
The capteur
The vault
4.2 Gambling application requirements
4.3 Gambling platform requirements
4.4 Information system maturity requirements
5 DICTAO'S OFFER: A SOLUTION COMPLIANT WITH THE FUTURE AUTHORITY'S REGULATIONS AS OF THE INTRODUCTION OF COMPETITION
5.1 An offer technically based on our D3S solution
Overview of D3S solution
Archiving for legal purposes
Digital vault room layout
5.2 Packaging adapted for online gambling operators
D3S compliance with ARJEL requirements
Managing multiple brands and licenses
User management adapted for online gambling
5.3 Three versions to meet the specific needs of each operator
Publisher offering
Hosted service offering
Turnkey offering with support for integration and obtaining ARJEL licensing
A MESSAGE FROM
JACQUES PANTIN
CEO and Founder of Dictao
In 2010, the French online gambling market will open up to competition
with, in particular, the creation of a regulatory authority, the ARJEL.
To enter the French market, online gambling operators will have to meet
many types of requirements, which means that their market plans will have to take into account
regulatory, marketing and technical constraints.
Dictao, a security software publisher, would like to offer these operators a turnkey technical
solution that enables them to easily meet the traceability requirements for gambling data that are
currently being finalized by the future authority.
Security and trust make up our core area of business. To meet the needs of our clients in the
public (e.g. ministry for the economy, defense segment) and banking sectors (e.g. Banque de
France), and more generally of all stakeholders, we have developed an electronic vault solution,
Dictao Secure Storage Server (D3S), based on the Dictao signature and signature verification tools
that have been qualified and certified at the EAL3+ level of the international Common Criteria
standard. We are currently the only company in Europe to have achieved this level.
Consequently, we believe that the D3S solution will easily fulfill the requirements defined in the
specifications recently published by the authority's pre-configuration mission. We are currently
working to have this product qualified according to a CSPN (Certification de Sécurité de Premier
Niveau) security target, which will allow us to quickly supply a compliant product.
Dictao's offering, based on the D3S solution, will allow online gambling operators to abide by
Article 22 of the French bill on introducing competition to this market, which imposes the use of a
technical device, located in metropolitan France, for traceability purposes:
"Operators shall be required to archive, in real time and on a physical medium located in
France, all data mentioned...All data exchanged between the gambler and the operator
shall pass through this medium." (Unofficial translation)
We are already prepared to meet your needs by providing, independently or with our partners, a
high-quality solution that we are committed to bringing into line with the specifications and any
future requirements issued by the regulatory authority, and that can meet the highest objectives in
terms of performance and availability.
As a software solution publisher, we offer Dictao's D3S solution under a paid-up license
agreement based solely on the number of processors chosen for implementation, not on the
number of transactions.
At the same time, we have developed partnerships with a view to offering operators a hosted
turnkey solution that will enable them to directly meet the future authority's requirements at a
fixed annual cost based on the levels of performance and availability requested by the operators.
We can also offer an integration service to develop the capteur function required for tracing
"gambler/operator" data streams, and support in compiling the technical documentation that must
be included in the licensing application submitted to the future authority.
By building on our competencies – which we consider unique in the security industry – and our
expertise in electronic vault functions in particular, we are pleased to offer, independently or with
our partners, the technical solution best suited to your needs. We look forward to developing a
long-term partnership with you.
This latest version of our white paper has been updated to reflect the specifications recently
published by the future authority.
Jacques Pantin, CEO and Founder of Dictao
1. THE REGULATORY FRAMEWORK
1.1 THE PRINCIPLES BEHIND INTRODUCING COMPETITION
Faced with the risks involved in gambling and games of chance for both citizens and society,
France made the choice to carefully open the online gambling market to competition by limiting
the supply side, at least initially, and by aiming to monitor operations as necessary. Online
gambling operators wishing to enter the French market must obtain a license from the online
gambling regulatory authority (the ARJEL).
Under the bill on introducing competition into the online gambling market, the French government
will only grant operating licenses to companies who meet the conditions set out by the law. The
main objectives of these conditions are to ensure the:
• Protection of gamblers (preventing both addiction and access of minors to the gambling
sites);
• Integrity, security, reliability and transparency of gambling activities;
• Prevention of fraud and money laundering;
• Preservation of tax resources.
The bill specifies the following operating conditions as part of the strategy to carefully open the
French online gambling market:
• A licensing system must be in place;
• A regulatory authority, the ARJEL, must be established; its activities shall include:
o Processing license applications;
o Supervising and monitoring the gambling operations;
• Three types of gambling will be open to competition: pari-mutuel betting on horses, sports
pools and non-banking games (poker);
• Licensed operators must have a .fr site for gamblers based in French territory;
• Operators must provide data to the authority for supervisory and monitoring purposes;
• A certain subset of these data must be archived on a secure medium located in
metropolitan France.
1.2 CREATION OF A REGULATORY AUTHORITY AND DEFINITION OF
OPERATOR REGULATIONS
The future regulatory authority's missions
Initially, the main roles of the future authority will be examining the license applications, checking
whether candidates meet all the requirements and issuing licenses.
The ARJEL will be organized such that it can effectively carry out other roles:
• Defining the technical specifications for gambling platforms and software, which it must
also approve;
• Verifying the certification eligibility of licensed companies over time;
• Supervising online gambling and betting operations;
• Contributing to the prevention of fraud and unauthorized sites.
Regulations concerning gambling platforms, organization and services
Authorized gambling services will be limited to:
• Sports pools for competitions included in a catalog compiled by the authority; bets can
only concern the outcome of these sporting events;
• Betting on horse races included in a catalog compiled by the authority; only pari-mutuel
bets will be authorized;
• Non-banking games; at first only Texas Hold'em poker will be allowed.
The future regulatory authority will establish rules for licensed operators based on the following
principles:
• The obligation to generate a profit;
• A maximum player rate of return;
• The prohibition of underage gambling;
• Taxation on bets;
• The respect of gambling bans;
• The mandatory presence of moderators;
• Transparency with regard to partners and sub-contractors;
• Advertising guidelines;
• Guidelines regarding the marketing actions that operators may use to attract and retain
clients;
• Regular reporting on responsible gambling, and prevention of fraud and money laundering.
Once it is created, the future regulatory authority will formalize technical specifications for
gambling platforms (a draft version is currently available) with which operators must comply. Such
specifications include:
• A site dedicated to the French market, with an address ending in ".fr";
• A "front-end" for archiving gambling traces in France in real time;
• The conditions for guaranteeing secure hosting and operation.
The ARJEL's pre-configuration mission published this first version of the specifications on March 1,
2010.
Companies that obtain licenses will have one year to be certified by a recognized audit firm as
meeting the requirements defined in the specifications.
1.3 THE ARJEL LICENSING PROCEDURE
Estimated schedule
• October 13, 2009: Vote at first reading (Assemblée Nationale)
• February 24, 2010: Vote at first reading (Sénat)
• March 30, 2010: Adoption at second reading (Assemblée Nationale)
• Early April 2010: Promulgation of the law; creation of the ARJEL
• Mid-April 2010: Publication of orders respecting the application of the law
• Early May 2010: Submission of licensing applications
• Early June 2010: Licensing of first batch of operators by the ARJEL; actual introduction of competition into the market
This schedule should enable the first operators to legally provide gambling services on the French
market by the 2010 FIFA World Cup.
Licensing application content
The specifications list all the elements that an operator applying for licensing must provide:
• Personal information (e.g. identity, address, legal sanctions, business names);
• Economic, financial and accounting information (e.g. balance sheet, fiscal representative);
• Gambling site (e.g. description of .fr site, advertising, affiliations);
• Gambling operations offered (e.g. types of gambling, general terms of business);
• Gambler accounts (e.g. registration, provisional accounts, funding to and withdrawal from
accounts);
• Prevention of fraud and money laundering;
• Prevention of addiction;
• Prevention of conflicts of interest (e.g. sponsoring a team or competition);
• Information system (IS) architecture (e.g. front-end and vault, approval of software
applications, audit reports, maturity, compliance with specifications).
According to the licensing procedure announced by the ARJEL, it will respond to licensing
applications within four months of submission. If the ARJEL expects this to be the normal
turnaround time for processing applications, we presume that the first batch of applications will
be processed in a shorter period of time to allow a limited number of operators to provide legal
online gambling services for the 2010 FIFA World Cup.
Transition period
The specifications allow for a transition period during which some of the front-end specifications
may not be met.
During this period, which may last a maximum of six months following licensing by the ARJEL, the
authority may exceptionally agree to allow operators to trace only the following in the front-end:
• Gambler account data; and
• Either (to be chosen by the operator):
o Betting/game data (placing of bets, sequence of actions in a poker game); or
o Financial data.
In all cases, data that the operator chooses to not trace directly on the front-end must be sent to
the ARJEL by some other means for the duration of the transition period.
2. THE NEED FOR TRUST
2.1 GAMBLERS
Gamblers open gambling accounts with operators, entrust them with money, make bets in the
hopes of winning with certain odds, and play against other gamblers. They must be able to trust
the operator with whom they gamble to be sure they can:
• Recover any amounts initially paid that do not end up being wagered;
• Recover their winnings, whether from a bookmaker or other players (pari-mutuel betting
and poker).
To facilitate the establishment of trusted relationships between multiple gamblers and between
gamblers and operators, gamblers must be able to call on a third party in the event of a dispute to
provide evidence of their transactions. This role of trusted third party will be played by the future
regulatory authority.
2.2 OPERATORS
The data handled by operators are extremely sensitive, in part because they contain personal data
regarding their clients, which must be protected, and in part because these data could be of
strategic interest to their competitors. Operators cannot share these data with a third party unless
they are sure that the third party is completely trustworthy.
2.3 AUTHORITIES
The authorities ensure that the activities undertaken by online gambling operators do not
jeopardize social or public order. They must be able to draw on reliable control data to monitor for
money laundering and fraudulent or criminal activity, and to ensure the protection of minors and
persons at risk. Furthermore, authorities use these reliable data to check the tax bases of French
operators.
Consequently, the future authority must be able to track all relevant operations between operators
and gamblers in such a way that it can, if necessary, re-create them.
3. THE TECHNICAL SOLUTION
3.1 ARCHITECTURE WITH A FRONT-END IN FRENCH TERRITORY
Article 22 of the French bill on introducing competition to the online gambling market imposes the
use of a technical device located in metropolitan France:
"Operators shall be required to archive, in real time and on a physical medium located in
France, all data mentioned...All data exchanged between the gambler and the operator
shall pass through this medium." (Unofficial translation)
In practice, this article translates into the use of a "front-end" that must be hosted in France. The
front-end is a server that can be accessed at an address ending in ".fr". The bill stipulates that
data exchanged between gamblers and operators must flow through this server and be recorded
so that the regulatory authority can, if necessary, examine it. The architecture can be represented
as follows:
[Figure: Simplified architecture]
The .fr front-end server is the technical representation of the trusted third party required for
online gambling in France.
3.2 THE FRONT-END RETRIEVES AND SECURES TRACES OF TRANSACTIONS
The front-end intervenes without interrupting the data stream. It must allow gambling operators
to manage a French interface for gamblers, manage the various regulatory displays, execute the
traceability functions required by the bill, and efficiently manage relations with their "back offices".
As shown in the diagram below, there are four main modules within the operator's .fr front-end:
the front-end interface, the capteur, the back-end relay and the electronic vault. The first three
make up the lower part of the front-end.
The electronic vault function is run independently of the gambling operator's business, and is used
to protect traces over a long period of time. This is the upper part of the front-end.
[Figure: The electronic vault stores and protects traces from the information collected by the capteur]
Front-end interface
In standard web architecture, this is the presentation layer. This module implements the gambling
site interface in French, including all the moderators required by the future authority (e.g. pop-ups, warnings).
Capteur
This module is required by the bill. It must allow operators to retrieve data relevant to monitoring
and supervisory activities from the requests sent by gamblers to the presentation layer. The nature
and format of the data traced (XML) is imposed by the future authority. This means that the
capteur module will also have to format the retrieved data according to the specifications.
Back-end relay
This module transfers the transactions initiated by gamblers to the operator's back-end gambling
engines. It establishes the secure link between the front-end in France and the operator's IS, which
may be located outside of France. As with the front-end interface, it is very important that this
module not be the weak link in terms of performance and availability.
Vault (upper part of front-end)
The vault module collects the traces produced by the capteur to preserve them in a secure
manner. This module is essential for the purposes of the bill. If required, the future authority must
be able to access the electronic vault either on site or remotely.
3.3 VAULT FUNCTION (UPPER PART OF FRONT-END)
A key part of supervisory and monitoring activities
The future regulatory authority will supervise and monitor operators' activities, a role that relies on
the transaction traces preserved in the electronic vault. Should an operator and a gambler, or an
operator and the regulatory authority, disagree on some point, these data shall be regarded as
official. They must therefore be completely reliable and admissible in a court of law.
Mandatory FNISA certification
The French Network and Information Security Agency (FNISA) is the national reference body for IT
security. The future regulatory authority will impose a security target for the electronic vault,
which the FNISA will use as criteria in the CSPN first-level security certification process for
approving the vault application used.
Initialized by the future regulatory authority
The electronic vault must be initialized by the future regulatory authority. The authority will certify
the generation of the secrets, before logically and physically sealing the vault. This initialization
operation is what makes it possible to guarantee the security of data preserved in the vault.
Hosted under the responsibility of the operator
The electronic vault constitutes part of the operator's infrastructure. Consequently, the operator is
responsible for hosting it, or finding a host for it, under satisfactory perimeter security conditions.
The operator is responsible for ensuring that the electronic vault functions correctly.
4. ARJEL SPECIFICATIONS
On March 1, 2010, the ARJEL's pre-configuration mission published a first version of the detailed
specifications with which the IS of operators licensed in France must comply.
4.1 FRONT-END REQUIREMENTS
General requirements
• The front-end shall be located in metropolitan France;
• The front-end shall rely on a highly available architecture;
• Only data transmitted from the gambler to the operator may be traced, such that the data
correspond to the gambler's perception of how the bet was placed or how the poker game
played out;
• The front-end shall operate without interrupting the data stream;
• Data streaming from French IP addresses or gamblers registered as French citizens shall be
redirected towards this front-end.
The capteur
• The capteur shall retrieve data corresponding to gambling or betting actions to create
traces in the vault;
• The annex to the specifications provides a detailed definition of the XML format expected
for each type of poker, horse-racing and sports betting events that shall be traced;
• Only data related to gambling events shall be traced. Consequently, most presentation
data, such as images, shall not be traced;
• The capteur shall prepare the data to be traced and submit them to the vault after receiving
acknowledgment of correct processing from the gambling platform.
The vault
• The vault shall guarantee the integrity and completeness of archived data;
• Access to the vault part of the front-end shall be controlled using strong authentication
mechanisms;
• Data stored in the vault shall be encrypted such that only the ARJEL can read them;
• The vault shall have CSPN certification covering:
o Submission or injection of recorded data;
o Modification of recorded data;
o Theft of data;
o Denial of service;
o Strong authentication of users and administrators;
o Event chaining;
o Event encryption;
o Signature of events;
• Only the ARJEL shall be able to manage profiles and users for this vault. ARJEL
representatives acting on behalf of the authority shall define this configuration during a
Key Ceremony to initialize the vault;
• Storage spaces shall be compartmentalized to separate:
o Configuration data from stored gambling data;
o Data related to the different ARJEL licenses;
• The cryptographic functions shall respect the general security framework (RGS)
recommendations;
• The electronic signature shall, by a certain time, meet the XAdES-T standard;
• The ARJEL shall be able to remotely access the vault to:
o Consult traces based on a specific time frame;
o Synchronize with data stored in the vault;
• On site, the ARJEL shall be able to copy all data from the vault onto a removable medium;
• For performance purposes, the vault shall be able to cryptographically process recorded
data in batches.
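The vault requirements listed above (event chaining, signature of events, integrity and completeness of archived data, cryptographic processing in batches) can be illustrated with a hash-chained trace log that is sealed once per batch. This is an added example, not Dictao's D3S code and not taken from the ARJEL specifications: the class and function names, the key and the trace strings are constructed, HMAC-SHA256 stands in for the XAdES-T electronic signature, and encryption of the data for the ARJEL is not shown.

```python
import hashlib
import hmac

GENESIS = bytes(32)  # fixed anchor that the first record chains from

# Constructed sample traces: placeholders, not the XML format ARJEL specifies.
SAMPLE_TRACES = [
    '<trace kind="account" player="P-1001" action="open"/>',
    '<trace kind="deposit" player="P-1001" amount="50.00"/>',
    '<trace kind="bet" player="P-1001" event="E-77" stake="10.00"/>',
    '<trace kind="bet" player="P-2002" event="E-77" stake="5.00"/>',
    '<trace kind="result" event="E-77" outcome="home"/>',
    '<trace kind="withdrawal" player="P-1001" amount="20.00"/>',
]


def chain_link(prev: bytes, seq: int, payload: str) -> bytes:
    """Event chaining: SHA-256(previous link || 8-byte sequence number || payload)."""
    return hashlib.sha256(prev + seq.to_bytes(8, "big") + payload.encode("utf-8")).digest()


def seal_tag(key: bytes, first: int, last: int, head_hex: str) -> str:
    """Keyed tag over a batch's range and chain head (HMAC stand-in for a signature)."""
    msg = f"{first}:{last}:{head_hex}".encode("ascii")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class TraceVault:
    """Append-only trace store: every record is chained, every batch is sealed once."""

    def __init__(self, seal_key: bytes, batch_size: int = 3):
        self._key, self._batch_size = seal_key, batch_size
        self._head, self._sealed = GENESIS, 0
        self.records, self.seals = [], []

    def append(self, payload: str) -> int:
        seq = len(self.records)
        self._head = chain_link(self._head, seq, payload)
        self.records.append({"seq": seq, "payload": payload, "link": self._head.hex()})
        if len(self.records) - self._sealed >= self._batch_size:
            self.seal()
        return seq

    def seal(self) -> None:
        """One keyed operation covers the whole pending batch, not one per event."""
        if self._sealed == len(self.records):
            return
        first, last, head = self._sealed, len(self.records) - 1, self._head.hex()
        self.seals.append({"first": first, "last": last, "head": head,
                           "tag": seal_tag(self._key, first, last, head)})
        self._sealed = len(self.records)


def rechain(records):
    """Recompute all links from the payloads, which needs no key at all."""
    prev, out = GENESIS, []
    for rec in records:
        prev = chain_link(prev, rec["seq"], rec["payload"])
        out.append({**rec, "link": prev.hex()})
    return out


def verify(records, seals, seal_key):
    """Auditor-side check. Returns a list of (code, position); empty means intact."""
    findings, prev = [], GENESIS
    for pos, rec in enumerate(records):
        if rec["seq"] != pos:
            findings.append(("SEQ_GAP", pos))  # a record was removed or reordered
            return findings
        if chain_link(prev, pos, rec["payload"]).hex() != rec["link"]:
            findings.append(("LINK_MISMATCH", pos))  # payload edited in place
        prev = bytes.fromhex(rec["link"])
    expected_first = 0
    for seal in seals:
        tag = seal_tag(seal_key, seal["first"], seal["last"], seal["head"])
        if seal["first"] != expected_first or not hmac.compare_digest(tag, seal["tag"]):
            findings.append(("BAD_SEAL", seal["first"]))  # forged or missing seal
        elif seal["last"] >= len(records):
            findings.append(("MISSING_RECORDS", seal["last"]))  # sealed data is gone
        elif records[seal["last"]]["link"] != seal["head"]:
            findings.append(("SEAL_MISMATCH", seal["last"]))  # chain was rebuilt
        expected_first = seal["last"] + 1
    if expected_first < len(records):
        findings.append(("UNSEALED_TAIL", expected_first))  # not yet covered by a seal
    return findings


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed key for the demo only
    vault = TraceVault(key)
    for trace in SAMPLE_TRACES:
        vault.append(trace)
    print("intact:", verify(vault.records, vault.seals, key))
    tampered = [dict(r) for r in vault.records]
    tampered[4]["payload"] = tampered[4]["payload"].replace("home", "away")
    print("edited in place:", verify(tampered, vault.seals, key))
    print("edited and rechained:", verify(rechain(tampered), vault.seals, key))
```

The chain alone only catches edits made without recomputing the links; it is the keyed seal over each batch head that catches a rebuilt chain, which is why the seal key has to stay out of the operator's reach.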
4.2 GAMBLING APPLICATION REQUIREMENTS
• Gambling applications shall be approved by the ARJEL;
• ARJEL approval includes:
o Supplying the application's source code;
o Supplying the source code for the random-number generator;
o A security vulnerability audit;
o An audit validating the quality of the random-number generator;
o An audit certifying that the application conforms to gambling rules.
4.3 GAMBLING PLATFORM REQUIREMENTS
• The platform shall be located in a country or territory that is not considered a tax haven by
international organizations;
• The platform shall allow the operator to generate activity reports containing aggregate
indicators for the ARJEL;
• The platform shall, by a certain time, interface with the ARJEL's database of banned
gamblers;
• The platform shall have undergone a security audit.
4.4 INFORMATION SYSTEM MATURITY REQUIREMENTS
The operator must prove the maturity of its IS, especially of those aspects related to security. To
do this, the operator's licensing application shall include documentation proving that:
• Administration and operation procedures have been implemented;
• Technical architecture specifications (hardware and software) are met;
• Denial of service protection is implemented;
• CERTA (Centre d'Expertise Gouvernemental de Réponse et de Traitement des Attaques
informatiques, the French IT attack response and processing governmental expertise
center) alerts are monitored and recommendations are observed;
• Administrator access to equipment and applications is controlled;
• Configuration files are updated and their integrity guaranteed;
• Gambling application source codes are provided;
• Data is archived for five years after a gambler account is closed;
• The clock is precise to within 1 sec of UTC time;
• Logs of technical traces are kept;
• User interventions are traceable;
• Physical access to technical locations is secured.
5. DICTAO'S OFFER: A SOLUTION COMPLIANT WITH THE FUTURE AUTHORITY'S REGULATIONS AS OF THE INTRODUCTION OF COMPETITION
5.1 AN OFFER TECHNICALLY BASED ON OUR D3S SOLUTION
Overview of D3S solution
For organizations looking to protect and archive their digital data such that they retain legal value,
Dictao Secure Storage Server, or D3S, is an infrastructure solution that makes it possible to:
• Protect archived electronic data: D3S guarantees data confidentiality and access control
(only authorized persons may access the data);
• Archive data with legal value: D3S guarantees the continuity and intact retrieval of data at
any moment, such that they can be used as evidence in the event of a dispute. To
accomplish this, D3S ensures the authenticity, integrity, traceability and availability of
archived information over the long term.
An industrial solution, D3S has been proven in various contexts, for example at the Banque de France, the
French Ministry of Defense, the French Ministry for the Economy, Industry and Employment (MINEI),
the INPI (French National Institute for Intellectual Property), Cegedim and the Paris chamber of notaries.
D3S is the only solution on the market to be built on components whose quality, security and
regulatory compliance are regularly validated by the FNISA through audits, certification and
recertification at the Common Criteria EAL3+ level.
Dictao is currently working to obtain CSPN certification for D3S early in 2010 so that it meets the
requirements of the future online gambling regulatory authority.
D3S guarantees the following:
• Long-term preservation of archived documents;
• Intact retrieval of certified copies of archives;
• Access control for archived documents;
• Legal value of archives;
• Traceability of actions carried out.
Archiving for legal purposes
Archiving for legal purposes differs from regular storage in that it guarantees the quality and
reliability of the information.
To preserve the legal value of born-digital documents, their authenticity, integrity, accessibility,
readability and durability must be ensured.
Dictao's security and trust functions guarantee the:
• Integrity of archived documents, through electronic signature;
• Confidentiality of these documents, through data encryption and access control;
• Traceability of actions performed (e.g. filing, retrieval, requests for copies);
• Durability of data (e.g. evidence, documents), through periodic re-signing, which makes it
possible to preserve archives for a longer period of time.
Documents archived using this solution have legal value most notably because D3S's key
components are certified at the Common Criteria EAL3+ level. The information retrieved after
archiving can therefore be used as evidence in the event of a dispute.
D3S provides archiving for legal purposes
Digital vault room layout
D3S is organized according to a digital vault room layout, with master electronic vaults that each
contain one or more smaller vaults.
Each of these vaults may be empty or may contain one or more digital items.
The diagram below illustrates how D3S is organized.
Digital vault room layout
D3S is organized according to the following principles:
• Divided into master vaults, each containing several smaller vaults;
• Vaults allocated to a single group of users or shared between multiple groups;
• Request for access to a vault approved by a group of approving officers;
• Integrity, confidentiality, access control, traceability ensured by each vault;
• Notification of document availability.
5.2 PACKAGING ADAPTED FOR ONLINE GAMBLING OPERATORS
D3S was designed to be configurable so that it could be adapted specifically to various client
implementations. To simplify and speed up integration of D3S into online gambling operator
platforms, we offer a pre-configured version that complies with requirements of both the future
authority and operators.
D3S compliance with ARJEL requirements
D3S meets all the ARJEL's requirements, including the main ones presented in the table below.
Requirement | Native support | ARJEL configuration
1 The vault shall guarantee the integrity and completeness of archived data.
2 Access to the vault part of the front-end shall be controlled using strong authentication mechanisms;
3 Data stored in the vault shall be encrypted such that only the ARJEL can read them;
4 The vault shall have CSPN certification. (CSPN certification pending)
5 Only the ARJEL shall be able to manage profiles and users. ARJEL representatives acting on behalf of the authority shall define this configuration during a Key Ceremony to initialize the vault.
6 Storage spaces must be compartmentalized to separate:
• Configuration data from stored gambling data;
• Data related to the different ARJEL licenses.
7 Cryptography shall respect the RGS rules.
8 The electronic signature shall, by a certain time, meet the XAdES-T standard.
9 The ARJEL shall be able to remotely access the vault to:
• Consult traces based on a specific time frame;
• Synchronize with data stored in the vault.
10 On site, the ARJEL shall be able to copy all data from the vault onto a removable medium.
11 For performance purposes, the vault shall be able to cryptographically process recorded data in batches.
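Requirements 1 and 11 above (integrity and completeness, batch cryptographic processing) can be met together by sealing records per batch and chaining the seals. The sketch below is an added example, not Dictao's code and not taken from the ARJEL specification: HMAC-SHA256 stands in for the electronic signature, and the key, record fields and function names are constructed for the illustration.

```python
import hashlib
import hmac
import json

# Added illustration. HMAC-SHA256 stands in for the vault's electronic
# signature; key, field names and records are constructed for the demo.
GENESIS = b"\x00" * 32          # previous-seal value for the first batch
DEMO_KEY = b"constructed-demo-key"


def batch_digest(records: list, prev_seal: bytes, first_seq: int) -> bytes:
    """Hash the chain link, the batch position, the count and every record."""
    h = hashlib.sha256(prev_seal)
    h.update(first_seq.to_bytes(8, "big") + len(records).to_bytes(4, "big"))
    for rec in records:
        data = json.dumps(rec, sort_keys=True, separators=(",", ":")).encode()
        h.update(hashlib.sha256(data).digest())   # fixed-size leaf per record
    return h.digest()


def seal_batch(records: list, prev_seal: bytes, first_seq: int, key: bytes) -> dict:
    """One keyed operation per batch instead of one per recorded event."""
    seal = hmac.new(key, batch_digest(records, prev_seal, first_seq), hashlib.sha256).digest()
    return {"first_seq": first_seq, "records": records, "seal": seal}


def verify_chain(batches: list, key: bytes) -> tuple:
    """Return (True, None), or (False, index of the first batch that fails)."""
    prev, next_seq = GENESIS, 0
    for i, b in enumerate(batches):
        want = hmac.new(key, batch_digest(b["records"], prev, b["first_seq"]), hashlib.sha256).digest()
        if b["first_seq"] != next_seq or not hmac.compare_digest(want, b["seal"]):
            return False, i
        prev, next_seq = b["seal"], next_seq + len(b["records"])
    return True, None


def build_demo_chain() -> list:
    """Three constructed batches of betting events, sealed in order."""
    events = [{"seq": n, "player": f"p{n % 3}", "stake_cents": 100 * (n + 1)} for n in range(5)]
    chain, prev, seq = [], GENESIS, 0
    for size in (2, 1, 2):
        batch = seal_batch(events[seq:seq + size], prev, seq, DEMO_KEY)
        chain.append(batch)
        prev, seq = batch["seal"], seq + size
    return chain
```

Removal of the newest batches is not visible from the chain alone; detecting it requires the latest seal or record count to be held outside the vault.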
Managing multiple brands and licenses
The bill stipulates that online gambling operators will have to obtain different licenses for each
type of gambling they plan to offer: sports pools, horse racing betting and poker. To technically
compartmentalize these licenses, which may be obtained and revoked independently, we can
configure D3S to contain three distinct logical vaults. The technical configuration would then be
perfectly adapted to the operator's license situation.
Some operators may want to market their online gambling platform under multiple brands, or
make their platform available to other operators as a white label product. In our approach, each
brand will be associated with a master vault.
The diagram below shows how D3S can be configured to accommodate multiple brands, by
assigning one master vault to each brand. Each master vault will in turn be configured to contain
smaller vaults corresponding to each type of license obtained.
Example D3S configuration for online gambling
User management adapted for online gambling
D3S user management supports the definition of profiles with restricted rights tailored for each
use scenario. In the online gambling context, the ARJEL's specifications identify different types of
"users" with whom we associate the following profiles in D3S:
• The capteur, the technical component responsible for collecting the data to be traced, is
authenticated to the electronic vault using a "depositor" profile to file information in the
vault. The depositor profile is only authorized to write data to the vault;
• Technical personnel in charge of the daily operation of the electronic vault are
authenticated using an "operational administrator" profile. These people are employed by
the operator or, if the service is hosted, by the hosting service provider. The operational
administrator profile only allows these users to start and stop the electronic vault, add
storage media and query the operation indicators;
• Representatives of the future authority with monitoring and audit responsibilities are
authenticated using a "reader" profile. This profile only authorizes the retrieval of data and
proofs of submission associated with the electronic vault;
• Representatives of the future authority in charge of managing the profiles are
authenticated using an "administrator" profile. This profile only allows these
representatives to configure profiles and attribute them to users.
User management adapted for online gambling
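The four profiles above, combined with one master vault per brand and one smaller vault per license, amount to a deny-by-default permission model. The following is an added example, not D3S code: the operation names, the "brand/license" vault naming and the check for identities that mix operator-side and authority-side profiles are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

# Added illustration: profile, operation and vault names are hypothetical labels.
# Operations each profile may perform, taken from the four profiles above.
PROFILE_RIGHTS = {
    "depositor": {"write"},
    "operational_administrator": {"start", "stop", "add_storage", "query_indicators"},
    "reader": {"retrieve_data", "retrieve_proof"},
    "administrator": {"configure_profile", "assign_profile"},
}
OPERATOR_SIDE = {"depositor", "operational_administrator"}
AUTHORITY_SIDE = {"reader", "administrator"}   # held by ARJEL representatives


def in_scope(granted: str, target: str) -> bool:
    """A grant covers one 'brand/license' vault, or 'brand/*' for a master vault."""
    g_brand, g_lic = granted.split("/")
    t_brand, t_lic = target.split("/")
    return g_brand == t_brand and g_lic in ("*", t_lic)


@dataclass
class VaultRoom:
    grants: dict = field(default_factory=dict)   # user -> [(profile, scope)]
    trace: list = field(default_factory=list)    # every decision is recorded

    def assign(self, actor: str, user: str, profile: str, scope: str) -> bool:
        """Only an identity holding the administrator profile may assign."""
        if profile not in PROFILE_RIGHTS or not self.authorize(actor, "assign_profile", scope):
            return False
        self.grants.setdefault(user, []).append((profile, scope))
        return True

    def authorize(self, user: str, operation: str, vault: str) -> bool:
        """Deny by default: allow only if some grant has the right and the scope."""
        ok = any(operation in PROFILE_RIGHTS.get(p, ()) and in_scope(s, vault)
                 for p, s in self.grants.get(user, []))
        self.trace.append((user, operation, vault, "ALLOW" if ok else "DENY"))
        return ok

    def mixed_side_identities(self) -> list:
        """Flag identities holding both operator-side and authority-side profiles."""
        held = {u: {p for p, _ in g} for u, g in self.grants.items()}
        return sorted(u for u, ps in held.items()
                      if ps & OPERATOR_SIDE and ps & AUTHORITY_SIDE)


def build_demo() -> VaultRoom:
    """Constructed configuration: the Key Ceremony seeds one ARJEL administrator."""
    room = VaultRoom(grants={"arjel-admin": [("administrator", "brandA/*")]})
    room.assign("arjel-admin", "capteur-1", "depositor", "brandA/poker")
    room.assign("arjel-admin", "ops-1", "operational_administrator", "brandA/*")
    room.assign("arjel-admin", "arjel-audit", "reader", "brandA/*")
    return room
```

Denied requests are written to the trace as well as allowed ones, so an attempt by the capteur or an operational administrator to read data leaves a record.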
5.3 THREE VERSIONS TO MEET THE SPECIFIC NEEDS OF EACH OPERATOR
Building on D3S, and in cooperation with our partners, Dictao proposes three offerings for online
gambling operators:
• A publisher offering (vault application), from Dictao's core business area, through which
operators can purchase the product (paid-up license, irrespective of the number of
transactions);
• A hosted service offering, provided jointly with our partners, which allows operators to quickly
meet the technical and organizational front-end requirements;
• A turnkey offering where we provide, with our partners, all the services needed to implement
and operate a .fr site, along with a commitment to comply with all recommendations issued by
the ARJEL's pre-configuration mission.
Publisher offering
Dictao offers operators an electronic vault solution compliant with the future authority's
expectations.
D3S can be purchased in license mode, for unlimited use (regardless of the number of
transactions) under a paid-up license with an annual support and maintenance fee.
Our fee structure is based on the number of processors used, which is determined by the levels of
performance and service quality required by the operator.
Hosted service offering
We have developed a partnership program to offer operators a hosted solution for the .fr website
(complete front-end with capteur and vault).
The cost is related to the capacity installed, but independent of the number of transactions carried
out.
Turnkey offering with support for integration and obtaining ARJEL licensing
We can also offer, with our partners, complete support for complying with French regulations.
• The vault: Dictao's D3S meets all the vault functional and security requirements described
in the ARJEL's technical specifications document. We offer full support including integration
of the application into the operator's IS, whether as a "hosted service" or under a paid-up
software license;
• The capteur: we propose helping the operator define the front-end architecture, carry out
development work for the capteur module and integrate it with D3S;
• Hosting: the gambling platform must be hosted under perimeter security conditions
including following strict procedures. With our partner, we propose a hosting service that
meets these requirements; we can host either the vault only, the entire front-end with the
capteur and the vault, or the entire platform including the gambling engines and back-end
management servers;
• Gambler registration: we work with a partner specialized in registering gamblers that can
process gambler registration on behalf of the operator to ensure that registration complies
with French regulations;
• Payment tools: we can suggest a banking partner that can facilitate the process of setting
up payment tools and a bank account in France;
• IS maturity: the licensing application must include documentation on the entire IS and
associated management procedures. Documentation on the front-end must be especially
detailed. We can help operators compile and write all the technical documents required to
prove the maturity of their IS;
• Corpus of economic, legal and financial documents: as well as providing technical
documentation, the licensing application must prove that the company exists and is
represented in France. We work with a law firm that can guide operators through these
steps of the ARJEL licensing application;
• Audit reports: the licensing application must include security audits on the gambling
applications, random-number generator and entire platform. We work closely with an audit
firm recognized by the FNISA that can certify the quality of operators' solutions.
DICTAO
Dictao is the benchmark publisher of software solutions for strong authentication and electronic
signatures.
We develop and market solutions that provide the functions required to establish security and
trust in an electronic world: client and user authentication, binding electronic signatures and
creation of legally-binding proofs of transaction.
We assist our clients in securing sensitive applications, meeting regulatory constraints and
innovating to increase efficiency and growth.
The tangible results obtained by our clients attest to the value of our products, industry solutions
and expertise.
We support the banking sector in securing online transactions for corporate and individual
banking clients, the public sector in modernizing its administrative procedures (e.g. electronic
procedures), and the industrial world in building extended enterprises (e.g. electronic orders,
invoices).
Dictao is the only publisher whose solution suite is proven in various contexts (e.g. transfer
orders, online contracting, electronic invoicing, online VAT declarations) and certified at the EAL3+
level of the international Common Criteria standard by the French Network and Information
Security Agency (FNISA).
They trust us:
600 financial and lending institutions, including the Banque de France, BPCE (Banque Populaire
Caisse d’Epargne) Group, BNP Paribas, La Banque Postale, LCL and Société Générale; large
industrial companies such as PSA Peugeot Citroën, Total, Alcatel and CMA CGM; French
government bodies such as the Public Finances General Directorate (DGFiP), the Ministry of
Defense, the Direction des Journaux Officiels (DJO), the Agence Nationale des Titres Sécurisés
(ANTS; national agency for secured vehicle registration documents and passports) and the INPI
(National Institute for Intellectual Property).
Dictao's Online Gambling team is available
to provide any additional information required.
info@dictao.com
DICTAO
152 avenue de Malakoff
75116 PARIS, France
+33 (0)1 73 00 26 00
www.dictao.com