Identification of Program Storage Media, and Slot Machine Technical Requirements, Facility Based Monitoring System and Computer Diagnostics, Security Requirements, System Access, and Firewalls  


  • RULE NO: RULE TITLE
    61D-14.044: Identification of Program Storage Media, and Slot Machine Technical Requirements
    61D-14.047: Facility Based Monitoring System and Computer Diagnostics
    61D-14.074: Security Requirements, System Access, and Firewalls
    NOTICE OF CHANGE
    Notice is hereby given that the following changes have been made to the proposed rule in accordance with subparagraph 120.54(3)(d)1., F.S., published in Vol. 32 No. 17, April 28, 2006 issue of the Florida Administrative Weekly.

    The changes are in response to written comments received from interested parties in the pari-mutuel industry, and comments made at a public rule hearing on May 23, 2006.

    61D-14.044 Identification of Program Storage Media, and Slot Machine Technical Requirements.

    (1) through (2) No change.

    (3) The control program shall authenticate all files that are critical to the accurate operation of the slot machine (“critical files”) by employing a hashing algorithm with non-EPROM based slot machines; and a kobetron signature with EPROM based slot machines which produces a “message digest” output of at least 128 bits at minimum, as certified by the licensed independent test laboratory. The message digest(s) shall be stored on a memory device within the slot machine. Message digests which reside on any other medium shall be encrypted, using a public/private key algorithm with a minimum of a 768 bit key or an equivalent encryption algorithm with similar security certified by the licensed independent test laboratory.

    (4) The slot machine shall authenticate all critical files against the stored message digest(s), as required in (3), above. In the event of a failed authentication after the slot machine has been powered up, the slot machine shall immediately enter an error condition with a tower light signal activation and record the details including time and date of the error in the facility based monitoring system a log. This error shall require supervisor intervention to clear. The slot machine shall display specific error information and shall not clear until the file authenticates, following the supervisor intervention, or the medium is replaced or corrected.

    (5) through (7) No change.

    (a) Have the ability to retain data for a minimum of thirty (30) days after power is removed from the slot machine. If a rechargeable battery is used, the battery used to retain power shall recharge itself to its full potential in a maximum of twenty-four (24) hours. The shelf life of the battery used shall be at least five (5) years;

    (b) through (10) No change.

    (11) Slot machines shall be capable of detecting and displaying error conditions and illuminating the tower light for each slot machine. Play of the slot machine shall cease, and the slot machine shall maintain an internal record if the error is for:

    (a) Loss of communication with the facility based monitoring system for longer than 90 minutes;

    (b) No change.

    (c) ROM error, except that if the ROM error disables the tower light, the tower light illumination requirement does not have to be met;

    (d) through (15) No change.

    Specific Authority 551.103(1), 551.122 FS. Law Implemented 551.103(1)(c), (1)(d), (1)(e), (1)(f) FS. History–New _______.

     

    61D-14.047 Facility Based Monitoring System and Computer Diagnostics.

    (1) through (6)(a) No change.

    (b) Encryption of accounting data communications.

    (7) through (9) No change.

    (10) The data contained in the facility based monitoring system shall be backed-up daily and the backup shall be sufficient to reconstruct the entire day’s activity. The backup media shall be stored for a minimum of 120 days either off-site or secured on-site in an industry standard 2-hour fire and water resistant storage device. If the data is stored off-site, the slot machine licensee shall provide the division with the address and telephone number of the off-site storage location saved to a back-up file that shall be updated no less than once every eight hours. The information shall be used in the event of a system wide failure when the facility based monitoring system cannot be restarted in any other way. The facility based monitoring system shall only be reloaded utilizing data contained in the most recent complete back-up that contains at least the following:

    (a) through (12) No change.

    (13) The facility based monitoring system shall not enable the slot machine(s) for play until the control program is authenticated following receipt of any handpay reset or error listed in Rule 61D-14.044(11), F.A.C.

    (14) No change.

    Specific Authority 551.103(1), 551.122 FS. Law Implemented 551.103(1)(d), (1)(e), (1)(i), 551.104(4)(f) FS. History–New _______.

     

    61D-14.074 Security Requirements, System Access, and Firewalls.

    (1) No change.

    (2) Except as provided in this section, the facility based monitoring system shall not allow for remote access. All access to the facility based monitoring system shall be conducted from within the slot machine licensee’s facility. A slot machine licensee shall provide in its system of internal controls a method of providing limited remote access to the facility based monitoring system for a business or person licensed as a business occupational license pursuant to Section 551.107(2)(a)3., Florida Statutes, for performance of maintenance or diagnostics of the facility based monitoring system that cannot be performed by the slot machine licensee’s on-site personnel. The system of internal controls for such remote access shall provide for the following:

    (a) Designation of an officer required to sign for acknowledgement of internal controls in subsection 61D-14.058(4), F.A.C., who shall be responsible for determining the need for remote access to the facility based monitoring system;

    (b) The device or method through which remote access is given shall be taken offline when remote access is not required;

    (c) Limited access to any device or method used to establish remote access including:

    1. A list of persons authorized to modify or enable such a device or method used to establish remote access; and

    2. Storage of any such device or method in a secure location that is not readily accessible to any person other than those listed under subparagraph (c)1.; and

    3. A log with separate entries for each person and the dates and times when the remote access is enabled, disabled or modified.

    (d) Maintenance of a log of each time remote access is provided, enabled, disabled or modified with a separate entry for each of the following:

    1. The specific reason for which remote access was provided to another person or entity;

    2. The name and occupational license number of the employee who authorized remote access to be provided to another person or entity;

    3. The name and occupational license number of the employee of the slot machine licensee who established a remote access connection to the person or entity, if such employee is different from the employee provided in subparagraph (d)2.;

    4. The name and occupational license number of the person and entity with whom remote access is established. If remote access is provided to an employee of a business occupational licensee, the name and occupational license number of both the employee and the business entity shall be entered on the log;

    5. The date and time that remote access is established; and

    6. The date and time that remote access is terminated.

    (e) A written report to be provided to the division in no less than 24 hours after the remote access has been completed which shall include:

    1. The reason that remote access was provided, enabled, disabled or modified;

    2. The name of the employee of the slot machine licensee that authorized the remote access;

    3. The name of the slot machine employee who established the remote access on behalf of the slot machine licensee;

    4. The name of the person and entity with whom remote access was established;

    5. The date and time remote access was established and concluded; and

    6. A narrative report that shall describe:

    A. Each component of the facility based monitoring system that was accessed; and

    B. Whether the remote access was successful in resolving the issue described in subparagraph (d)1.

    (3) Automated ticket redemption machines are only to be used for the purpose of accepting, validating and providing payment for tickets inserted, or converting bills into smaller denominations. Automated ticket redemption machines shall not incorporate other functions. Automated ticket redemption machines shall use a communication protocol that shall not permit the automated ticket redemption machine to write directly to the system database and only process payments based on commands from the system. Automated ticket redemption machines shall meet the slot machine hardware requirements for security and player safety, as set forth in Rule 61D-14.022-044, F.A.C.

    (4) through (10) No change.

    (11) A business occupational licensee who provides maintenance or diagnostic services under this section for a slot machine licensee by remote access shall maintain a log each time remote access is provided by a slot machine licensee with a separate entry for each of the following:

    (a) The specific slot machine licensee;

    (b) The name and occupational license number of the employee of the slot machine licensee who requested remote access;

    (c) The name and occupational license number of the employee of the slot machine licensee who established a remote access connection to the business occupational license, if such employee is different from the employee provided in paragraph (11)(b);

    (d) The name and occupational license number of the employee of the business occupational license who provides services to the slot machine licensee by remote access;

    (e) The date and time that remote access is established; and

    (f) The date and time that remote access is terminated.

    (12) A written report shall be provided by a business occupational licensee that performs maintenance or diagnostic services under (11) to the division at the division’s office located at the slot machine licensee’s facility to whom services were provided by remote access. The report shall be postmarked for no less than 24 hours after the remote access has been completed which shall include:

    (a) The reason that remote access was provided;

    (b) The name of the employee of the slot machine licensee that authorized the access;

    (c) The name of the slot machine employee who established the remote access on behalf of the slot machine licensee;

    (d) The name of the person and entity with whom remote access was established;

    (e) The date and time remote access was established and concluded; and

    (f) A narrative report that shall describe:

    1. Each component of the facility based monitoring system that was accessed; and

    2. Whether the remote access was successful in resolving the issue described in subparagraph (2)(d)1.

    Specific Authority 551.103(1), 551.122 FS. Law Implemented 551.103(1)(d), (1)(g), (1)(i) FS. History–New _______.