La. Admin. Code tit. 42 § XV-1163

Current through Register Vol. 50, No. 11, November 20, 2024
Section XV-1163 - Computer Systems and Sports Wagering Platforms
A. The operator shall use a sports wagering platform to offer, conduct, or operate sports wagering in accordance with the Act and rules set forth by the corporation.
1. The operator shall comply with, and the corporation adopts and incorporates by reference, the Gaming Laboratories International, LLC Standard, GLI-33: Standards for Event Wagering systems and its Appendices, version 1.1 and any future amendments and updates thereto. The GLI-33 standards are intended to supplement rather than supplant other technical standards and requirements under these rules.
2. The operator may provide evidence of compliance with GLI-33 in other states where the operator has an existing sports wagering platform until the operator can certify the sports wagering platform in Louisiana.
3. A sports wagering platform utilized to conduct sports wagering shall meet the specifications of these rules and any additional technical specifications prescribed by the corporation.
B. The operator shall submit all equipment and software utilized with the sports wagering platform to a designated firm approved by the corporation for an initial certification to ensure the sports wagering platform is in operational compliance with the Act, these rules, corporation technical guidelines, and internal controls. The certification report shall, at a minimum, identify system interfaces of service providers and the applicable methods, programs, protocols, and security measures implemented by the operator to ensure compliance.
C. At the discretion of the corporation, additional testing or re-certification of the entire sports wagering platform may be required and shall be completed by a designated firm approved by the corporation. The operator shall incur all costs associated with the testing of the sports wagering platform.
D. Upon placing a sports wager at a sports wagering mechanism, the player shall receive an unalterable virtual or printed wager record (ticket) which shall contain, at a minimum:
1. name of the operator issuing the ticket;
2. the date and time the sports wager was placed;
3. the date and time the sports event is expected to occur;
4. any patron choices involved in the sports wager including, but not limited to:
a. sports wager selection(s);
b. type of sports wager and line postings;
c. any special condition(s) applying to the sports wager;
d. pay out, applicable at the time the sports wager is placed;
5. total amount wagered, including any promotional play if applicable;
6. sports event and market identifiers;
7. a barcode or similar symbol or marking as approved by the corporation, corresponding to the unique wager identifier.
E. A sports wagering platform system that offers in-play wagering shall be capable of the following:
1. the accurate and timely update of odds for in-play wagers;
2. the ability to notify the patron of any change in odds after a wager is attempted that is not beneficial to the patron;
3. the ability for the patron to confirm the wager after notification of the odds change; and
4. the ability to freeze or suspend the offering of wagers, when necessary.
F. A sports wagering platform shall be capable of performing the following functions:
1. creating wagers;
2. settling wagers;
3. reprinting tickets;
4. resettling wagers;
5. voiding wagers;
6. cancelling wagers; and
7. preventing the acceptance of wagers on prohibited sports events.
G. When a sports wager is voided or cancelled, the operator shall clearly indicate that the ticket is voided or cancelled, render it nonredeemable, and make an entry in the system indicating the void or cancellation and identity of the automated process.
H. A sports wagering platform shall prevent past posting of wagers and the cancellation of wagers after the outcome of an event is known.
I. In the event a patron has a pending sports wager and then the operator becomes aware of the patron self-excluding, the wager shall be governed in accordance with the Act, these rules, and internal controls.
J. A sports wagering platform shall periodically perform a self-authentication process on all software used to offer, record, and process wagers to ensure there have been no unauthorized modifications. In the event of an authentication failure, the sports wagering platform operator shall notify the appropriate corporation employees as provided in the internal controls using an automated process. The operator shall notify the corporation of the authentication failure within 24 hours. The results of all self-authentication attempts shall be recorded by the system and maintained for a period of 90 days.
K. A sports wagering platform shall have controls in place to review the accuracy and timeliness of any data feeds used to offer or settle wagers. In the event that an incident or error occurs that results in a loss of communication with data feeds used to offer or redeem wagers, such error shall be recorded in a log capturing the date and time of the error, duration of the error, the nature of the error, and a description of its impact on the system's performance. Such information shall be maintained for a period of two years.
L. The sports wagering platform operator shall provide access to wagering transaction and related data as deemed necessary by the corporation in a manner approved by the corporation.
M. A sports wagering platform shall be capable of preventing any wager in excess of $10,000 or making a payout in excess of $10,000 until authorized by a supervisor, unless pre-approved and in accordance with internal controls.
N. A sports wagering platform shall be capable of recording and storing the following information for each wager made:
1. description of the event;
2. wager selection;
3. type of wager;
4. amount of wager;
5. amount of potential payout or an indication that it is a pari-mutuel wager;
6. date and time of wager;
7. unique wager identifier, which shall be masked on all system menus, printed reports, and displays, except when accessed by users with supervisor or higher authority, for all unredeemed and unexpired wagers;
8. expiration date of ticket;
9. patron name, if known;
10. date, time, amount, and description of the settlement;
11. location where the wager was made;
12. location of redemption;
O. For all sports wagering accounts, a sports wagering platform shall record and maintain the following information:
1. a unique player identification;
2. the player's identity details including, but not limited to: player's legal name; date of birth; and residential address;
3. any self-restrictions;
4. any previous accounts; and
5. the date and location from which the sports wagering account was registered or accessed.
P. The operator shall provide the following information upon demand by the corporation. As appropriate, the information shall include, at a minimum, month to date and year to date:
1. total sports wagering account deposits for the requested period;
2. total sports wagering account withdrawals for the requested period;
3. total sports wagers collected from players; and
4. total winnings paid to players.
Q. A sports wagering platform shall be capable of recognizing valid tickets that contain a duplicate unique wager identifier used for redemption.
R. A sports wagering platform shall be capable of preventing the redemption of any tickets when the data related to tickets has been manually altered outside of the approved system procedures.
S. All servers necessary for the processing of sports wagers, other than backup servers, shall be physically located in Louisiana, and shall be located in a restricted area with adequate security and surveillance in accordance with internal controls and as approved by the corporation. Other servers used in the operation of the sports book may be located outside of the state as long as they are not used to process sports wagers. The corporation may approve of the use of internet or cloud-based hosting of duplicate data or data not related to transactional wagering data upon written request of the operator.
T. All sports wagering mechanisms shall be submitted to a designated gaming laboratory for testing and required certification prior to being placed at a licensed premise. A designated gaming laboratory shall certify that the sports wagering mechanism meets or exceeds the most current corporation approved version of standards for sports wagering mechanisms, or equivalent standards as approved by the corporation, and the standards established by the corporation.
U. System Integrity and Security Assessment
1. The operator of online sports wagering shall upon installation of the sports wagering platform and annually thereafter, perform a system integrity and security assessment of the sports wagering platform and systems which shall be conducted by an independent professional selected by the operator and subject to approval of the corporation. The scope shall include, at a minimum: a vulnerability assessment of digital platforms, mobile applications, internal, external, and wireless networks with the intent of identifying vulnerabilities of all devices, the sports wagering platform, and applications transferring, storing, and/or processing personal identifying information and other sensitive information connected to or present on the networks; a penetration test of all digital platforms, mobile applications, internal, external, and wireless networks to confirm if identified vulnerability of all devices, the sports wagering platform, and applications are susceptible to compromise; a review of the firewall rules to verify the operating condition of the firewall and the effectiveness of its security configuration and rule sets performed on all the perimeter firewalls and the internal firewalls; a technical security control assessment against the provisions adopted in these rules with generally accepted professional standards and as approved by the corporation; an evaluation of information security services, cloud services, payment services (financial institutions, payment processors, etc.), location services, and any other services which may be offered directly by the operator or involve the use of third parties; and any other specific criteria or standards for the sports wagering platform integrity and security assessment as prescribed by the corporation. 
The assessment report shall include, at a minimum: scope of review; name and company of affiliation of who conducted the assessment; date of assessment findings; recommended corrective action, if any; and the operator's response to the findings and recommended corrective action.
2. The operator conducting sports wagering shall perform a system integrity and security assessment of the sports wagering platforms and systems used for conducting retail sports wagering, which shall be completed by an independent professional selected by the operator and subject to approval of the corporation. The operator shall submit the results of an independent system integrity and security assessment to the corporation for review, subject to the following requirements:
a. the testing organization must be independent of the operator;
b. results from the network security risk assessment shall be submitted to the corporation no later than 90 days after the assessment is conducted;
c. at the discretion of the corporation, additional network security risk assessments may be required; and
d. the operator shall periodically assess the risk to operations, assets, patrons, employees, and other individuals or entities resulting from the operation of the operator's computer systems and the processing, storage, or transmission of information and data. The assessment shall be documented and recorded in a manner that can be displayed or printed upon demand by the corporation and shall be maintained for a period of five years. The operator shall assess the collection of personnel and patron data annually to ensure that only information necessary for the operation of the business is collected and maintained. No unnecessary personal information shall be retained.
3. The operator may submit for approval a request to the corporation to leverage the results of prior assessments within the past year conducted by the same independent professional against standards such as ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, the NIST Cybersecurity Framework (CSF), the Payment Card Industry Data Security Standards (PCI-DSS), or equivalent. Such leveraging shall be noted in the independent professional's report. This leveraging does not include critical components unique to the corporation which will require more current and separate assessments.
V. The sports wagering platform and systems shall provide a mechanism for the corporation to query and export, in a format approved by the corporation, all sports wagering platform data.
W. The sports wagering platform and systems shall be designed in a way to comply with all Federal requirements including, but not limited to: suspicious wagering activity; Title 31; and W-2G reporting.
X. Upon request by the corporation, an operator shall create test accounts for the corporation's use to conduct compliance inspections and testing of the sports wagering platform.
Y. The corporation may establish test accounts to be used to test the various components and operation of a sports wagering platform pursuant to the corporation's approved internal control procedures which must address procedures for identifying test accounts, issuing funds, maintaining proper records for all test accounts and conducting audits of all test activity to ensure proper adjustments to gross sports wagering revenue and any additional requirements specified by the corporation.

La. Admin. Code tit. 42, § XV-1163

Promulgated by the Louisiana Lottery Corporation LR 47:1892 (12/1/2021).
AUTHORITY NOTE: Promulgated in accordance with R.S. 47:9001 et seq.