Current through Register Vol. 54, No. 49, December 7, 2024
Section 812a.3 - Account security(a) An interactive gaming system must utilize sufficient security to ensure player access is appropriately limited to the registered account holder. Unless otherwise authorized by the Board, security measures must include, at a minimum, all of the following:(2) A password of sufficient length and complexity to ensure its effectiveness.(3) Upon account creation, the option for users to choose strong authentication login protection.(4) When a player logs into his registered interactive gaming account, the system must display the date and time of the player's previous log on.(5) An option to permit a player to elect to receive an electronic notification to the player's registered e-mail address, cellular phone or other device each time an interactive gaming account is accessed.(6) The interactive gaming system must require a player to re-enter his username and password after 15 minutes of user inactivity.(b) An interactive gaming certificate holder or interactive gaming operator may not permit the creation of anonymous interactive gaming accounts or accounts using fictitious names. A registered player may, while engaged in interactive gaming, represent himself using a screen name other than his actual name.(c) An interactive gaming system must provide an account statement with account details to a player on demand, either displayed on the interactive gaming web site or mobile app or available for immediate download, which must include information as required under this chapter.(d) An interactive gaming system must utilize sufficient security to ensure third-party access to player accounts is limited as follows:(1) Network shared drives containing application files and data for interactive gaming system must be secured so that only authorized personnel may gain access.(2) Login accounts and passwords required to administer network and other equipment are secured so that only authorized Information Technology (IT) personnel from the interactive gaming certificate holder or interactive gaming operator may gain access to these devices.(3) Remote access by vendor personnel to any component of the interactive gaming system is allowed for purposes of support or updates and is enabled only when approved by authorized IT personnel employed by the technology provider.(e) Interactive gaming certificate holders and interactive gaming operators may utilize third-party vendors to verify player information so long as those vendors are licensed by the Board when required and the agreements related to the provided services is submitted to the Board.