WLA-SCS:2024
WLA Security Control Standard
Information and operations security and integrity requirements for lottery, video lottery, sports and esports betting operators, as well as their suppliers.
Foreword
The World Lottery Association (WLA) has recognized the need for an adequate security and integrity standard for lottery, video lottery, sports and esports betting operators (hereafter referred to as gaming operators) from its foundation and has continued to develop the work started by its predecessors.
Gaming operators have a business need to develop environments that maintain a visible and documented security and integrity position so as to retain the confidence of players and other stakeholders alike. The WLA Security Control Standard (WLA-SCS) is designed to help gaming operators around the world, as well as their suppliers, to achieve levels of control that are in accordance with both generally accepted information security and quality practices as well as specific industry requirements. This will support gaming operators’ increased reliance on the integrity of their operations. Certification to the WLA-SCS provides an objective measure of a gaming operator’s security control and risk management performance.
The WLA-SCS has been prepared by the WLA Security and Risk Management Committee (WLA SRMC). The WLA SRMC consists of representatives and security specialists from gaming operators around the world. By comparing current security and integrity practices used in the industry with those approved by gaming experts around the world, a solid security and risk management framework for gaming operators, and their suppliers, has been established.
The WLA SRMC reviews all security control standards for use by the gaming sector and acts as a focal point for the sector on security and risk management issues. It oversees the WLA-SCS certification process whereby compliance of WLA Members and Associate Members with the standard is verified.
All new or updated standards from the WLA SRMC must be endorsed and released by the WLA Executive Committee and approved by the delegates of the biennial General Meeting before publication.
The structure of the WLA-SCS is aligned with that of the International Standards Organization (ISO) and the WLA is committed to keeping it updated and adapted in accordance with the ISO/IEC 27001 standard.
Introduction
The WLA-SCS defines a security, integrity, and risk management standard for use by the gaming sector and is intended to be the focal point for the sector on security and integrity issues. It describes a security management process that is aligned both with internationally recognized standards and with a common security baseline that represents good practice for gaming operators. The standard comprises a comprehensive set of controls and requirements for gaming operators and their suppliers.
WLA-SCS can be considered as the foundation for building trust relationships with industry stakeholders and regulators for the purpose of conducting gaming operations or multi-jurisdictional games. It can also be of substantial assistance to top management by providing an independent review in order to foster increased confidence in the security of gaming operations.
The latest iteration of the standard, WLA-SCS:2024, proposes a two-level certification framework.
Compliance with the WLA-SCS Level 1 proves a basic but essential level of information security for gaming operators and shows their commitment to achieving WLA-SCS Level 2, the highest level of certification. WLA-SCS Level 1 certification is suitable for those WLA member organizations that wish to take a more step-by-step approach to certification.
Compliance with the WLA-SCS Level 2 allows WLA member organizations to ensure the integrity, availability, and confidentiality of services and information vital to their secure operation. Combining the assessment of controls for gaming operators and compliance with the ISO/IEC 27001 Standard for Information Security Management Systems, WLA-SCS Level 2 represents the most complete and comprehensive certification standard for gaming operators and their suppliers.
Adoption of the WLA-SCS is a strategic decision. The design and implementation of the organization’s security and integrity management systems is influenced by their specific needs, objectives, risks and security requirements, the processes employed, and the size and structure of the organization. These factors and their supporting systems are expected to change over time, and it is to be expected that management system implementation will be scaled in accordance with the needs of the organization, e.g. a simple situation requires a simple system.
Compliance with WLA-SCS can be used by interested internal and external parties to evaluate the security and integrity of a gaming operator’s systems, as well as those of their suppliers.
In addition to ISO/IEC 27001, the WLA-SCS is aligned with ISO 9001 to allow for consistent and integrated implementation and operation with related management standards.
1. Scope
The WLA-SCS covers all types of gaming operations, including commercial enterprises, government agencies, and non-profit organizations.
The WLA-SCS specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving a documented security and integrity system within the context of the organization’s overall risks.
The requirements set out in WLA-SCS are generic and are intended to be applicable to all organizations, regardless of type, size, and nature. Excluding any of the requirements specified in Annexes A, B, C, or D is not acceptable unless formally approved by the WLA.
Any exclusions found to be necessary of controls in relation to Annexes A, B, C, or D need to be formally justified and evidence needs to be provided that the exclusions have been accepted by accountable persons. Where any controls are excluded, claims of conformity to WLA-SCS are not acceptable unless such exclusions do not affect the organization’s ability and/or responsibility to provide security and integrity that meet the requirements as determined by a risk assessment and applicable legal or regulatory requirements.
Any controls excluded from Annexes A, B, C, or D will be noted in the certification scope on the WLA-SCS certificate.
Note: If an organization already has an operational business process management system (e.g. in relation with ISO 9001 or ISO 14001), in most cases it is advisable to satisfy the requirements of the WLA-SCS within the existing management system.
Important: The WLA-SCS does not purport to include all the necessary provisions of a contract. WLA members adopting the WLA-SCS are responsible for its correct application. Compliance with any standard does not in itself confer immunity from any legal obligations.
2. Normative references
The following documents are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection — Information security management systems — Requirements. The current edition (2022), or more recent edition, applies.
WLA-SCS:2024 Code of Practice – best-practices guidelines for the WLA-SCS security and integrity controls and requirements.
Guide to Certification for the WLA-SCS.
3. Terms and definitions
3.1 Abbreviations
WLA: World Lottery Association
WLA-SCS: WLA Security Control Standard
WLA SRMC: WLA Security and Risk Management Committee
3.2 Definitions
This section contains only those terms that are used in a specialized way throughout this standard. Most terms in the standard are used either according to their accepted dictionary definitions or according to commonly accepted definitions that may be found in ISO security glossaries or other well-known collections of security terms.
Assets: Information or resources to be protected by countermeasures.
Personnel: Shall be read as any employee, contractor or other third party who works for the gaming operator or gaming supplier and, by virtue of their role or access has the potential to impact the confidentiality, availability or integrity of the game.
Gaming system: Shall be read as all or any subset of the technology and information resources that allows the offer of a game.
Gaming services: Any type of gaming system that is provided as a service.
Gaming supplier: Refers to entities that provide gaming systems or gaming services.
Gaming operator: Refers to entities that operate games.
Organization: Refers to the gaming operator or supplier that is the subject of certification to this standard.
4. Overview
The main objective of the security and integrity approach for WLA member organizations is to ensure adequate operation as well as to provide confidence.
Confidence in a gaming operation is key to retaining players and other stakeholders. Therefore, WLA member organizations need to develop and maintain a visible and documented security and integrity environment.
The WLA SRMC has described in the WLA-SCS the requirements, control objectives and controls that are viewed as best practice. A WLA member organization shall operate an information security management system that implements all requirements stated in ISO/IEC 27001, as well as the mandatory WLA-SCS requirements and controls.
The WLA-SCS incorporates baseline requirements and controls within the gaming operator’s overall security, integrity, and risk management process; avoiding overlaps with more general security frameworks. It provides gaming security and integrity professionals with a process whereby they can formally manage, update, and continuously improve their controls. Gaming operators, therefore, need to develop and maintain a visible and documented security environment.
The WLA-SCS consists of four parts that specify the minimum controls necessary for the effective management of security and integrity in gaming operators and suppliers to the industry.
The first part (Annex A – G Controls: Organizational controls) incorporates the ISO/IEC 27001 compliance within a global scope, with a further 30 basic WLA controls adjoined.
The second part (Annex B – L Controls: Controls for the operation of games) furnishes an additional 62 gaming-specific security and integrity controls representing current best practice.
The third part (Annex C – S Controls: Controls for the development of gaming systems and the provision of gaming services) contains 21 controls based on products and services offered by lottery, video lottery, sports and esports betting and other gaming suppliers and operators that develop or manage their own gaming systems and services.
The fourth part (Annex D – M Controls: Controls for multijurisdictional games) contains 11 controls required to participate in games run by the US Multi-State Lottery Association (MUSL).
5. General security and integrity management requirements
5.1 Information Security Management System (ISMS)
Organizations certifying against WLA-SCS:2024 Level 2 shall operate an Information Security Management System (ISMS) that satisfies the requirements of ISO/IEC 27001.
5.2 Scope of the ISMS
The organization’s ISMS scope shall include all gaming related activities of its operations, including all related assets and information systems. The scope may only exclude operations of the organization that are not related to gaming activities. The excluded operations shall be fully identified and the causes for their exclusion justified in detail. General organizational functions (e.g. human resources, planning, finance …) needed to conduct lottery, video lottery, sports and esports betting operations are within the scope.
5.3 Statement of Applicability
The organization’s ISMS Statement of Applicability shall explicitly include all controls in Annexes A, B, C, and D of the WLA-SCS. Claims of non-applicability shall be justified in detail and be formally approved by the WLA.
Annex A (G Controls): Organizational controls
G.1 Organization of security
A security forum or other organizational structure comprised of senior managers shall be formally established to monitor and review the ISMS to ensure its continuing suitability, adequacy and effectiveness, maintain formal minutes of meetings, and convene at least every six months.
A security function shall exist that is responsible for developing a security strategy in accordance with the overall business. The security function will subsequently work with the other business units to implement the associated action plans. It shall be involved in reviewing all tasks and processes that are necessary from the security perspective for the organization, including, but not limited to, the protection of information and data, communications, physical, virtual, personnel, and overall business operational security.
The security function shall report to no lower than executive level management and shall be independent of the technology function with regard to the management of security risk.
It shall have the competences and be sufficiently empowered and shall have access to all necessary resources to enable the adequate assessment, management, and reduction of risk.
The head of the security function shall be a full member of the security forum and be responsible for recommending security policies and changes.
G.2 Human resources security
A code of conduct shall be issued to all employees when initially employed.
All employees shall formally acknowledge acceptance of this code.
The code of conduct shall include statements that all policies and procedures are adhered to and that infringement or other breaches of the code could lead to disciplinary action.
The code of conduct shall include statements that employees are required to declare conflicts of interest in employment as and when they occur. Specific examples of conflict of interest shall be cited within the code.
The code of conduct shall address anti-graft provisions including hospitality and gifts provided by, or given to, persons or entities with which the organization transacts business.
There shall be an internal policy, aligned with any legislative or regulatory requirements, that addresses the right to play of personnel and those who are financially dependent on them. Where there are roles that could impact the integrity of the games without collusion they shall be prohibited from playing. Where the policy requires a prohibition of play, those roles impacted shall be explicitly defined and the prohibition shall be enforced contractually with the personnel or their employer (if not the gaming operator or supplier itself).
There shall be a policy and process for establishing trust in individuals that could impact the integrity of games through security vetting. There shall be an associated policy and process for implementing monitoring of the system activity of personnel to detect and investigate activity that might impact game integrity. These policies shall balance an individual’s right to privacy with the obligation of the organization to protect the integrity of the games.
There shall be a policy to implement segregation of duties detailing the respective roles and responsibilities of the people in charge of critical processes that could impact the integrity of a game, such as, but not limited to, draw processing and prize payment. The intention is to avoid possible collusion. Furthermore, no single group or team shall have overall control in a way that could impact game integrity without management oversight.
A policy shall be established to ensure that employees conducting lone working, those working remotely outside the organization’s premises, and those working inside the organization’s premises in areas with public access receive an adequate level of protection with regard to both their safety and security.
G.3 Physical and environmental security
Physical access to production gaming system data centers, computer rooms, network operations centers, and other defined critical areas, shall be restricted and adequately secured or monitored by staff at all times. While this control is risk based, in practice it shall require a minimum of an auditable two-factor authentication process. The list of critical areas shall be documented.
G.4 Access control to gaming systems
The range of functions available to the user shall be defined and maintained in conjunction with the process owner, the IT function, and the security function.
All actions performed on the gaming systems by human or system accounts shall be logged and these logs shall be monitored, regularly reviewed, and acted upon as appropriate.
G.5 Information systems security
Cryptography to protect the confidentiality of information shall be applied for sensitive information on portable computer systems and to protect the integrity of sensitive information held at rest on terminals.
Cryptography to protect the confidentiality and integrity of information as appropriate shall be applied for sensitive information passed over networks, which risk analysis has shown to have an inadequate level of protection. This includes, but is not limited to, validation or other important gaming information, customer data, and financial transactions.
Cryptographic controls for integrity shall be applied for the storage of winning ticket data and validation information. This control applies to all game types.
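The integrity control for stored winning ticket data and validation information is typically met by attaching a keyed message authentication code to every record and verifying it on every read. The block below is an added illustration and is not code from the WLA or any operator; the key value, the record fields and the ticket reference numbers are constructed for the example, and a real deployment would hold the key in an HSM or key-management service, separate from the validation file.

```python
import hashlib
import hmac
import json

# Constructed example key (32 bytes). In production the key is provisioned by
# key management and is never stored beside the validation records it protects.
INTEGRITY_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def canonical(record: dict) -> bytes:
    """Serialize a record deterministically so the MAC covers identical bytes on write and read."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal_record(record: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """Return a copy of the record carrying an HMAC-SHA256 tag over its canonical form."""
    body = {k: v for k, v in record.items() if k != "tag"}
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {**body, "tag": tag}


def verify_record(sealed: dict, key: bytes = INTEGRITY_KEY) -> bool:
    """Recompute the tag and compare in constant time; any altered field changes the tag."""
    body = {k: v for k, v in sealed.items() if k != "tag"}
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed.get("tag", ""))


def audit_validation_file(records: list, key: bytes = INTEGRITY_KEY) -> list:
    """Return the ticket references of records whose integrity tag does not verify."""
    return [r.get("ticket_ref", "<missing>") for r in records if not verify_record(r, key)]


# Constructed sample validation records (game name and ticket references are made up).
VALIDATION_FILE = [
    seal_record({"ticket_ref": "T-000001", "game": "DEMO-7", "prize_tier": 3, "amount": 50}),
    seal_record({"ticket_ref": "T-000002", "game": "DEMO-7", "prize_tier": 0, "amount": 0}),
]


def tampered_copy() -> list:
    """Simulate an unauthorized edit that turns a non-winning record into a top-tier win."""
    copy = [dict(r) for r in VALIDATION_FILE]
    copy[1]["prize_tier"] = 1
    copy[1]["amount"] = 100000
    return copy


if __name__ == "__main__":
    print("clean file, failing records:", audit_validation_file(VALIDATION_FILE))
    print("tampered file, failing records:", audit_validation_file(tampered_copy()))
```

The audit function is the piece a periodic review (G.4) would schedule: it reports which records no longer verify rather than silently accepting them, and because the tag is computed over a sorted, whitespace-free serialization, reordering fields does not cause false alarms.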
The test methodology policy shall include provisions to prevent the use of data created in a live production system for the current draw period and to prevent the use of player, retailer, or staff personal information. In this context current draw period shall be defined as the period for which prizes can still be claimed.
Thorough testing of the gaming system security functionality shall be performed prior to production environment use and on any significant changes.
Managed environments (including cloud services, hosted services and in general managed services) that run gaming systems and gaming system components shall be compliant with ISO/IEC 27001. A managed environment is defined as computing resources managed by a third party to which the organization subscribes for services.
The following elements shall be documented, communicated, and implemented:
• responsibilities for shared information security roles between the organization and the managed service provider.
• procedures for administrative operations on the managed service environment and monitoring of these.
• a termination process that covers return and removal of the organization's assets in a timely manner.
The managed service virtual environment of the organization shall be protected from other host service customers and unauthorized persons.
Virtual components in the managed service environment shall be hardened and protected. The consistency of configurations between virtual and physical networks shall be verified based on the managed service provider's network security policy.
The organization shall have the capability to monitor specified aspects of the operation of the managed service that the organization uses.
The organization shall provide a layered approach to security within the gaming systems architecture to ensure secure storage and processing of data.
The organization shall have in place a Responsible Disclosure Policy for the disclosure of security vulnerabilities by the public to the gaming operator.
G.6 System availability and business continuity
The organization shall have documented the list of critical services to players (both retail and digital channels) that are required for the continued operation of games, as well as the availability and resilience requirements of those services. Systems shall be architected to meet those requirements.
The organization shall prepare a documented business continuity plan that covers, at minimum, the continued operation of games and continued stakeholder confidence in the integrity of gaming operations. The organization shall furthermore plan, perform, and evaluate business continuity exercises in regular intervals to prepare the organization for crisis situations, covering the elements included in the business continuity plan.
Annex B (L Controls): Controls for the operation of games
L.1 Physical instant tickets
The organization shall implement a documented procedure that covers the entire game lifecycle, from design to destruction, by specifying the integrity requirements for each instant game.
There shall be controls to ensure the integrity of game data, including but not limited to the importing of game data into the gaming system and the transfer of validation data between the supplier / operator / retailers.
Controls shall be in place to ensure that prior to the claiming of a prize no one in the organization has access and knowledge of which instant ticket is a winning ticket and which is not; nor shall they be able to identify the location of the winning ticket and which retailer it has been assigned to.
L.2 Lottery draws
A policy shall be established to ensure that lottery draws are conducted as a planned and controlled event and in accordance with a clear working instruction.
The organization shall publish a working instruction prior to any draw including special instructions with respect to the draw.
The working instruction shall include the composition of a draw team including their contact telephone numbers.
The working instruction shall include the duties of the identified members of the draw team.
The working instruction shall nominate persons as reserves and detail how the reserve team are deployed.
The working instruction shall include the detailed timings of the draw operation from the opening of the draw location to the closing of that location.
The working instruction shall include details of any requirement under the lottery rules for independent observers to be present during a draw.
The organization shall establish a detailed draw procedure to ensure that all draw functions are conducted in compliance with the rules of the applicable lottery game and regulatory requirements.
The draw procedure shall include a step-by-step guide of the draw process.
The draw procedure shall include the definition of the draw location.
The draw procedure shall include a definition of the attendance at the draw and the responsibilities and actions of all participants.
The draw procedure shall define the policy regarding the attendance of an (independent) compliance officer or an auditor.
The draw procedure shall include adequate security measures for the draw operation and all equipment used during the draw process.
The draw procedure shall include actions in the event of an emergency occurring at any time during the course of the draw.
The lottery shall put a system or process in place to ensure that no individual or individuals with access to the Central Gaming System can manipulate the transactions within, prior to, or post draw, and that a clear audit trail of user access and transactions is established.
A procedure for the inspection of draw appliances and ball sets on delivery and thereafter in consultation with an independent authority (to ensure compliance with technical specifications and standards) on a regular basis shall be established.
Inspections and maintenance of the draw appliances shall be carried out and documented at least annually to retain the specified standards throughout the machine’s working life.
The organization shall establish a procedure that provides for the use of ball sets manufactured to those measurements and weight tolerances compatible with the drawing machine to be used.
The organization shall establish a procedure that provides for the availability of a substitute draw appliance and ball set(s) for use in the event of mechanical problems or failure of any kind, if drawings are broadcast live.
The organization shall establish a procedure that provides for the secure storage, movement, and handling of draw appliances and ball sets.
When the draw is broadcast or live streamed over the Internet, there shall be a procedure in place that minimizes the risks associated with data corruption, time delay to the audio and/or video, mistakes in graphic generation or similar resulting in the public perception that there is an issue with the draw integrity.
L.3 Retailer security
The organization shall specify the obligations of a retailer and the security environment the retailer is required to operate in within an agreed contract.
The data traffic between the gaming terminals and the central gaming system shall be protected and measures to ensure the integrity of the transactions shall be implemented. Where a retailer point of sale device is used instead of a dedicated gaming terminal, the data traffic from the gaming application on the point-of-sale device to the central gaming system must be protected and not be reliant on the security of the retailer point of sale device for the integrity of games.
L.4 Prize payment
The organization shall define and implement procedures to ensure the validity of winning transactions, claims and/or tickets for different prize levels and types of games, and process prize payouts thereof.
Each ticket for each game shall have a unique reference number.
The organization shall implement technical and procedural controls to ensure the confidentiality, integrity, and availability of unclaimed prize data. This includes as a minimum, but is not limited to, files containing information on specific transactions yet to be claimed and any validation files. Specific consideration shall be given to access control to restrict access to the data, monitoring of user interaction with the data, and a process for dealing with unauthorized access or export of the data.
There shall be a prize payout procedure that defines a maximum prize claim period; includes a process to audit final transfers upon game settlement; details the rules and due diligence required prior to making a decision on payout for a lost, stolen or damaged ticket; details the procedure with regard to inquiries into the validity of claims; and a procedure with regard to late or last minute payouts.
There shall be adequate audit records kept and reviewed as part of the prize payout procedure to identify unusual patterns of late payouts and any claims made by retailers or that might require investigation.
Games shall be monitored concerning security and prize payout percentage.
There shall be documented procedures to handle disputes or protests from customers regarding a win or loss.
L.5 Payment methods and player accounts
Collection of sensitive data directly related to payment shall be limited to only the data strictly needed for the transaction.
Adequate measures shall be taken in order to protect any type of payment used in the system from fraudulent use.
The organization shall verify that the payment service ensures the protection of the player data, including any personally identifiable information given by the player or payment related data.
There shall be a formal process for identification, authentication, and authorization of a player. Both player data and the wallet shall be considered as critical assets for the purposes of risk assessment.
There shall be reasonable measures put in place to ensure each player only holds one active account.
There shall be an established process for excluding players in accordance with local applicable laws and/or internal procedures.
There shall be an established procedure, in accordance with local applicable laws, for assuring the ownership of the payment instrument with the identity of the player to avoid fraud and money laundering.
The organization shall generate all transactional records of player accounts. The data recorded shall allow the organization to trace a single financial activity of a player and distinguish it from any other transaction.
L.6 Sports, esports and horse race betting
The framework in which the organization offers sports, esports and horse race betting and the according rules shall be defined, maintained, and published, including but not limited to, all authorized sporting event types and betting types for each sport.
Procedures regarding the selection of the events and for setting and updating the odds, betting margins and/or blocking events as well as for receiving the results from reliable sources shall be established. A process shall exist for validating accuracy and preventing fraudulent activities. The procedures shall be based on the respect of integrity, responsible gaming, and ensuring transparency.
There shall be documented procedures to assure and monitor the integrity of the live bet offering, the results handling and customer protection. Indicative areas for consideration in the procedure for results handling shall include, but not be limited to, time delays, sources of results, and reversal of results. The procedures shall also account for courtsiding prevention mechanisms including but not limited to a delay in live pictures.
The organization shall establish a set of measures to ensure authorized payout levels are not exceeded.
Procedures shall be established to monitor all changes to odds and/or blocking throughout a sports, esports and horse race event, monitoring of the market, events and customer transactions for the detection of irregularities, monitoring of winners over a certain amount of gains, and deposits over a certain size. The procedures shall also specify thresholds of payment and methods of collection. The established procedures must be in compliance with the laws of the jurisdiction within which the certifying member is domiciled.
L.7 Interactive Video Lottery Terminals
VLT terminals shall be monitored concerning security and prize payout percentage.
The game-rules and overall prize-payout percentage shall be available to the customer.
Dedicated games for VLT shall be tested, and a certificate providing evidence of integrity and prize-payout shall be issued and maintained.
The organization shall maintain a description of the overall VLT system architecture, including security measures, to ensure the integrity of the VLT game, secure storage and processing of data.
L.8 Random number generation
Measures shall be taken in order to ensure only those authorized have physical access to, and logical protection of, both the Random Number Generator (RNG) (entropy source) and the drawing algorithm in order to prevent any modification of the algorithm and the entropy source settings. The physical system(s) shall be protected against theft, unauthorized modifications, and interference.
Measures shall be taken in order to ensure integrity and authenticity of the data transmitted between the RNG (entropy source) and the drawing algorithm.
Before deployment, tests and verifications shall be performed by independent parties in order to verify that the electronic drawing system is random. The organization shall document its policy related to after-deployment tests and verifications in order to verify that the random number generator and drawing algorithm are performing as specified.
In addition to the control G.2.1.7, a specific procedure shall be implemented for the segregation of duties involved in an electronic draw in order to prevent internal fraud. Notably, no one person shall be allowed to perform more than one of the following types of duties: maintaining, monitoring, or performing draws on electronic gaming equipment.
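L.8 asks for three things that can be shown together in code: the drawing algorithm must only consume entropy whose integrity and authenticity it can check, it must not introduce bias of its own, and after-deployment verification must be able to test the draw output. The block below is an added example, not code from the WLA or from any operator's draw system; the transport key, the fixed byte sequence used for the test, and the chi-square threshold are assumptions of the example (an operator's policy would set the critical value from a chi-square table for n - 1 degrees of freedom). The rejection-sampling step is limited to n <= 256 because it consumes one byte per candidate.

```python
import hashlib
import hmac
import os
import struct

# Constructed shared key between entropy source and drawing algorithm (32 bytes).
# A deployment would provision it through an HSM or key-management process.
TRANSPORT_KEY = bytes.fromhex("deadbeef" * 8)


class EntropySource:
    """Emits entropy blocks carrying a monotonic counter and an HMAC-SHA256 tag."""

    def __init__(self, key: bytes, rng=os.urandom):
        self.key = key
        self.counter = 0
        self.rng = rng  # injectable so tests can feed a fixed byte sequence

    def next_block(self, n: int = 32) -> dict:
        self.counter += 1
        data = self.rng(n)
        msg = struct.pack(">Q", self.counter) + data
        tag = hmac.new(self.key, msg, hashlib.sha256).digest()
        return {"counter": self.counter, "data": data, "tag": tag}


class DrawingAlgorithm:
    """Consumes authenticated entropy and selects k distinct numbers from 1..n without bias."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0
        self._buf = b""

    def accept(self, block: dict) -> None:
        """Reject modified blocks (tag mismatch) and replayed or reordered blocks (counter)."""
        msg = struct.pack(">Q", block["counter"]) + block["data"]
        expected = hmac.new(self.key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, block["tag"]):
            raise ValueError("entropy block failed authentication")
        if block["counter"] <= self.last_counter:
            raise ValueError("replayed or out-of-order entropy block")
        self.last_counter = block["counter"]
        self._buf += block["data"]

    def _take_byte(self) -> int:
        if not self._buf:
            raise RuntimeError("out of authenticated entropy")
        b, self._buf = self._buf[0], self._buf[1:]
        return b

    def _uniform_below(self, n: int) -> int:
        """Rejection sampling: drop bytes above the largest multiple of n, so no modulo bias."""
        if not 1 <= n <= 256:
            raise ValueError("n must be between 1 and 256")
        limit = 256 - (256 % n)
        while True:
            b = self._take_byte()
            if b < limit:
                return b % n

    def draw(self, n: int, k: int) -> list:
        """Draw k distinct numbers from 1..n, removing each chosen number from the pool."""
        if not 0 <= k <= n:
            raise ValueError("k must be between 0 and n")
        pool = list(range(1, n + 1))
        chosen = []
        for _ in range(k):
            chosen.append(pool.pop(self._uniform_below(len(pool))))
        return sorted(chosen)


def chi_square(draws: list, n: int) -> float:
    """Frequency statistic over many draws; compare with the policy's critical value for n-1 df."""
    counts = [0] * n
    for d in draws:
        for number in d:
            counts[number - 1] += 1
    expected = sum(counts) / n
    return sum((c - expected) ** 2 / expected for c in counts)


if __name__ == "__main__":
    src, alg = EntropySource(TRANSPORT_KEY), DrawingAlgorithm(TRANSPORT_KEY)
    alg.accept(src.next_block())
    print("draw 6 of 49:", alg.draw(49, 6))
```

The counter check is what turns the integrity control into an authenticity control: a valid block captured earlier cannot be fed back into a later draw, and a block from any source without the key fails the tag check before a single byte reaches the selection step.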
L.9 Online games
Refers to all gaming related activity delivered through mobile application or web-based online platforms, but not including retail transactions.
The online game rules and overall prize-payout percentage shall be available to the customer.
Dedicated online games shall be tested and evidence shall be provided to assure integrity and correct prize-payout throughout the whole lifecycle of the game.
Procedures shall be established for taking online games out of production, including how jackpots that have not been won are to be handled.
Procedures shall be established to handle discrepancies between what is presented on a customer’s digital device and what is logged in the gaming system.
For games that have pre-determined winners, procedures shall be established, based on a risk analysis, to ensure that no one can take advantage of the game mechanisms.
L.10 Game design and approval
Game rules shall be documented and accessible by players.
An approval procedure shall be defined to ensure that every new game, and every relevant modification to the digital gaming systems, is controlled. The final game design shall be formally approved through a process involving the security function.
The security function shall be involved in the approval process.
Annex C (S Controls):
Controls for the development of gaming systems and the provision of gaming services
The S controls apply to the development of gaming systems and the provision of gaming services, whether that be a gaming supplier or the gaming operator's own in-house developers. In the case that a gaming operator or gaming supplier acquires a gaming system or services from a third party, it is the gaming operator’s or gaming supplier’s responsibility to assure compliance to these S controls from the third party.
S.1 Gaming systems security assurance
There shall be a policy on application security across the software development lifecycle.
The organization shall perform security testing of their products and/or services. The organization should adjust the tests based on the nature of the change, considering the impact and level of risk associated with it.
The organization shall provide to the operator:
• An inventory of the tests performed during the software development lifecycle. This inventory must cover all principal risks.
• A summary of the output along with the release notes for their product for the first release and any subsequent significant release into a production environment.
The security tests conducted by the gaming technology supplier shall reflect how the system will be deployed in a production environment by the operator.
Secure coding practices shall be defined and required for developers to follow and there shall be measures to audit the effectiveness and compliance of those practices.
There shall be a training and awareness program on secure coding practices for all developers that write code for gaming systems.
There shall be assurance over the integrity of the developed software / firmware at each stage of the development process, including, as a minimum but not limited to, the quality assurance process and the deployment of the software / firmware into the production environment.
There shall be adequate security logging provided from the developed software / firmware, that can be integrated by a security team into their security toolsets to ensure the integrity of the software / firmware. There shall be a document that details how to interpret and understand the security logging.
Critical files in the product shall be identified and documented in order for the gaming operator to verify the integrity of the production environment.
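As an added example (not part of the standard or of any supplier's product), the following shows how a documented list of critical files can be turned into an integrity manifest on the supplier side and verified by the operator against the production tree, reporting modified, missing and unlisted files. The file names, the manifest layout and the `demo()` scenario are constructed assumptions; the manifest itself must reach the operator through a trusted channel (signed or out of band), otherwise whoever alters a file can alter its recorded hash as well.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed list of "critical files" for the example; a real inventory is
# the one the supplier documents for the product.
CRITICAL_FILES = ["bin/draw-engine", "conf/prize-table.json", "lib/rng.so"]


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, critical: list[str]) -> dict:
    """Supplier side: record size and SHA-256 for every critical file."""
    entries = {}
    for rel in sorted(critical):
        p = root / rel
        entries[rel] = {"sha256": sha256_file(p), "size": p.stat().st_size}
    return {"version": "example-1.0", "files": entries}   # version is a placeholder


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Operator side: compare the production tree against the manifest.
    Size is checked first as a cheap pre-filter; the hash is authoritative."""
    listed = manifest["files"]
    result = {"modified": [], "missing": [], "unexpected": []}
    for rel, meta in listed.items():
        p = root / rel
        if not p.is_file():
            result["missing"].append(rel)
        elif p.stat().st_size != meta["size"] or sha256_file(p) != meta["sha256"]:
            result["modified"].append(rel)
    # Anything under the product root that the manifest does not list is
    # reported too: an added binary is as suspicious as a changed one.
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            if rel not in listed:
                result["unexpected"].append(rel)
    result["ok"] = not (result["modified"] or result["missing"] or result["unexpected"])
    return result


def demo() -> dict:
    """Build a manifest over constructed files, tamper with the tree, re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel in CRITICAL_FILES:
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(f"constructed contents of {rel}\n".encode())
        manifest = build_manifest(root, CRITICAL_FILES)
        clean = verify_manifest(root, manifest)
        # Simulated tampering: prize table edited, RNG library removed, rogue file added.
        (root / "conf/prize-table.json").write_bytes(b'{"tier1": 999999}')
        (root / "lib/rng.so").unlink()
        (root / "lib/rng-patched.so").write_bytes(b"\x7fELF constructed")
        tampered = verify_manifest(root, manifest)
    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(demo())
```

Running `verify_manifest` on a schedule, and on every deployment, is what gives the operator the evidence this control asks for; the output is also a natural feed into the security logging described in the preceding paragraph.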
There shall be measures put in place to allow for the identification of unauthorized attempts to add or modify the gaming system hardware that could impact the integrity of the gaming system. In this context hardware includes as a minimum, but is not limited to, video lottery terminals, gaming point of sale equipment, and random number generators. The exact list of hardware to which this control applies is to be determined through risk assessment. Hardware provisioned and hosted by an Infrastructure as a Service provider will be exempt from this control requirement.
There shall be a process through which updates to software / firmware and any third-party code libraries used can be applied in a timely manner. Whether or not patches are pushed to production gaming systems is a decision to be determined via risk assessment, with consideration of the gaming operator’s vulnerability and patch management policy and taking into account any commercial considerations.
A gaming supplier shall have a Responsible Disclosure Policy that is available to all those who have purchased their products or services, for the disclosure of security vulnerabilities in their gaming system products.
The manufacturer shall formally validate requirements with the gaming operator and translate those requirements into specifications; any change in the specifications shall follow both supplier’s and gaming operator’s change management process.
The randomization process used for the generation of instant game data is subject to the application of WLA-SCS L.8 Random number generation controls and the requirements agreed between the operator and supplier.
The ticket manufacturer shall ensure that an independent team validates logical game data against gaming operator requirements. Reports with results shall be made available to the gaming operator.
The ticket manufacturer shall ensure that access to validation data is restricted at all times, even after instant game delivery, in conformity with the principle of least privilege.
The ticket manufacturer shall formally validate the final visuals and texts with the gaming operator before printing tickets.
The ticket manufacturer shall perform integrity audits on tickets on a regular basis.
Provisions shall be made for each ticket delivered to have a unique reference number.
The supplier shall provide evidence that in each printing lot they have supplied the correct number of tickets in accordance with the required prize structure.
There shall be a documented procedure to ensure that undelivered printed tickets are securely destroyed.
The supplier shall ensure that ticket delivery between the supplier and the gaming operator is secured.
Annex D (M Controls):
Controls for multijurisdictional games
M.1 Requirements to participate in games run by the Multi-State Lottery Association (MUSL)
To meet the requirement of the controls listed in section L.4.1 of this document, an organization shall additionally comply with the MUSL Minimum Game Security Standards.
Records of sold transaction data on the computer gaming system shall exist in no fewer than two distinct datacenter locations and shall be sufficiently separated so as not to be subject to the same disaster event.
Each location shall receive and acknowledge transaction board data prior to a ticket being allowed to print.
Play data must be backed up daily and stored offline and offsite.
A MUSL-approved cryptographic hash function shall be applied to the entire set of transactions stored via the internal control system (ICS) pre-draw, for each draw, to create a message digest (hash). The same cryptographic hash function shall be re-applied to the entire set of transactions after the creation of the winner-by-tier report immediately following the drawing.
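The pre-draw and post-draw digest described above, as an added example that is not part of the standard or of MUSL's own procedures. It assumes SHA-256 stands in for the MUSL-approved function, a constructed set of sold-transaction records, and a canonical ordering by ticket id so the digest does not depend on the order in which the ICS happens to store or return the records; any record added, removed or altered between the two points changes the digest.

```python
import hashlib
import json

# Constructed sample of sold-transaction records as an ICS might hold them.
SAMPLE_TRANSACTIONS = [
    {"ticket_id": "T-000123", "terminal": "R-7781", "sold_at": "2024-05-01T18:02:11Z",
     "numbers": [3, 17, 22, 38, 41, 49], "amount": 2.0},
    {"ticket_id": "T-000124", "terminal": "R-7781", "sold_at": "2024-05-01T18:02:40Z",
     "numbers": [5, 9, 12, 26, 30, 44], "amount": 2.0},
    {"ticket_id": "T-000125", "terminal": "R-0102", "sold_at": "2024-05-01T18:05:03Z",
     "numbers": [1, 2, 3, 4, 5, 6], "amount": 2.0},
]


def canonical_record(txn: dict) -> bytes:
    # Sorted keys, no whitespace: the same record always serializes to the
    # same bytes regardless of dict insertion order or serializer defaults.
    return json.dumps(txn, sort_keys=True, separators=(",", ":"), ensure_ascii=True).encode()


def transaction_set_digest(txns: list[dict]) -> str:
    """SHA-256 over the entire set, ordered by ticket_id so that the digest does
    not depend on storage or retrieval order. Each record is length-prefixed
    so record boundaries cannot be shifted without changing the digest."""
    h = hashlib.sha256()
    for txn in sorted(txns, key=lambda t: t["ticket_id"]):
        rec = canonical_record(txn)
        h.update(len(rec).to_bytes(4, "big"))
        h.update(rec)
    return h.hexdigest()


def seal_pre_draw(draw_id: str, txns: list[dict]) -> dict:
    """Taken immediately before the draw and stored where CGS/ICS operators
    cannot alter it (a separate custodian, or a write-once record)."""
    return {"draw_id": draw_id, "count": len(txns), "digest": transaction_set_digest(txns)}


def verify_post_draw(seal: dict, txns: list[dict]) -> dict:
    """Re-applied after the winner-by-tier report; any difference means the
    sales set changed across the draw and must be investigated."""
    digest = transaction_set_digest(txns)
    return {
        "draw_id": seal["draw_id"],
        "count_matches": len(txns) == seal["count"],
        "digest_matches": digest == seal["digest"],
        "post_draw_digest": digest,
    }


if __name__ == "__main__":
    seal = seal_pre_draw("2024-05-01-evening", SAMPLE_TRANSACTIONS)   # constructed draw id
    print(seal)
    print(verify_post_draw(seal, SAMPLE_TRANSACTIONS))
```

The count in the seal is a quick first indicator, but only the digest catches a record whose numbers were edited in place; both values should be recorded by someone outside the group that operates the ICS and CGS, in line with the separation required a few controls further down.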
Where a retailer point of sale device is used instead of a dedicated lottery terminal, the retailer point of sale device must meet NASPL requirements.
Terminals not intended to produce live tickets, and that are accessible to computer gaming system or internal control system operators, shall be modified in such a manner as to make it clear that any ticket created by such terminals is not valid. Neither site operations nor IT personnel shall be able to circumvent modifications.
Software used to generate random numbers for quick picks shall comply with WLA-SCS control L.8.1.3 “Electronic draw randomness and integrity verification”.
With regard to WLA-SCS control L.2.2.8 “Independent Control System”, if the computer gaming system is run by a third-party vendor, the ICS must be operated by a separate organization. In any case, responsibility for these systems must be highly separated, and no one individual can have access or partial access to both the ICS and CGS systems.
The lottery or its authorized designee shall process winning numbers using the same personnel and the same ICS systems used for processing sales transactions.
Intrusion detection and reporting or an intrusion prevention system shall be in place on both the ICS and CGS networks and actively configured to notify local administrators.