Fla. Admin. Code Ann. R. 75-14.074 - Security Requirements, System Access, and Firewalls
(1) The firewall application shall maintain
an audit log and disable all communications and generate an error event if the
audit log becomes full. An audit log shall contain the following information:
(a) All changes to configuration of the
firewall;
(b) All successful and
unsuccessful connection attempts through the firewall; and,
(c) The source and destination IP addresses,
port numbers and MAC addresses.
(2) Except as provided in this section, the
facility based monitoring system shall not allow for remote access and all
access to the facility based monitoring system shall be conducted from within
the slot machine licensee's facility. A slot machine licensee shall provide in
its system of internal controls a method of providing limited remote access to
the facility based monitoring system for a business or person licensed as a
business occupational license pursuant to Section 551.107(2)(a)3., F.S., for
performance of maintenance or diagnostics of the facility based monitoring
system that cannot be performed by the slot machine licensee's onsite
personnel. The system of internal controls for such remote access shall provide
for the following:
(a) Designation of an officer required to sign for acknowledgement of
internal controls in subsection 75-14.058(4), F.A.C., who shall be
responsible for determining the need for remote access to the facility
based monitoring system;
(b) The device or method through which remote
access is given shall be taken offline when remote access is not
required;
(c) Limited access to any
device or method used to establish remote access including:
1. A list of persons authorized to modify or
enable such a device or method used to establish remote access; and,
2. Storage of any such device or method in a
secure location that is not readily accessible to any person other than those
listed under subparagraph (c)1.; and,
3. A log with separate entries for each
person and the dates and times when the remote access is enabled, disabled or
modified.
(d) Maintenance
of a log of each time remote access is provided, enabled, disabled or modified
with a separate entry for each of the following:
1. The specific reason for which remote
access was provided to another person or entity,
2. The name and occupational license number
of the employee who authorized remote access to be provided to another person
or entity,
3. The name and
occupational license number of the employee of the slot machine licensee who
established a remote access connection to the person or entity, if such
employee is different from the employee provided in subparagraph (d)2.,
4. The name and occupational
license number of the person and entity with whom remote access is established.
If remote access is provided to an employee of a business occupational
licensee, the name and occupational license number of both the employee and the
business entity shall be entered on the log,
5. The date and time that remote access is
established; and,
6. The date and
time that remote access is terminated.
(e) A written report to be provided to the
division in no less than 24 hours after the remote access has been completed
which shall include:
1. The reason that remote
access was provided, enabled, disabled or modified,
2. The name of the employee of the slot
machine licensee that authorized the remote access,
3. The name of the slot machine employee who
established the remote access on behalf of the slot machine licensee,
4. The name of the person and
entity with whom remote access was established,
5. The date and time remote access was
established and concluded; and,
6. A narrative report that shall describe:
a. Each component of the facility based monitoring system that was accessed; and,
b. Whether the remote access was successful in resolving the issue
described in subparagraph (d)1.
(3) Automated ticket redemption machines are
only to be used for the purpose of accepting, validating and providing payment
for tickets inserted, or converting bills into smaller denominations. Automated
ticket redemption machines shall not incorporate other functions. Automated
ticket redemption machines shall use a communication protocol that shall not
permit the automated ticket redemption machine to write directly to the system
database and only process payments based on commands from the system. Automated
ticket redemption machines shall meet the slot machine hardware requirements
for security and player safety, as set forth in Rules 75-14.022 through
75-14.044, F.A.C.
(4) Automated ticket redemption machines
shall be capable of detecting and displaying the following error conditions:
(a) Power loss or power reset;
(b) Interpretation of communication with the
automated ticket redemption machine;
(c) Cash dispenser empty or timed
out;
(d) RAM error;
(e) Low RAM battery;
(f) Ticket in jam;
(g) Door open;
(h) Bill acceptor stacker full;
(i) Bill acceptor door open;
(j) Bill stacker door open or bill stacker
removed; and,
(k) Printer
errors.
(5) The error
conditions referenced in subsection (4), shall illuminate the tower light
alarm. The automated ticket redemption machine shall be able to recover to its
prior operating condition.
(6) Error conditions listed in paragraphs (4)(a)-(g) and (k), shall require
a slot machine attendant to intervene and clear the error from the automated
ticket redemption machine prior to the resumption of operation.
(7) There shall be a maximum ticket value of $1,199.99 that can be paid by
an automated ticket redemption machine, per individual ticket.
(8) The
automated ticket redemption machine shall maintain the following meters:
(a) A "total in" meter that accumulates the
total value of tickets or vouchers accepted by the automated ticket redemption
machine; and,
(b) A "total out"
meter(s) for payments issued by the machine;
(c) Separate "out meters" shall report the
value of all bills dispensed by denomination.
(9) A log shall be maintained in critical
memory or on a paper log housed within the individual automated ticket
redemption machine that consists of the following:
(a) An event log which shall record the
following information about the ticket redeemed:
1. Date/time of redemption,
2. Amount of ticket; and,
3. At least last 4-digits of validation
number; and,
(b) The
automated ticket redemption machine shall maintain the most recent 35 events in
the event log.
(10) Tickets may only be accepted by the automated ticket redemption machine when:
(a) All communication links are
intact;
(b) Tickets inserted into
an automated ticket redemption machine shall be rejected in the event of a
communication failure; and,
(c)
Payment shall only be made when the ticket is collected and physically housed
within the bill stacker.
(11) A business occupational licensee who
provides maintenance or diagnostic services under this section for a slot
machine licensee by remote access shall maintain a log each time remote access
is provided by a slot machine licensee with a separate entry for each of the
following:
(a) The specific slot machine
licensee;
(b) The name and
occupational license number of the employee of the slot machine licensee who
requested remote access;
(c) The
name and occupational license number of the employee of the slot machine
licensee who established a remote access connection to the business
occupational license, if such employee is different from the employee provided
in paragraph (11)(b);
(d) The name
and occupational license number of the employee of the business occupational
license who provides services to the slot machine licensee by remote
access;
(e) The date and time that
remote access is established; and,
(f) The date and time that remote access is
terminated.
(12) A written report shall be provided by a business occupational licensee that
performs maintenance or diagnostic services under subsection (11) to the
division at the division's office located at the slot machine licensee's
facility to whom services were provided by remote access. The report shall be
postmarked for no less than 24 hours after the remote access has been completed
which shall include:
(a) The reason that
remote access was provided;
(b) The
name of the employee of the slot machine licensee that authorized the
access;
(c) The name of the slot
machine employee who established the remote access on behalf of the slot
machine licensee;
(d) The name of
the person and entity with whom remote access was established;
(e) The date and time remote access was
established and concluded; and,
(f) A narrative report that shall describe:
1. Each component of the facility based monitoring system that was accessed; and,
2. Whether the remote access was successful in resolving the issue
described in subparagraph (2)(d)1.
Notes
Rulemaking Authority 551.103(1), 551.122 FS. Law Implemented 551.103(1)(d), (g), (i) FS.
New 8-13-06, Amended 5-30-17, Formerly 61D-14.074.