Tenn. Comp. R. & Regs. 1350-03-.12 - INFORMATION SYSTEM MINIMUM CONTROLS
(1) Licensees shall verify Sports Gaming Systems daily to ensure the date and time is properly displayed and registered for Wagers made pursuant to Sports Gaming Accounts. Licensees shall Immediately Report any discrepancies to the Council.
(2) Licensee shall implement an Integrity Monitoring System utilizing software to identify irregularities in volume or odds and swings that could signal Unusual or Suspicious Wagering Activities that should require further investigation and shall Immediately Report such findings to the Council.
(3) Sports Gaming Systems shall be designed to only allow Wagers to be created using an authorized Sports Gaming Account.
(4) Sports Gaming Systems shall contain a mechanism to prevent the creation of a Wager before or after the official Wager timeframe (i.e., prior to posting of the Wager and subsequent to the outcome of a Sporting Event or cutoff).
(5) Sports Gaming Systems shall be incapable of voiding a Wager subsequent to the outcome of a Sporting Event or cutoff.
(6) Sports Gaming Systems shall automatically authorize payment of winning Wagers and update a Player's Sports Gaming Account.
(7) Sports Gaming Systems shall be incapable of authorizing payment on a Voided or Cancelled Wager or a Wager that has been previously paid, except in accordance with these Rules.
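As an added illustration (not part of the regulation and not any Licensee's code), the following hypothetical Python model enforces paragraphs (3) through (7) as a Wager lifecycle: only an authorized account may place a Wager, the Wager is checked against posting and cutoff times, voiding is refused once the outcome is known or the cutoff has passed, winning Wagers are paid automatically, and a voided or already-paid Wager is never paid again. All class and method names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

@dataclass
class Market:
    posted_at: datetime            # when the Wager is first offered
    cutoff_at: datetime            # official Wager cutoff
    outcome: Optional[str] = None  # set once the Sporting Event result is known

@dataclass
class Wager:
    account_id: str
    selection: str
    payout: int                    # cents, credited at most once
    state: str = "open"            # open -> won | lost | voided; won -> paid

class SportsGamingSystem:
    # Hypothetical model of the Wager controls in (3)-(7); balances are in cents.
    def __init__(self, authorized_accounts):
        self.balances = {a: 0 for a in authorized_accounts}
        self.wagers = []

    def place_wager(self, account_id, market, selection, payout, now):
        if account_id not in self.balances:            # (3) authorized account only
            raise PermissionError("unauthorized Sports Gaming Account")
        if now < market.posted_at or now >= market.cutoff_at or market.outcome is not None:
            raise ValueError("outside official Wager timeframe")  # (4)
        wager = Wager(account_id, selection, payout)
        self.wagers.append(wager)
        return wager

    def void_wager(self, wager, market, now):          # (5) no void after outcome/cutoff
        if market.outcome is not None or now >= market.cutoff_at or wager.state != "open":
            raise ValueError("cannot void after outcome or cutoff")
        wager.state = "voided"

    def settle_market(self, market, outcome):
        market.outcome = outcome
        for wager in self.wagers:
            if wager.state == "open":
                wager.state = "won" if wager.selection == outcome else "lost"
                if wager.state == "won":
                    self.pay(wager)                    # (6) automatic payment of winners

    def pay(self, wager):
        if wager.state != "won":                       # (7) no voided or double payment
            raise ValueError(f"payment refused for Wager in state {wager.state}")
        self.balances[wager.account_id] += wager.payout
        wager.state = "paid"
```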
(8) Sports Gaming Systems shall be designed to prevent an individual, group of individuals or entity from tampering with or interfering with the operation of Interactive Sports Gaming or Sports Gaming Systems.
(9) Sports Gaming Systems shall be configured to terminate a Player's session, and/or require re-authentication, after a prescribed period of inactivity by the Player not to exceed thirty (30) minutes.
(10) Sports Gaming Systems shall be designed to reasonably ensure the integrity and confidentiality of communications and ensure the proper identification of the sender and receiver of communications. If communications are performed across a public or third-party network, the system shall either encrypt the data packets or utilize a secure communications protocol to ensure the integrity and confidentiality of the transmission.
(11) Confidential and/or sensitive electronic data shall be encrypted while both at rest and in transit using the current standards and methodologies set forth by the National Institute of Standards and Technology (NIST), International Organization for Standardization, and the International Electrotechnical Commission (ISO/IEC), or equivalent standard as approved by the Council. Confidential and/or sensitive electronic data may include, but is not limited to, Player PII and Player banking information.
(12) User authentication to the Sports Gaming Systems and other system components shall be configured consistent with the current standards and methodologies set forth by the NIST, ISO/IEC, or equivalent standard as approved by the Council.
(13) Sports Gaming Systems shall monitor for and Immediately Report to the Licensee and the Council any malfunction or security incident that adversely affects the integrity of critical data or system functionality.
(14) A system event log or series of reports/logs for operating systems (including the database layer and network layer) and applications must be configured to track at least the following events:
(a) Failed login attempts;
(b) Changes to live data files occurring outside of normal program and operating system execution;
(c) Changes to operating system, database, network, and application policies and parameters;
(d) Audit trail of information changed by administrator accounts;
(e) Changes to date/time on master time server;
(f) Significant periods of unavailability of the Sports Gaming System or any critical component of the Sports Gaming System; and
(g) Other significant events.
(15) Sports Gaming Systems shall record and generate daily reports that may be accessed and reviewed by the Council upon request on the following:
(a) Wagers exceeding $10,000;
(b) Futures Wagers;
(c) Sports Gaming Account activity, including Sports Gaming Account number, transaction, and transaction amount. The report must include deposit amounts, withdrawal amounts, winnings, and Wagers made; and
(d) Changes in odds, Wager cutoff times, Event data, or Sporting Event results.
(16) Sports Gaming Account management shall be configured in a manner to ensure the confidentiality and integrity of the Player PII and to protect the Sports Gaming Account from unauthorized use. The following controls surrounding Sports Gaming Accounts must be present at a minimum:
(a) Once a Sports Gaming Account is created, a secure personal identification for the Player authorized to use the Sports Gaming Account shall be established that is reasonably designed to prevent the unauthorized access to, or use of, the Sports Gaming Account by any individual other than the Player for whom the Sports Gaming Account is established;
(b) Controls shall be in place to ensure the strength of Player's passwords;
(c) A Player shall have only one (1) Sports Gaming Account per Licensee;
(d) Player's Sports Gaming Account shall be Immediately suspended, and Player's identification shall be Immediately re-verified upon reasonable suspicion that the Player's identification has been compromised;
(e) Player's Sports Gaming Account shall be disabled after three failed log-in attempts and require Multi-Factor Authentication to recover or reset a password or username;
(f) Multi-Factor Authentication shall be required before allowing a Player to reset the Sports Gaming Account password, update Player PII, withdraw funds, and unlock the Sports Gaming Account;
(g) Players shall be allowed to manage their profiles at all times when logged in regardless of their geographical location; and
(h) A mechanism shall be in place to suspend a Player's Sports Gaming Account in the event that there is suspicion that the Sports Gaming Account has been compromised or used to commit fraud or other illegal activity.
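As an added illustration (not part of the regulation and not any Licensee's code), the following hypothetical Python model combines the account controls of paragraph (9) with (16)(e) and (16)(f): a session is terminated after thirty minutes of inactivity (the rule's upper bound, used here as the limit), an account is disabled after three failed log-in attempts and stays disabled until an unlock backed by Multi-Factor Authentication, and password reset, PII update, withdrawal and unlock all refuse to proceed without MFA. The credential verifier is injected as an assumed callable so that password storage is outside the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

MAX_FAILED_LOGINS = 3                     # (16)(e)
INACTIVITY_LIMIT = timedelta(minutes=30)  # (9): the rule's upper bound, used as the limit
MFA_ACTIONS = {"reset_password", "update_pii", "withdraw", "unlock"}  # (16)(f)

@dataclass
class Account:
    player_id: str
    failed_logins: int = 0
    disabled: bool = False
    last_activity: Optional[datetime] = None   # None means no active session

class AccountManager:
    # Hypothetical model of the account controls in (9), (16)(e) and (16)(f).
    def __init__(self, verify_credential):
        self.verify = verify_credential        # assumed callable(player_id, secret) -> bool

    def login(self, acct, secret, now):
        if acct.disabled:
            return False                       # stays locked until an MFA-backed unlock
        if not self.verify(acct.player_id, secret):
            acct.failed_logins += 1
            if acct.failed_logins >= MAX_FAILED_LOGINS:
                acct.disabled = True           # (16)(e) disable after three failures
            return False
        acct.failed_logins = 0
        acct.last_activity = now
        return True

    def session_active(self, acct, now):
        if acct.last_activity is None:
            return False
        if now - acct.last_activity > INACTIVITY_LIMIT:
            acct.last_activity = None          # (9) terminate the idle session
            return False
        acct.last_activity = now               # activity extends the session
        return True

    def perform(self, acct, action, now, mfa_verified=False):
        if action in MFA_ACTIONS and not mfa_verified:
            raise PermissionError(f"{action} requires Multi-Factor Authentication")  # (16)(f)
        if action == "unlock":                 # unlocking happens without a session
            acct.disabled, acct.failed_logins = False, 0
            return True
        if not self.session_active(acct, now):
            raise PermissionError("no active session; re-authentication required")
        return True
```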
(17) Licensees shall have policies and procedures for all changes to the Sports Gaming System and its related components. Documentation must be created and maintained for all changes to the production environment of the Sports Gaming System and its related components.
(18) The Licensee shall have a documented process for performing and restoring Sports Gaming System back-ups. All backup media must be stored at a secure location offsite. Periodic testing of backup media must be performed to ensure that the Sports Gaming System can be restored in the event of a failure.
(19) The integrity of all geolocation systems used by the Licensee shall be reviewed regularly to ensure it detects and mitigates existing and emerging location fraud risks. Licensee must either (1) provide the Council evidence that the geolocation system is updated to the latest version every 180 days, or (2) provide the Council with access to its geolocation system (or a dashboard or application utilized by the geolocation system Vendor) so that compliance can be independently verified by the Council.
(20) Interactive Sports Gaming may only be conducted over the Internet or through the use of Mobile applications or other digital platforms. The internal controls for the Sports Gaming Systems shall apply to all websites and applications used to provide this functionality.
(21) Additional system specifications and Sports Gaming Systems logging requirements may be specified by the Council through the issuance of technical bulletins in the case of exigent circumstances.
(22) Each Licensee shall Immediately Report to the Council any known violations or incidents of non-compliance with any part of this chapter.
Notes
Authority: T.C.A. §§ 4-49-102, 4-49-106, 4-49-110, 4-49-115, 4-49-122, and 4-49-125.