Section 210. Security requirements  

A. A distributed pull-tab system computer must be in a locked, secure enclosure with key controls in place.

B. A distributed pull-tab system shall provide a means for terminating the game set if information about electronic pull-tabs in an open game set has been accessed or at the discretion of the department. In such cases, traceability of unauthorized access including time and date, users involved, and any other relevant information shall be available.

C. A distributed pull-tab system shall not permit the alteration of any accounting or significant event information that was communicated from the electronic pull-tab device without supervised access controls. In the event financial data is changed, an automated audit log must be capable of being produced to document the following:

1. Data element altered;

2. Data element value prior to alteration;

3. Data element value after alteration;

4. Time and date of alteration; and

5. Personnel that performed alteration.

D. A distributed pull-tab system must provide password security or other secure means of ensuring data integrity and enforcing user permissions for all system components through the following means:

1. All programs and data files must only be accessible via the entry of a password that will be known only to authorized personnel;

2. The distributed pull-tab system must have multiple security access levels to control and restrict different classes;

3. The distributed pull-tab system access accounts must be unique when assigned to the authorized personnel and shared accounts amongst authorized personnel must not be allowed;

4. The storage of passwords and PINs must be in an encrypted, nonreversible form; and

5. A program or report must be available that will list all registered users on the distributed pull-tab system including their privilege level.

E. All components of a distributed pull-tab system that allow access to users, other than end-users for game play, must have a password sign-on with two-level codes comprising the personal identification code and a personal password.

1. The personal identification code must have a length of at least six ASCII characters; and

2. The personal password must have a minimum length of six alphanumeric characters, which should include at least one nonalphabetic character.

F. A distributed pull-tab system must have the capability to control potential data corruption that can be created by multiple simultaneous log-ons by system management personnel.

1. A distributed pull-tab system shall specify which of the access levels allow for multiple simultaneous sign-ons by different users and which of the access levels do not allow for multiple sign-ons, and, if multiple sign-ons are possible, what restrictions, if any, exist; or

2. If a distributed pull-tab system does not provide adequate control, a comprehensive procedural control document must be drafted for the department's review and approval.

G. Distributed pull-tab system software components/modules shall be verifiable by a secure means at the system level. A distributed pull-tab system shall have the ability to allow for an independent integrity check of the components/modules from an outside source, and an independent integrity check is required for all control programs that may affect the integrity of the distributed pull-tab system. This must be accomplished by being authenticated by a third-party device, which may be embedded within the distributed pull-tab system software or having an interface or procedure for a third-party application to authenticate the component. This integrity check will provide a means for field verification of the distributed pull-tab system components.

H. A distributed pull-tab system may be used to configure and perform security checks on electronic pull-tab devices, provided such functions do not affect the security, integrity, or outcome of any game and meets the requirements set forth in this regulation regarding program storage devices.