20160203-IR-068150084FRA Adds 68 IAC 25 concerning limited mobile gaming systems and devices. Effective 30 days after filing with the Publisher.  

  • TITLE 68 INDIANA GAMING COMMISSION

    Final Rule
    LSA Document #15-84(F)

    DIGEST

    Adds 68 IAC 25 concerning limited mobile gaming systems and devices. Effective 30 days after filing with the Publisher.



    SECTION 1. 68 IAC 25 IS ADDED TO READ AS FOLLOWS:

    ARTICLE 25. LIMITED MOBILE GAMING


    Rule 1. General Provisions


    68 IAC 25-1-1 Applicability

    Authority: IC 4-33-4; IC 4-35-4
    Affected: IC 4-33; IC 4-35

    Sec. 1. (a) This article applies to casino licensees and casino license applicants.

    (b) An MGD is an electronic gaming device and subject to 68 IAC 2-6 to the extent applicable.

    (c) Limited mobile gaming is server-based gaming and subject to 68 IAC 2-6.5 to the extent applicable.
    (Indiana Gaming Commission; 68 IAC 25-1-1; filed Jan 7, 2016, 8:21 a.m.: 20160203-IR-068150084FRA)


    68 IAC 25-1-2 Purpose

    Authority: IC 4-33-4; IC 4-35-4
    Affected: IC 4-33; IC 4-35

    Sec. 2. The purpose of the LMGS rules is to ensure the following:
    (1) Limit the area of LMGS play to authorized gaming areas within the casino.
    (2) Limit the MGD's communication to dedicated casino servers.
    (3) Protect access to the LMGS to only approved MGDs.
    (4) Maintain the public's confidence in regulation and the assurance of heightened integrity and in accordance with IC 4-33, IC 4-35, and this title.
    (Indiana Gaming Commission; 68 IAC 25-1-2; filed Jan 7, 2016, 8:21 a.m.: 20160203-IR-068150084FRA)


    68 IAC 25-1-3 Definitions

    Authority: IC 4-33-4; IC 4-35-4
    Affected: IC 4-33; IC 4-35

    Sec. 3. The definitions in 68 IAC 1 and the following definitions apply throughout this article:
    (1) "Authorized gaming area" means the area approved and authorized by the commission to conduct limited mobile gaming.
    (2) "Authorized independent gaming laboratory" has the meaning set forth in 68 IAC 2-6-1.
    (3) "Cashless wagering system" or "CWS" means a host system whereby a player maintains an electronic account on the casino's host database that allows the play of MGDs through the use of a login and personal identification number (PIN).
    (4) "Client terminal" means a device that is used to interact with a gaming system for the purpose of conducting server-based gaming activity. In the context of LMGS, the MGD functions as the client terminal.
    (5) "Critical components" means hardware and software required to conduct limited mobile gaming. Critical components do not include the MGD acting as a display only.
    (6) "Data library" has the meaning set forth in 68 IAC 2-6.5-1 and specifically refers to the software on the gaming server.
    (7) "Dormant account" means a limited mobile gaming player account that has had no patron activity for a period of one (1) year.
    (8) "Gaming server" means the server that contains game software and control programs. In the context of LMGS, the limited mobile gaming server functions as the gaming server.
    (9) "Geo-fence" means a virtual space controlled through a short-range communications protocol such as Wi-Fi. This space corresponds to a physical area or gaming area within the casino.
    (10) "GLI Standard #26" means the Gaming Laboratories International's Standard 26 - Wireless System Standards.
    (11) "IT" means information technology.
    (12) "Limited mobile gaming" means the placing of wagers through a wireless server-based gaming system using a computer network through which the casino licensee may offer authorized games to patrons who have established a limited mobile gaming player account with the casino licensee and who are physically present within the defined property boundaries as approved by the commission pursuant to IC 4-33-9-17 and IC 4-35-7-1.5.
    (13) "Limited mobile gaming player account" means an account established by a casino licensee that a patron may use for the deposit and withdrawal of funds used for limited mobile gaming.
    (14) "Limited mobile gaming system" or "LMGS" has the meaning set forth in IC 4-33-2-13.3 and IC 4-35-2-7.5.
    (15) "Media access control address" or "MAC address" means a unique identifier assigned to network interfaces for communications on the physical network segment. For Wi-Fi, MAC addresses are used as a network address.
    (16) "Mobile gaming device" or "MGD" has the meaning set forth in IC 4-33-2-13.5 and IC 4-35-2-7.7.
    (17) "Peer-to-peer gaming" means gaming in which patrons compete against one another.
    (18) "Server-based gaming" means gaming activity conducted via a client terminal where the outcome of a game is determined by a random number generator maintained on a server.
    (19) "Server-based gaming system" or "SBGS" means hardware, software, and communications that make up a system utilized for the purpose of offering electronic versions of authorized casino games where material aspects of game functionality occur at the server level.
    (20) "System administrator" means the IT department personnel responsible for the administration of the LMGS.
    (21) "Technology provider" means the vendor, supplier, or manufacturer of one (1) or more components of an LMGS.
    (22) "Verification" means a method used by a gaming system or device to verify the validity of software of critical components.
    (23) "Wi-Fi" means wireless fidelity which serves as the communication backbone for a wireless network.
    (Indiana Gaming Commission; 68 IAC 25-1-3; filed Jan 7, 2016, 8:21 a.m.: 20160203-IR-068150084FRA)


    68 IAC 25-1-4 Deviation from provisions

    Authority: IC 4-33-4; IC 4-35-4
    Affected: IC 4-33; IC 4-35

    Sec. 4. The executive director or the executive director's designee may approve deviations from the provisions of this title upon written request by the person directly affected by the procedure or requirement if the executive director or the executive director's designee determines that the:
    (1) procedure or requirement is impractical or burdensome; and
    (2) alternative means of satisfying the procedure or requirement:
    (A) fulfill the purpose of the rule;
    (B) are in the best interests of the public and gaming in Indiana; and
    (C) do not violate IC 4-33 or IC 4-35.
    (Indiana Gaming Commission; 68 IAC 25-1-4; filed Jan 7, 2016, 8:21 a.m.: 20160203-IR-068150084FRA)


    68 IAC 25-1-5 Violation of article

    Authority: IC 4-33-4; IC 4-35-4
    Affected: IC 4-33; IC 4-35

    Sec. 5. If the commission determines that a casino licensee or casino license applicant has violated this article, the commission may initiate an investigation and disciplinary action under 68 IAC 13.
    (Indiana Gaming Commission; 68 IAC 25-1-5; filed Jan 7, 2016, 8:21 a.m.: 20160203-IR-068150084FRA)


    Rule 2. Internal Control Procedures


    68 IAC 25-2-1 Submission and approval, amendments and emergency procedures of internal control procedures

    Authority: IC 4-33-4; IC 4-35-4
    Affected: IC 4-33; IC 4-35

    Sec. 1. The internal control procedures in this article are subject to the following:
    (1) Submission and approval procedures contained within 68 IAC 11-1-3.
    (2) Amendment procedures contained within 68 IAC 11-1-4.
    (3) Emergency procedures contained within 68 IAC 11-1-5.
    (Indiana Gaming Commission; 68 IAC 25-2-1; filed Jan 7, 2016, 8:21 a.m.: 20160203-IR-068150084FRA)


    68 IAC 25-2-2 Technical standards

    Authority: IC 4-33-4; IC 4-35-4
    Affected: IC 4-33; IC 4-35

    Sec. 2. (a) Casino licensees are required to maintain industry technical standards regarding limited mobile gaming.

    (b) To the extent applicable, casino licensees shall meet or exceed the technical standards provided in GLI Standard #26, which is hereby incorporated by reference. The incorporated document (Version 2.0, released February 24, 2015) is available for public view at www.gaminglabs.com/gli-standards, and copies may be obtained by request mailed to the offices of the Indiana Gaming Commission at 101 West Washington Street, East Tower-Suite 1600, Indianapolis, IN 46204 and does not include any later amendments or editions.

    (c) In the event of a conflict between GLI 26 and this article, this article shall prevail.
    (Indiana Gaming Commission; 68 IAC 25-2-2; filed Jan 7, 2016, 8:21 a.m.: 20160203-IR-068150084FRA)


    Rule 3. LMGS Components and Location


    68 IAC 25-3-1 Limited mobile gaming play

    Authority: IC 4-33-4; IC 4-35-4
    Affected: IC 4-33; IC 4-35

    Sec. 1. Limited mobile gaming may only be played in the authorized gaming area approved by the commission.
    (Indiana Gaming Commission; 68 IAC 25-3-1; filed Jan 7, 2016, 8:21 a.m.: 20160203-IR-068150084FRA)


    68 IAC 25-3-2 LMGS component inventory

    Authority: IC 4-33-4; IC 4-35-4
    Affected: IC 4-33; IC 4-35

    Sec. 2. (a) The casino licensee must include the LMGS components within the inventory required by 68 IAC 2-6-6, including the following:
    (1) Hardware and software under the control and responsibility of the technology provider, the casino licensee, and the commission.
    (2) Access to hardware or software granted to the casino licensee or technology provider through contracts with third party providers.

    (b) The LMGS inventory shall be divided into controlled components, as described in section 6 of this rule, and noncontrolled components and shall include the following information:
    (1) Identification information for each component, including the following at a minimum:
    (A) The serial number assigned to the MGD by the manufacturer.
    (B) The name of the manufacturer of the component.
    (C) The physical location of the component.
    (D) Whether vendor support will be needed to maintain the component.
    (2) Documentation of the current topology of the LMGS in the form of network diagrams that illustrate the physical and logical connections between the components of the system.
    (3) Wireless network configuration parameters, including, but not limited to, the following:
    (A) Addresses.
    (B) Host name.
    (C) Service set identification.
    (D) Encryption.
    (E) Related parameter setting.
    (Indiana Gaming Commission; 68 IAC 25-3-2; filed Jan 7, 2016, 8:21 a.m.: 20160203-IR-068150084FRA)


    68 IAC 25-3-3 LMGS data library

    Authority: IC 4-33-4; IC 4-35-4
    Affected: IC 4-33; IC 4-35

    Sec. 3. The casino licensee must include approved data files within the electronic repository pursuant to 68 IAC 2-6.5-3.
    (Indiana Gaming Commission; 68 IAC 25-3-3; filed Jan 7, 2016, 8:21 a.m.: 20160203-IR-068150084FRA)


    68 IAC 25-3-4 LMGS system architecture

    Authority: IC 4-33-4; IC 4-35-4
    Affected: IC 4-33; IC 4-35

    Sec. 4. (a) The system of internal controls of the casino licensee shall, at a minimum, describe the following components of the LMGS:
    (1) LMGS components that record, store, process, share, transmit or retrieve sensitive player information, including but not limited to authentication information and limited mobile gaming player account balances.
    (2) LMGS components that generate, transmit, or process random numbers used to determine the outcome of games or virtual events.
    (3) LMGS components that store the results or the current state of a player's wager.
    (4) Points of entry to and exit from the above systems.
    (5) Communication networks that transmit sensitive player information.

    (b) Networks serving the LMGS and its components shall be segregated into security domains based on a risk assessment of the functions performed on each network. The risk assessment shall include, but is not limited to the following:
    (1) The devices and software deployed on each network, including but not limited to, wireless devices, database servers, voice over IP devices, and remote desktop capability.
    (2) The value and classification of the information stored or processed in the network.
    (3) The access control policy and access requirements for the applications on the network.
    (4) Any other requirements imposed by the executive director or the executive director's designee.

    (c) The boundaries between networks having different security domains shall be secured from outside traffic. Systems shall be configured to detect and report security-related events at security domain boundaries.

    (d) The architecture shall support the use of layered access controls to applications running on the network.
    (Indiana Gaming Commission; 68 IAC 25-3-4; filed Jan 7, 2016, 8:21 a.m.: 20160203-IR-068150084FRA)


    68 IAC 25-3-5 MGDs

    Authority: IC 4-33-4; IC 4-35-4
    Affected: IC 4-33; IC 4-35

    Sec. 5. MGDs and critical components that perform the equivalent tasks in the LMGS are subject to 68 IAC 2-6, to the extent applicable, except the following:
    (1) The location of MGDs listed on the electronic gaming device inventory required pursuant to 68 IAC 2-6-6 must designate the location of MGDs as either checked out to gaming players or within the secured storage area for inactive MGDs.
    (2) The surge protectors required pursuant to 68 IAC 2-6-13(a) shall be required only if MGD charging is permitted by the patron.
    (3) The electronic and electromechanical meters and key switch required pursuant to 68 IAC 2-6-9(a) and 68 IAC 2-6-9(d) may be housed on the LMGS server.
    (Indiana Gaming Commission; 68 IAC 25-3-5; filed Jan 7, 2016, 8:21 a.m.: 20160203-IR-068150084FRA)


    68 IAC 25-3-6 Identification of controlled components for the LMGS

    Authority: IC 4-33-4; IC 4-35-4
    Affected: IC 4-33; IC 4-35

    Sec. 6. (a) The casino licensee shall use the LMGS inventory to identify hardware and software components that are used in the operation of the LMGS and shall generate a separate register of controlled components. The authorized independent gaming laboratory that certifies the LMGS will identify the critical files in the software that must form part of the register of controlled components.

    (b) Items in the register of controlled components shall have:
    (1) a unique code;
    (2) a version number; and
    (3) an identification characteristic;
    sufficient to ensure that the internal audit department will be able to inspect some or all components at a given time and determine whether they have deviated from the approved version.

    (c) A member of the IT department will be assigned responsibility to oversee and perform the installation of items in the register of configurable assets.

    (d) Only the components identified in the LMGS inventory, including the MGDs, and approved by the executive director or the executive director's designee may be used within the LMGS.

    (e) Personal devices may not be used to access the LMGS.
    (Indiana Gaming Commission; 68 IAC 25-3-6; filed Jan 7, 2016, 8:21 a.m.: 20160203-IR-068150084FRA)


    68 IAC 25-3-7 Logging of system changes

    Authority: IC 4-33-4; IC 4-35-4
    Affected: IC 4-33; IC 4-35

    Sec. 7. (a) The LMGS is subject to the requirements of 68 IAC 2-6.5-4 for changes that affect game play or control programs on an LMGD.

    (b) Logging of system changes performed by the casino licensee shall be enabled on databases and shall record at a minimum the following:
    (1) The identity of the user making changes.
    (2) The date and time of the modification.
    (3) The state of the data prior to the change.
    (4) The state of the data after the change.
    (Indiana Gaming Commission; 68 IAC 25-3-7; filed Jan 7, 2016, 8:21 a.m.: 20160203-IR-068150084FRA)


    68 IAC 25-3-8 Exception reports

    Authority: IC 4-33-4; IC 4-35-4
    Affected: IC 4-33; IC 4-35

    Sec. 8. (a) Exception reports shall track events including, but not limited to, the following:
    (1) Adjustments to an authorized player's limited mobile gaming player account balance.
    (2) Changes made to information recorded in an authorized player's limited mobile gaming player account.
    (3) Voids, overrides, and corrections.
    (4) Irrecoverable loss of patron-related data.
    (5) Significant periods of system unavailability.
    (6) Mandatory deactivation of an authorized player by the casino licensee.
    (7) Any other activity requiring employee intervention and occurring outside of the normal scope of system operation.

    (b) Exception reports produced for the LMGS for the events listed in subsection (a) shall include at a minimum the following:
    (1) Date and time of the exception event.
    (2) Unique transaction identifier.
    (3) Identification of user who performed or authorized alteration.
    (4) Data or parameter altered.
    (5) Data or parameter value prior to alteration.
    (6) Data or parameter value after alteration.
    (7) The reason the alteration was made.
    (Indiana Gaming Commission; 68 IAC 25-3-8; filed Jan 7, 2016, 8:21 a.m.: 20160203-IR-068150084FRA)


    68 IAC 25-3-9 Internal controls

    Authority: IC 4-33-4; IC 4-35-4
    Affected: IC 4-33; IC 4-35

    Sec. 9. The casino licensee must submit internal control procedures for the following:
    (1) Maintaining the LMGS inventory.
    (2) Ensuring the verification process required by 68 IAC 2-6.5-6 for the LMGS components in the production environment are identical to those approved by the executive director or the executive director's designee.
    (3) Securing LMGS components.
    (4) Accurately accounting for MGDs in addition to the applicable electronic gaming device internal control procedures contained within 68 IAC 2-6.
    (Indiana Gaming Commission; 68 IAC 25-3-9; filed Jan 7, 2016, 8:21 a.m.: 20160203-IR-068150084FRA)


    Rule 4. LMGS Security and Surveillance


    68 IAC 25-4-1 Physical and environmental security of LMGS equipment

    Authority: IC 4-33-4; IC 4-35-4
    Affected: IC 4-33; IC 4-35

    Sec. 1. (a) The location hosting the gaming server used in association with the LMGS, or that provides redundant facilities for these functions, must be approved by the executive director or the executive director's designee and located in the server room within the confines of an approved location described in IC 4-33 or IC 4-35.

    (b) Critical components of the LMGS are to be maintained in secure areas protected by appropriate entry controls to ensure that only authorized personnel are allowed access.

    (c) Secure areas where LMGSs are developed, accessed, or maintained shall have physical protection and work guidelines designed and applied.

    (d) An uninterruptible power supply to support orderly close down or continuous running shall be supplied for equipment supporting critical business operations.

    (e) The physical and environmental security of the LMGS must meet the requirements as outlined in GLI Standard #26.
    (Indiana Gaming Commission; 68 IAC 25-4-1; filed Jan 7, 2016, 8:21 a.m.: 20160203-IR-068150084FRA)


    68 IAC 25-4-2 Intrusion detection

    Authority: IC 4-33-4; IC 4-35-4
    Affected: IC 4-33; IC 4-35

    Sec. 2. (a) Casino licensees shall utilize an intrusion detection system (IDS) in conjunction with an LMGS. The IDS shall be capable of generating an audit trail report reflecting unauthorized attempts to access the wireless network or a connected MGD. At a minimum, the IT department shall review the audit trail report on a weekly basis. Irregular detections must be noted on the report and shall be reported to the executive director or the executive director's designee. The audit trail report is signed and dated by the person reviewing the report.

    (b) Antivirus software shall be deployed on the LMGS to mitigate attacks from known viruses. Logs shall be stored of all virus encounters.

    (c) The IDS shall be deployed on the LMGS, and the resulting logs shall be securely stored.

    (d) Critical components of the LMGS are to be operational in order for the system to operate. The LMGS shall detect and record information regarding the failure or nonoperation of a component within the system. A log of this event shall be generated.

    (e) Audit logs from critical system components and software shall be maintained and shall include the following:
    (1) Authorized access, including the following:
    (A) The user identification.
    (B) The date and time of key events.
    (C) The types of events.
    (D) The files accessed.
    (E) The programs or utilities used.
    (2) System alerts or failures, including the following:
    (A) Console alerts or messages.
    (B) System log exceptions.
    (C) Changes to the date or time on the network time server.
    (D) Network management alarms.
    (E) Alarms raised by the access control system.
    (3) Changes to, or attempts to change, system security settings and controls.
    (Indiana Gaming Commission; 68 IAC 25-4-2; filed Jan 7, 2016, 8:21 a.m.: 20160203-IR-068150084FRA)


    68 IAC 25-4-3 Reporting requirements related to system security

    Authority: IC 4-33-4; IC 4-35-4
    Affected: IC 4-33; IC 4-35

    Sec. 3. (a) On a weekly basis, daily system event logs shall be reviewed by internal audit personnel. System event logs shall be maintained for a minimum of seven (7) days following the review.

    (b) The review shall provide reasonable assurance of the following:
    (1) Users are only performing activities that have been explicitly authorized.
    (2) Possible threats facing the LMGS are being assessed.

    (c) Evidence of the review of system event logs is to be maintained for one (1) year. The evidence is to include at a minimum the following:
    (1) Date and time of review.
    (2) Name and title of person performing the review.
    (3) The system event log reviewed.
    (4) Any exceptions, follow-up, and resolution of exceptions.
    (Indiana Gaming Commission; 68 IAC 25-4-3; filed Jan 7, 2016, 8:21 a.m.: 20160203-IR-068150084FRA)


    68 IAC 25-4-4 Network security

    Authority: IC 4-33-4; IC 4-35-4
    Affected: IC 4-33; IC 4-35

    Sec. 4. (a) Networks serving an LMGS and its components shall be secure from outside traffic, and systems shall be configured to detect and report security-related events.

    (b) Network shared drives containing application files and data for the LMGS shall be secured such that only authorized personnel may gain access.

    (c) Login accounts and passwords required to administer network and other equipment shall be secured such that only authorized IT personnel may gain access to these devices. The passwords for these accounts shall meet minimum required security parameters, and accounts shall be immediately disabled when IT personnel are terminated.

    (d) The casino licensee shall mask the service set identification of the LMGS network to ensure that it is not available for broadcast to the public.
    (Indiana Gaming Commission; 68 IAC 25-4-4; filed Jan 7, 2016, 8:21 a.m.: 20160203-IR-068150084FRA)


    68 IAC 25-4-5 Surveillance

    Authority: IC 4-33-4; IC 4-35-4
    Affected: IC 4-33; IC 4-35

    Sec. 5. (a) The LMGS is subject to the security and surveillance rules contained within 68 IAC 12. In the event of a conflict between 68 IAC 12 and this article, the provisions outlined in this article shall prevail.

    (b) The surveillance system must provide an overall view of the LMGS gaming area capable of clearly identifying the following:
    (1) LMGS casino employees at the LMGS registration.
    (2) Facial view of a patron registering for a limited mobile gaming player account with sufficient clarity to allow identification of the patron.
    (3) Facial view of a patron checking out or checking in an MGD with sufficient clarity to allow identification of the patron.
    (4) The amount deposited into a limited mobile gaming player account.
    (5) Points of ingress to and egress from the LMGS gaming area.

    (c) The surveillance system must include cameras dedicated to monitoring the registration area where the MGDs are stored prior to being checked out.

    (d) The surveillance system must include cameras dedicated to monitoring points of access to the room housing the LMGS servers.

    (e) The surveillance system must include cameras dedicated to monitoring points of access to any other location where MGDs are stored.
    (Indiana Gaming Commission; 68 IAC 25-4-5; filed Jan 7, 2016, 8:21 a.m.: 20160203-IR-068150084FRA)


    68 IAC 25-4-6 MGD movement

    Authority: IC 4-33-4; IC 4-35-4
    Affected: IC 4-33; IC 4-35

    Sec. 6. The movement of MGDs is subject to 68 IAC 17-1.
    (Indiana Gaming Commission; 68 IAC 25-4-6; filed Jan 7, 2016, 8:21 a.m.: 20160203-IR-068150084FRA)


    68 IAC 25-4-7 Internal controls

    Authority: IC 4-33-4; IC 4-35-4
    Affected: IC 4-33; IC 4-35

    Sec. 7. The casino licensee must submit internal controls to maintain all aspects of security, including the following:
    (1) Procedures to handle different types of security incidents, including the following:
    (A) System failures and loss of service.
    (B) Malicious code detection.
    (C) Denial of service.
    (D) Errors resulting from incomplete or inaccurate business data.
    (E) Breaches of confidentiality or integrity.
    (F) Misuse of information systems.
    (2) In addition to the normal contingency plans, these internal controls shall include the following:
    (A) Analysis and cause of the security incident.
    (B) Containment.
    (C) Planning and implementation of corrective action to prevent recurrence.
    (D) Communication with those affected by or involved with recovery from the security incident.
    (E) Reporting of the action to the executive director or the executive director's designee.
    (3) Action to recover from security breaches and correct system failures shall be carefully and formally controlled; the procedures shall ensure the following:
    (A) Only clearly identified and authorized personnel are allowed access to live systems and data.
    (B) Emergency actions taken are documented in detail.
    (C) Emergency action is reported to management and reviewed in an orderly manner.
    (D) The integrity of business systems and controls is confirmed with minimal delay.
    (4) Testing the integrity of the LMGS on an ongoing basis.
    (Indiana Gaming Commission; 68 IAC 25-4-7; filed Jan 7, 2016, 8:21 a.m.: 20160203-IR-068150084FRA)


    Rule 5. Access to LMGS


    68 IAC 25-5-1 Access controls

    Authority: IC 4-33-4; IC 4-35-4
    Affected: IC 4-33; IC 4-35

    Sec. 1. The LMGS, including application software, shall be secured through the use of passwords, biometrics, or other suitable means.
    (Indiana Gaming Commission; 68 IAC 25-5-1; filed Jan 7, 2016, 8:21 a.m.: 20160203-IR-068150084FRA)


    68 IAC 25-5-2 Access privileges and password requirements

    Authority: IC 4-33-4; IC 4-35-4
    Affected: IC 4-33; IC 4-35

    Sec. 2. (a) The system administrator shall establish, revise, and deactivate user accounts as follows:
    (1) Application functions for a user shall be limited to the user's current job responsibilities.
    (2) User accounts shall be disabled upon employee termination or change in employee job responsibilities that no longer require access to the LMGS within twenty-four (24) hours of termination or change.

    (b) Security parameters for passwords shall, at a minimum, meet industry technical standards.
    (Indiana Gaming Commission; 68 IAC 25-5-2; filed Jan 7, 2016, 8:21 a.m.: 20160203-IR-068150084FRA)


    68 IAC 25-5-3 Remote access by non-casino employees

    Authority: IC 4-33-4; IC 4-35-4
    Affected: IC 4-33; IC 4-35

    Sec. 3. (a) The casino licensee shall request approval from the executive director or the executive director's designee for instances of remote access at least twenty-four (24) hours before access is requested. The request shall include the following:
    (1) The LMGS components requiring vendor support and the name of the licensed supplier.
    (2) The purpose for remote access.

    (b) Remote access shall be restricted to support or updates and include only the applications and databases that are necessary.

    (c) In the event an emergency exists, the casino licensee shall contact the commission office on property for authorization.
    (Indiana Gaming Commission; 68 IAC 25-5-3; filed Jan 7, 2016, 8:21 a.m.: 20160203-IR-068150084FRA)


    68 IAC 25-5-4 Remote access reports and LMGS component logs

    Authority: IC 4-33-4; IC 4-35-4
    Affected: IC 4-33; IC 4-35

    Sec. 4. (a) An instance of remote access to the LMGS components shall be automatically logged by network access components when a remote access is established. At a minimum, the log must include the following:
    (1) Name of user account through which the system was accessed.
    (2) Date, time, and duration of the access.

    (b) A complete log of remote access must be created by the casino licensee and include at a minimum the following:
    (1) Commission staff authorization.
    (2) Name or identifier of the system administrator that requested remote access.
    (3) Name of licensed supplier.
    (4) Name and license number of licensed supplier employee that accessed the LMGS.
    (5) System components accessed by the licensed supplier employee.
    (6) Detailed description of work performed.
    (7) Date, time, and duration of access.
    (Indiana Gaming Commission; 68 IAC 25-5-4; filed Jan 7, 2016, 8:21 a.m.: 20160203-IR-068150084FRA)


    68 IAC 25-5-5 Maintenance of the LMGS

    Authority: IC 4-33-4; IC 4-35-4
    Affected: IC 4-33; IC 4-35

    Sec. 5. (a) System documentation for in-use components of the LMGS shall be maintained.

    (b) The casino licensee shall document the responsibilities of the IT department for the maintenance of the components of the LMGS. The documentation shall include the following:
    (1) The roles of IT personnel in performing routine and non-routine maintenance on the components of the LMGS.
    (2) The source of procedures for performing routine maintenance activities.
    (3) The records of the maintenance activities required to be kept.

    (c) LMGS equipment shall be correctly maintained to ensure its continued availability and integrity.

    (d) Documentation records shall be kept for one (1) year.
    (Indiana Gaming Commission; 68 IAC 25-5-5; filed Jan 7, 2016, 8:21 a.m.: 20160203-IR-068150084FRA)


    68 IAC 25-5-6 Internal controls

    Authority: IC 4-33-4; IC 4-35-4
    Affected: IC 4-33; IC 4-35

    Sec. 6. The casino licensee must submit internal controls for the following:
    (1) Access privileges to the LMGS that includes, but is not limited to the following:
    (A) Access to a component of the LMGS shall be configured to prevent the transfer of personally identifiable information outside of the casino.
    (B) Access shall be continuously monitored by the casino licensee.
    (2) Subsequent to an authorized use by a licensed supplier, the account shall be returned to a disabled state on all operating systems, databases, network devices, and applications until needed by such licensed supplier and approved by the executive director or the executive director's designee.
    (3) Remote access to the LMGS and its components for purposes of licensed supplier support must include the following:
    (A) The method and procedures used to gain access remotely, including the use of passwords and other logical controls, and commission staff observation.
    (B) The procedures to be used by the IT department to further control and monitor access and to ensure that licensed suppliers have only the limited access needed to perform authorized support and update functions.
    (Indiana Gaming Commission; 68 IAC 25-5-6; filed Jan 7, 2016, 8:21 a.m.: 20160203-IR-068150084FRA)


    Rule 6. Storage, Maintenance, Replacement, and Disposal of MGDs


    68 IAC 25-6-1 Storage of MGDs

    Authority: IC 4-33-4; IC 4-35-4
    Affected: IC 4-33; IC 4-35

    Sec. 1. (a) MGDs shall be stored where they will be secured, remain under surveillance, and be individually logged by the registration number assigned by the executive director or the executive director's designee.

    (b) IT will associate the MGD's MAC address to the gaming server via the network.

    (c) MGDs will be tracked and stored by an individual active sequential inventory control number.

    (d) The MGD's MAC address shall become active only when the MGD is distributed to a patron and linked with the patron's limited mobile gaming player account. As active MGDs are distributed, the inventory control number of the device will be electronically noted in the limited mobile gaming player account until the device is returned.

    (e) Surplus inventory will be stored and logged by a unique MAC address in a separate locked area of the casino.

    (f) Stored MGDs will be inactive and restricted from the server.

    (g) MGD security shall ensure the following:
    (1) MGDs are not operational beyond the confines of the geo-fence.
    (2) Surveillance of the authorized gaming area points of ingress and egress is maintained.
    (3) A valid limited mobile gaming player account is a prerequisite for checking out a device.
    (4) Signage is prominently displayed at the casino to indicate the boundaries of the authorized gaming areas.
    (5) MGD splash screens provide for electronic acknowledgement of official rules for LMGS.
    (6) MGD becomes inactive after fifteen (15) minutes of inactivity.
    (7) Stolen or lost MGDs are marked as disabled.
    (Indiana Gaming Commission; 68 IAC 25-6-1; filed Jan 7, 2016, 8:21 a.m.: 20160203-IR-068150084FRA)


    68 IAC 25-6-2 Repair of MGDs

    Authority: IC 4-33-4; IC 4-35-4
    Affected: IC 4-33; IC 4-35

    Sec. 2. (a) Active MGDs that are not working or that have a malfunction that cannot be immediately addressed by dispatched IT technicians will be marked for repair on the active MGD log.

    (b) Casino IT shall disassociate the MAC address of the MGD in need of repair with the server so the device is inactive during repair.

    (c) As MGDs are repaired, the MAC address will be re-associated with the server, the active device log will be updated, and the active device will be placed back into active service.
    (Indiana Gaming Commission; 68 IAC 25-6-2; filed Jan 7, 2016, 8:21 a.m.: 20160203-IR-068150084FRA)


    68 IAC 25-6-3 Replacement of MGDs

    Authority: IC 4-33-4; IC 4-35-4
    Affected: IC 4-33; IC 4-35

    Sec. 3. (a) If an MGD needs to be replaced, casino IT will complete a destruction form.

    (b) Commission gaming agents, surveillance, and security shall be notified by IT to witness destruction of the device.

    (c) Casino IT will disassociate the MAC address of the MGD in need of replacement via the network and reassociate a new MGD from the surplus stock.

    (d) The active device log shall be updated, the destruction form filed, and the new active MGD will go into service assuming the same inventory control number and docking slot as the replaced device.
    (Indiana Gaming Commission; 68 IAC 25-6-3; filed Jan 7, 2016, 8:21 a.m.: 20160203-IR-068150084FRA)


    68 IAC 25-6-4 Secure disposal or reuse of MGDs

    Authority: IC 4-33-4; IC 4-35-4
    Affected: IC 4-33; IC 4-35

    Sec. 4. (a) LMGS equipment containing storage media shall be checked to ensure that sensitive data and licensed software has been removed or securely overwritten prior to disposal or reuse in a separate area of the business.

    (b) Storage media shall be disposed of securely and safely when no longer required.

    (c) A record of the disposal of equipment or media shall be kept in the LMGS inventory.
    (Indiana Gaming Commission; 68 IAC 25-6-4; filed Jan 7, 2016, 8:21 a.m.: 20160203-IR-068150084FRA)


    68 IAC 25-6-5 Internal controls

    Authority: IC 4-33-4; IC 4-35-4
    Affected: IC 4-33; IC 4-35

    Sec. 5. The casino licensee must submit internal controls to ensure the following:
    (1) Malfunctioning MGDs are removed from active service and repaired without affecting the LMGS.
    (2) Repaired MGDs are returned to active service without affecting the LMGS.
    (3) MGDs permanently removed from service shall be destroyed or disposed of according to a plan approved by the executive director or the executive director's designee.
    (Indiana Gaming Commission; 68 IAC 25-6-5; filed Jan 7, 2016, 8:21 a.m.: 20160203-IR-068150084FRA)


    Rule 7. Enforcement of Authorized Gaming Area for the LMGS Using a Geo-Fence


    68 IAC 25-7-1 Enforcement of authorized gaming area of LMGS

    Authority: IC 4-33-4; IC 4-35-4
    Affected: IC 4-33; IC 4-35

    Sec. 1. (a) The play of games on the LMGS will be restricted to an authorized gaming area as approved by the executive director or the executive director's designee.

    (b) The LMGS shall employ a location tracking component to track the physical location of each MGD within the authorized gaming area.

    (c) If the system detects that the physical location of the MGD is outside the authorized gaming area, the LMGS shall not accept wagers and shall disable the MGD for play until such time that the MGD is returned to the authorized gaming area.

    (d) MGDs will only be allowed to connect to the LMGS within this defined authorized gaming area. The wireless network will have Wi-Fi geo-fence technology to ensure the devices do not operate outside of this allowed footprint.

    (e) The area will be monitored by the surveillance department via video cameras to further ensure adherence to the authorized gaming areas of LMGS-based play.

    (f) Only MGDs authorized by the executive director or the executive director's designee shall be permitted to establish communications with the LMGS.
    (Indiana Gaming Commission; 68 IAC 25-7-1; filed Jan 7, 2016, 8:21 a.m.: 20160203-IR-068150084FRA)


    68 IAC 25-7-2 MGD tracking

    Authority: IC 4-33-4; IC 4-35-4
    Affected: IC 4-33; IC 4-35

    Sec. 2. (a) MGDs shall incorporate a location tracking component to track the location of each MGD to detect when a device has been transported out of the authorized gaming area.

    (b) The location tracking component shall provide the surveillance department with the location of an MGD within the authorized gaming area.

    (c) When a device is removed from the authorized gaming area, the LMGS shall disable a current gaming or casino licensee session associated with that device.

    (d) A casino licensee may hold an MGD for a patron subject to the requirements of 68 IAC 10-1-1.2.
    (Indiana Gaming Commission; 68 IAC 25-7-2; filed Jan 7, 2016, 8:21 a.m.: 20160203-IR-068150084FRA)


    Rule 8. LMGS Session Requirements


    68 IAC 25-8-1 Player and game session requirements

    Authority: IC 4-33-4; IC 4-35-4
    Affected: IC 4-33; IC 4-35

    Sec. 1. (a) Prior to establishing a player session, the LMGS must be able to authenticate the authorized player requesting to establish a session using the following:
    (1) an electronic authentication created when the limited mobile gaming player account was established; and
    (2) a login/password.

    (b) If the LMGS is unable to reasonably authenticate the authorized player after three (3) consecutive attempts, the MGD must do the following:
    (1) indicate on the MGD screen that the player must take the MGD to the casino attendant to reset the MGD; and
    (2) disable all wagering.

    (c) Upon establishing a new player session, the LMGS must notify the authorized player of the last time the account was logged in.
    (Indiana Gaming Commission; 68 IAC 25-8-1; filed Jan 7, 2016, 8:21 a.m.: 20160203-IR-068150084FRA)


    68 IAC 25-8-2 Activation for the LMGS

    Authority: IC 4-33-4; IC 4-35-4
    Affected: IC 4-33; IC 4-35

    Sec. 2. In addition to 68 IAC 2-6 and 68 IAC 2-6.5, casino licensees shall ensure that the following requirements are met with respect to theme activation:
    (1) MGDs shall not contain logic utilized to generate the result of a game. All critical functions, including the generation of a game outcome, shall be generated by the LMGS game server.
    (2) MGDs must not be capable of conducting a gaming activity if disconnected from the LMGS or if communication with the LMGS is severed.
    (3) MGDs must not be used to store sensitive data or system information.
    (4) MGDs must not automatically alter client-specific firewall rules to open ports that are otherwise blocked by a hardware or software firewall.
    (5) MGDs shall not access ports that are not required for client or server communications.
    (6) MGDs must not be able to transfer data to other wireless clients except in peer-to-peer gaming or other executive director or executive director designee approved functions.
    (7) Nongame-related functionality supported by MGDs must not impact the gaming data integrity and must be approved by the executive director or the executive director's designee.
    (8) Game outcome must not be impaired by:
    (A) bandwidth;
    (B) link utilization;
    (C) bit error rate; or
    (D) other communication characteristics that exist between MGDs and the LMGS server.
    (9) Individual par sheets for a game must be kept on file and accessible to the executive director or the executive director's designee before the MGD can be released for play.
    (Indiana Gaming Commission; 68 IAC 25-8-2; filed Jan 7, 2016, 8:21 a.m.: 20160203-IR-068150084FRA)


    68 IAC 25-8-3 Session termination

    Authority: IC 4-33-4; IC 4-35-4
    Affected: IC 4-33; IC 4-35

    Sec. 3. The LMGS must be able to terminate a game or player session under the following conditions and notify the player of the termination:
    (1) An authorized player voluntarily terminates the session.
    (2) An authorized player fails authentication during a game or player session.
    (3) A user-inactivity timeout is reached.
    (4) The LMGS is unable to verify the connection status of an authorized player after a reasonable number of attempts.
    (5) A limit of the limited mobile gaming player account has been reached.
    (6) The casino licensee manually terminates the session.
    (7) The executive director or the executive director's designee requests termination.
    (8) Any other reason as determined by the executive director or the executive director's designee.
    (Indiana Gaming Commission; 68 IAC 25-8-3; filed Jan 7, 2016, 8:21 a.m.: 20160203-IR-068150084FRA)


    68 IAC 25-8-4 Authorized games for the LMGS

    Authority: IC 4-33-4; IC 4-35-4
    Affected: IC 4-33; IC 4-35

    Sec. 4. Only games authorized by 68 IAC 1-16-4 and 68 IAC 2-6-22 are permitted.
    (Indiana Gaming Commission; 68 IAC 25-8-4; filed Jan 7, 2016, 8:21 a.m.: 20160203-IR-068150084FRA)


    Rule 9. Documentation Requirements for LMGS


    68 IAC 25-9-1 System documentation

    Authority: IC 4-33-4; IC 4-35-4
    Affected: IC 4-33; IC 4-35

    Sec. 1. (a) For the base LMGS, the following documentation shall be available upon request by the executive director or the executive director's designee:
    (1) A list of individual games hosted or offered on the LMGS.
    (2) An all-inclusive functional description of the LMGS.

    (b) For games that run on the LMGS, the following documentation must be available:
    (1) Game name.
    (2) Game version numbers.
    (3) Paytable identification numbers.
    (4) Detailed game rules, including options and bonus features.
    (5) Detailed breakdown of paytables, payouts, and mapped symbols present in the game.
    (6) A list of active devices currently installed on the server.

    (c) Game rules shall be available for inspection upon request by a patron.
    (Indiana Gaming Commission; 68 IAC 25-9-1; filed Jan 7, 2016, 8:21 a.m.: 20160203-IR-068150084FRA)


    68 IAC 25-9-2 Logging for prior games

    Authority: IC 4-33-4; IC 4-35-4
    Affected: IC 4-33; IC 4-35

    Sec. 2. For an individual game played, the following information shall be recorded, maintained, and easily demonstrable by the LMGS:
    (1) Unique player identification.
    (2) Contributions to progressive jackpot pools.
    (3) Game status.
    (4) The paytable used.
    (5) Game identifier and version.
    (6) The date and time the game started and ended.
    (7) The display associated with the final outcome of the game, either graphically or via a clear text message.
    (8) Total player cash or credits at start and end of play.
    (9) Total amount bet.
    (10) Total cash or credits won for the prize.
    (11) The results of player choices involved in the game outcome.
    (12) Results of intermediate game phases.
    (13) Amount of promotional awards received.
    (Indiana Gaming Commission; 68 IAC 25-9-2; filed Jan 7, 2016, 8:21 a.m.: 20160203-IR-068150084FRA)


    68 IAC 25-9-3 Transaction logging of limited mobile gaming player accounts

    Authority: IC 4-33-4; IC 4-35-4
    Affected: IC 4-33; IC 4-35

    Sec. 3. The casino licensee must maintain and back up a log of limited mobile gaming player account activity.
    (Indiana Gaming Commission; 68 IAC 25-9-3; filed Jan 7, 2016, 8:21 a.m.: 20160203-IR-068150084FRA)


    Rule 10. Service Interruptions


    68 IAC 25-10-1 Unrecoverable malfunctions

    Authority: IC 4-33-4; IC 4-35-4
    Affected: IC 4-33; IC 4-35

    Sec. 1. The casino licensee's LMGS terms and conditions must clearly define its policies in respect of unrecoverable malfunctions of gambling hardware or software including components of the LMGS.
    (Indiana Gaming Commission; 68 IAC 25-10-1; filed Jan 7, 2016, 8:21 a.m.: 20160203-IR-068150084FRA)


    68 IAC 25-10-2 Game disabling

    Authority: IC 4-33-4; IC 4-35-4
    Affected: IC 4-33; IC 4-35

    Sec. 2. The casino licensee shall have the ability to disable any game or game session without unfair impact on the patron. The casino licensee shall provide full audit trails when disabling a game that is currently in play.
    (Indiana Gaming Commission; 68 IAC 25-10-2; filed Jan 7, 2016, 8:21 a.m.: 20160203-IR-068150084FRA)


    68 IAC 25-10-3 Inactivity timeout

    Authority: IC 4-33-4; IC 4-35-4
    Affected: IC 4-33; IC 4-35

    Sec. 3. The casino licensee shall implement a user inactivity timeout that automatically logs the patron out or ends the patron's session, or both, after a fifteen (15) minute period of inactivity.
    (Indiana Gaming Commission; 68 IAC 25-10-3; filed Jan 7, 2016, 8:21 a.m.: 20160203-IR-068150084FRA)


    68 IAC 25-10-4 Completion of interrupted game

    Authority: IC 4-33-4; IC 4-35-4
    Affected: IC 4-33; IC 4-35

    Sec. 4. (a) An interruption of a game may occur as a result of, but not limited to, the following:
    (1) Loss of communications between LMGS network and player MGD.
    (2) System restart condition.
    (3) Game disablement.
    (4) MGD restart.
    (5) Abnormal termination of gambling application on MGD.

    (b) For single stage games, the LMGS shall ensure that the patron can view the outcome.

    (c) For multiple stage games, the LMGS shall ensure that all game play transactions for incomplete games provide a method for the patron to either:
    (1) complete the game if further patron input is required to complete the game; or
    (2) view the outcome if further patron input is not required to complete the game.

    (d) The casino licensee must ensure patron fairness, to the extent possible, in the event of a communication loss to one (1) or more MGDs during a multi-patron game, if applicable.

    (e) Game rules must provide for situations where the casino licensee loses connectivity with the patron device.
    (Indiana Gaming Commission; 68 IAC 25-10-4; filed Jan 7, 2016, 8:21 a.m.: 20160203-IR-068150084FRA)


    68 IAC 25-10-5 Internal controls

    Authority: IC 4-33-4; IC 4-35-4
    Affected: IC 4-33; IC 4-35

    Sec. 5. The casino licensee must submit internal controls to ensure that service interruptions are fairly handled.
    (Indiana Gaming Commission; 68 IAC 25-10-5; filed Jan 7, 2016, 8:21 a.m.: 20160203-IR-068150084FRA)


    Rule 11. Administration of Limited Mobile Gaming Player Accounts


    68 IAC 25-11-1 Registration of authorized player

    Authority: IC 4-33-4; IC 4-35-4
    Affected: IC 4-33; IC 4-35

    Sec. 1. (a) Before allowing or accepting wagers from a patron to engage in limited mobile gaming, a casino licensee must register the individual as an authorized player and create a limited mobile gaming player account for the patron.

    (b) A casino licensee may register a patron as an authorized player only if the patron provides the casino licensee with the following information:
    (1) A government issued identification.
    (2) The patron's date of birth showing that the individual is at least twenty-one (21) years of age.
    (3) The physical address where the patron resides.

    (c) Before registering a patron as an authorized player, the casino licensee must have the patron affirm the following:
    (1) That the information provided to the casino licensee by the patron to register is accurate.
    (2) That the patron has reviewed and acknowledged access to the house rules and terms and conditions for limited mobile gaming.
    (3) That the patron has been informed and has acknowledged that, as an authorized player, the patron is prohibited from allowing another person access to or use of his or her limited mobile gaming player account or MGD.

    (d) Before registering a patron as an authorized player, the casino licensee must confirm that the patron is not:
    (1) an excluded person pursuant to 68 IAC 6-1; or
    (2) a voluntarily excluded person pursuant to 68 IAC 6-3.
    (Indiana Gaming Commission; 68 IAC 25-11-1; filed Jan 7, 2016, 8:21 a.m.: 20160203-IR-068150084FRA)


    68 IAC 25-11-2 Limited mobile gaming player accounts

    Authority: IC 4-33-4; IC 4-35-4
    Affected: IC 4-33; IC 4-35

    Sec. 2. (a) A casino licensee shall record and maintain the following in relation to a limited mobile gaming player account:
    (1) The date and time the limited mobile gaming player account is opened and terminated.
    (2) The date and time the limited mobile gaming player account is logged into or is logged out of.

    (b) The casino licensee shall ensure that a patron registered as an authorized player holds only one (1) limited mobile gaming player account with the casino licensee.

    (c) A casino licensee shall not set up anonymous limited mobile gaming player accounts or accounts in fictitious names.

    (d) Funds may be deposited by an authorized player into a limited mobile gaming player account as follows:
    (1) Cash, as defined in 68 IAC 1-1-12, deposited directly with the casino licensee.
    (2) Cash equivalents, as defined in 68 IAC 1-1-13, deposited directly with the casino licensee.

    (e) Limited mobile gaming player account credits may be made by the following means:
    (1) Deposits.
    (2) Amounts won by an authorized player.
    (3) Promotional credits, or bonus credits provided by the casino licensee and subject to the terms of use established by the casino licensee and as long as such credits are clearly identified as such.
    (4) Adjustments made by the casino licensee following the resolution of a dispute.

    (f) Limited mobile gaming player account debits may be made by the following means:
    (1) Amounts wagered by an authorized player.
    (2) Purchases of limited mobile gaming related merchandise and services requested by an authorized player.
    (3) Withdrawals.
    (4) Transfers to safekeeping or front money accounts held by the casino licensee.
    (5) Adjustments made by the casino licensee following the resolution of a dispute.
    (6) Debits as otherwise approved by the executive director or the executive director's designee.

    (g) Unless there is a pending unresolved player dispute or investigation, a casino licensee shall comply with a request for a withdrawal of funds by an authorized player from the limited mobile gaming player account within a reasonable amount of time.

    (h) A casino licensee shall not allow an authorized player to transfer funds to another authorized player.

    (i) The language of an agreement, including, but not limited to, house rules or terms and conditions, used between a casino licensee and its authorized players pertaining to limited mobile gaming and authorized players' access to the limited mobile gaming player account shall be submitted to the executive director or the executive director's designee for approval. The casino licensee shall not allow or engage in limited mobile gaming until such agreement is approved by the executive director or the executive director's designee.

    (j) A casino licensee shall ensure that an authorized player has the ability, through the limited mobile gaming player account, to select responsible gambling options that include the following without limitation:
    (1) Loss limits establishing the net loss that can occur within a specified period of time.
    (2) Deposit limits establishing the amount of total deposits an authorized player can make to the limited mobile gaming player account within a specified period of time.
    (3) Tournament limits establishing the total dollar amount of tournament entries an authorized player can purchase within a specified period of time.
    (4) Play time limits establishing the total amount of time available for play during a specified period of time.

    (k) Nothing in this article prohibits a casino licensee from closing a limited mobile gaming player account and precluding further limited mobile gaming by an authorized player pursuant to the terms of the agreements between the casino licensee and an authorized player.
    (Indiana Gaming Commission; 68 IAC 25-11-2; filed Jan 7, 2016, 8:21 a.m.: 20160203-IR-068150084FRA)


    68 IAC 25-11-3 Limited mobile gaming player account adjustments

    Authority: IC 4-33-4; IC 4-35-4
    Affected: IC 4-33; IC 4-35

    Sec. 3. Adjustments to limited mobile gaming player accounts shall be authorized by supervisory personnel.
    (Indiana Gaming Commission; 68 IAC 25-11-3; filed Jan 7, 2016, 8:21 a.m.: 20160203-IR-068150084FRA)


    68 IAC 25-11-4 Control of patron funds

    Authority: IC 4-33-4; IC 4-35-4
    Affected: IC 4-33; IC 4-35

    Sec. 4. (a) Transactions must be identifiable and maintained in a system audit log.

    (b) A deposit into a limited mobile gaming player account must not be available for gambling until such time as the transaction has been approved by the appropriate issuing authority except in the case of cash deposits. This authorization must be maintained in a system audit log.

    (c) Casino licensees must provide information to patrons about whether the casino licensee protects patron funds and the methods it uses to do so and about how it deals with unclaimed funds from dormant accounts.
    (Indiana Gaming Commission; 68 IAC 25-11-4; filed Jan 7, 2016, 8:21 a.m.: 20160203-IR-068150084FRA)


    68 IAC 25-11-5 Limited mobile gaming player account statements

    Authority: IC 4-33-4; IC 4-35-4
    Affected: IC 4-33; IC 4-35

    Sec. 5. The casino licensee shall provide an account statement with account details to a patron on demand. The account statement shall include detailed account activity for a defined time period. Information to be provided shall include, at a minimum, the following:
    (1) Deposits to the limited mobile gaming player account.
    (2) Withdrawals from the limited mobile gaming player account.
    (3) Lifetime win or loss totals.
    (4) The current account balance.
    (5) The self-imposed limit history, if applicable.
    (Indiana Gaming Commission; 68 IAC 25-11-5; filed Jan 7, 2016, 8:21 a.m.: 20160203-IR-068150084FRA)


    68 IAC 25-11-6 Deactivated or suspended limited mobile gaming player accounts

    Authority: IC 4-33-4; IC 4-35-4
    Affected: IC 4-33; IC 4-35

    Sec. 6. A casino licensee shall notify the limited mobile gaming player account holder via electronic mail, regular mail, or other method approved by the executive director or the executive director's designee, whenever the limited mobile gaming player account has been deactivated or placed in a suspended mode. Such notification shall include the restrictions placed on the account and further course of action needed to remove the restriction.
    (Indiana Gaming Commission; 68 IAC 25-11-6; filed Jan 7, 2016, 8:21 a.m.: 20160203-IR-068150084FRA)


    68 IAC 25-11-7 Internal controls

    Authority: IC 4-33-4; IC 4-35-4
    Affected: IC 4-33; IC 4-35

    Sec. 7. The casino licensee must submit internal controls for the following:
    (1) Registering authorized players to engage in limited mobile gaming.
    (2) Identifying and verifying authorized players to prevent those who are not authorized players from engaging in limited mobile gaming.
    (3) Ensuring compliance related to child support obligors pursuant to IC 4-33-4-27 and IC 4-35-4-16.
    (4) Protecting and ensuring confidentiality of authorized players' limited mobile gaming player accounts.
    (5) Issuing, modifying, and resetting a patron's limited mobile gaming player account password, personal identification number, or other approved security feature, where applicable.
    (6) Promoting responsible limited mobile gaming.
    (Indiana Gaming Commission; 68 IAC 25-11-7; filed Jan 7, 2016, 8:21 a.m.: 20160203-IR-068150084FRA)


    Rule 12. Limited Mobile Gaming Player Account Security


    68 IAC 25-12-1 Authorized limited mobile gaming player account access

    Authority: IC 4-33-4; IC 4-35-4
    Affected: IC 4-33; IC 4-35

    Sec. 1. (a) An LMGS shall utilize sufficient security to ensure patron access is appropriately limited to the account holder. Security measures shall include the following:
    (1) Personal identification number.
    (2) Password or other access security feature.
    (3) Two (2) or more challenge questions.
    (4) Password expiration every quarter.

    (b) The LMGS shall utilize a secure method of data transfer approved by the executive director or the executive director's designee for communications that contain the following:
    (1) Patron account numbers.
    (2) User identification.
    (3) Passwords.
    (4) Personal identification numbers.
    (Indiana Gaming Commission; 68 IAC 25-12-1; filed Jan 7, 2016, 8:21 a.m.: 20160203-IR-068150084FRA)


    Rule 13. Cashless Wagering System


    68 IAC 25-13-1 Integration of external CWS with the LMGS

    Authority: IC 4-33-4; IC 4-35-4
    Affected: IC 4-33; IC 4-35

    Sec. 1. For an internal or external CWS, the following applies:
    (1) The CWS must communicate acceptance, partial acceptance, or rejection of wagers placed through play of games on the LMGS.
    (2) When the CWS determines the cost of the wager, there is a positive confirmation sequence in place to ensure the following:
    (A) Enabling the patron to accept the wager cost.
    (B) Confirming there are enough funds in the patron's limited mobile gaming player account to meet the wager cost.
    (3) If the patron accepts the wager, the CWS shall complete the following actions:
    (A) Debit the patron's limited mobile gaming player account in the amount equal to the cost of the wager.
    (B) Retain the funds as a pending transaction.
    (C) Log details of the cost of the wager.
    (4) If the patron cancels the wager, the CWS shall complete the following actions:
    (A) Communicate acknowledgement of acceptance or rejection of the cancellation request to the patron.
    (B) Log details of the cancellation request.
    (5) When the result is entered and confirmed, the CWS shall transfer the winning wager placed from the LMGS back to the LMGS with the amount of the win.
    (6) Upon receiving the CWS win confirmation, the LMGS shall update the patron's limited mobile gaming player account with the winning amount, less required withholding amount.
    (Indiana Gaming Commission; 68 IAC 25-13-1; filed Jan 7, 2016, 8:21 a.m.: 20160203-IR-068150084FRA)


    68 IAC 25-13-2 Internal controls

    Authority: IC 4-33-4; IC 4-35-4
    Affected: IC 4-33; IC 4-35

    Sec. 2. The casino licensee must submit internal control procedures to ensure that LMGS accounting records and procedures meet the requirements in 68 IAC 15-1, including, but not limited to, the following:
    (1) Tax required to be paid by the casino licensee pursuant to IC 4-33 and IC 4-35.
    (2) Jackpots.
    (Indiana Gaming Commission; 68 IAC 25-13-2; filed Jan 7, 2016, 8:21 a.m.: 20160203-IR-068150084FRA)


    Rule 14. Unauthorized Play


    68 IAC 25-14-1 Unauthorized player wagers

    Authority: IC 4-33-4; IC 4-35-4
    Affected: IC 4-33; IC 4-35

    Sec. 1. (a) Wagering by an individual that is not the registered player account holder assigned to the particular MGD, regardless of permission by the player account holder, is void.

    (b) Winnings related to wagers by a nonregistered player account holder are forfeited.

    (c) The forfeited winnings will be withheld by the casino licensee and remitted to the commission. The commission shall collect the winnings. The registered player account holder may appeal a forfeiture under this rule by following the procedures outlined in 68 IAC 7.
    (Indiana Gaming Commission; 68 IAC 25-14-1; filed Jan 7, 2016, 8:21 a.m.: 20160203-IR-068150084FRA)


    68 IAC 25-14-2 Internal controls

    Authority: IC 4-33-4; IC 4-35-4
    Affected: IC 4-33; IC 4-35

    Sec. 2. The casino licensee shall implement appropriate internal controls to identify and prohibit the following existing limited mobile gaming player accounts from placing a wager:
    (1) Voluntarily excluded patrons.
    (2) Patrons on the exclusion list.
    (3) Patrons with deactivated accounts.
    (4) Patrons with suspended accounts.
    (Indiana Gaming Commission; 68 IAC 25-14-2; filed Jan 7, 2016, 8:21 a.m.: 20160203-IR-068150084FRA)


    LSA Document #15-84(F)
    Notice of Intent: 20150408-IR-068150084NIA
    Proposed Rule: 20150708-IR-068150084PRA
    Hearing Held: August 20, 2015
    Approved by Attorney General: December 22, 2015
    Approved by Governor: January 6, 2016
    Filed with Publisher: January 7, 2016, 8:21 a.m.
    Documents Incorporated by Reference: Gaming Laboratories International, Standard Series, GLI 26: Wireless Systems Standard, Version 2.0, February 24, 2015
    Small Business Regulatory Coordinator: Michelle Baldwin, Deputy General Counsel, Indiana Gaming Commission, 101 West Washington Street, Suite 1600-East, Indianapolis, IN 46204, (317) 233-8527, mbaldwin@igc.in.gov

    Posted: 02/03/2016 by Legislative Services Agency

    DIN: 20160203-IR-068150084FRA
    Composed: Nov 01,2016 2:09:49AM EDT
    A PDF version of this document.