Decree No. 208 / 2017 Coll.
Order setting out the scope of the technical parameters for the facilities through which gambling is operated, the requirements for the protection and storage of game data and the technical parameters thereof
Valid
Order
Effective from 14.07.2017
The first 200 of the 227 provisions of this regulation are displayed.
208
DECREE
of 27 June 2017
determining the scope of the technical parameters for the facilities through which gambling is operated, the requirements for the protection and storage of game and financial data and their technical parameters
The Ministry of Finance lays down, pursuant to § 133 (1) (b) of Act No. 186 / 2016 Coll., on gambling:
INTRODUCTORY PROVISIONS
Subject matter
This decree regulates the scope of the technical parameters for the facilities through which gambling is operated, the requirements for the protection and storage of game data and the technical parameters thereof.
GENERAL REQUIREMENTS
Equipment through which gambling is operated
(1) The equipment through which a gambling game is operated subject to authorisation (hereinafter referred to as "the equipment") is composed of a comprehensive set of gambling operator hardware and software that serves to perform activities under Section 5 of the Gaming Act.
(2) The installation must contain a server which is used to manage activities under Section 5 of the Gaming Act and to store financial and gaming data (hereinafter referred to as "the server").
(3) Equipment through which lotteries, bingo, technical game or internet game are operated, in which a win or a loss is decided in whole or in part by chance, must contain a random number generator.
Protection and storage of game and financial data
Unless otherwise provided for in the Gaming Act, the equipment and the gambling operator's method of handling the game and financial data held therein shall comply with the technical requirements of the Information Security Management System set out in Technical Standard CSN ISO / IEC 27001: 2014 Information Technology - Security Techniques - Information Security Management Systems - Requirements.
Server Location
(1) The server must be located in an area which is intended for the location of information and communication technology in continuous operation and ensures stable operation without ambient influences (hereinafter referred to as "data centre").
(2) The gambling operator shall take measures to ensure the physical security of the server
(a) providing protection at the level of the object in which the data centre is located;
(b) preventing unauthorised entry into the data centre;
(c) preventing damage and interference with the data centre; and
(d) preventing damage, theft or misuse of the server or interruption of its operation.
(3) In order to ensure the physical security referred to in paragraph 2, the gambling operator shall use at least:
(a) mechanical means of defence;
(b) electrical signalling equipment;
(c) means limiting the effects of fires;
(d) means limiting the effects of natural events;
(e) entry control systems;
(f) camera systems;
(g) equipment to ensure protection against failure of the supply of electricity; and
(h) equipment to ensure optimum operating conditions.
Random Number Generator
(1) The random number generator, which is the source of randomness in the installation referred to in Section 2 (3), is either a stand-alone part of the device or an integrated part of the server or terminal device. The conditions set out in Section 8 shall apply mutatis mutandis to the identification of a random number generator of the stand-alone type.
(2) The random number generator must be of such a nature that:
(a) the random process of creating the result of the game cannot be influenced; and
(b) the result of the random process
1. is independent of previous results;
2. corresponds in probability to the theoretical probabilities of achieving the various possible results of the gambling game; and
3. is unpredictable without full knowledge of the process of creating the game result, including all settings or initial values.
(3) A random number generator which uses a deterministic algorithm to determine the game result shall:
(a) work with a period of at least 2^64 to ensure that the random process is generated in such a way that, in the case of a particular gambling game, there is no identifiable repetition of the results;
(b) create a sequence of game results based on initial values that are random or unpredictable; and
(c) be an integrated part of a server or terminal device.
(4) A generator of random numbers which uses a physical phenomenon to determine the game result must:
(a) in the case of macroscopic phenomena, in particular dice, a roulette wheel or a draw from a lottery drum, use for the random process of creating the game result objects made of stable material that does not wear out in normal use;
(b) in the case of microscopic phenomena, in particular noise or quantum phenomena, be an integrated part of a server or terminal device.
(5) When creating a game result based on the range of values of the generated sequence of random numbers for further processing of random process results, the software shall be a part of the server or terminal device and it shall be ensured that such processing complies with the requirements for random process result in accordance with paragraph 2.
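Added example, not part of the decree or of any operator's software: a Python sketch of the range-scaling step described in paragraph 5, showing why plain modulo reduction breaks the requirement of paragraph 2 (b) 2 and how rejection sampling restores it. The function names, the 8-bit raw value and the 37-outcome wheel are constructed for illustration.

```python
import secrets
from fractions import Fraction


def modulo_distribution(bits, outcomes):
    """Exact probability of each result when a raw `bits`-wide value is reduced with %."""
    space = 1 << bits
    base, extra = divmod(space, outcomes)
    # The first `extra` results are hit once more often than the rest.
    return [Fraction(base + (1 if k < extra else 0), space) for k in range(outcomes)]


def max_bias(bits, outcomes):
    """Largest deviation of plain modulo scaling from the theoretical 1/outcomes."""
    target = Fraction(1, outcomes)
    return max(abs(p - target) for p in modulo_distribution(bits, outcomes))


def accept(raw, bits, outcomes):
    """Map one raw value to a result, or None if it falls in the incomplete top bucket."""
    space = 1 << bits
    limit = space - (space % outcomes)  # largest multiple of `outcomes` <= space
    return raw % outcomes if raw < limit else None


def scale_unbiased(outcomes, bits=32, source=secrets.randbits):
    """Rejection sampling: redraw until the raw value lies below `limit`."""
    if not 0 < outcomes <= (1 << bits):
        raise ValueError("outcomes must fit in the raw value range")
    while True:
        result = accept(source(bits), bits, outcomes)
        if result is not None:
            return result


def exhaustive_counts(bits, outcomes):
    """Feed every possible raw value once and count accepted results per outcome."""
    counts = [0] * outcomes
    for raw in range(1 << bits):
        result = accept(raw, bits, outcomes)
        if result is not None:
            counts[result] += 1
    return counts


if __name__ == "__main__":
    # Constructed case: 8-bit raw values scaled to a 37-pocket wheel.
    dist = modulo_distribution(8, 37)
    print("modulo: P(0) =", dist[0], " P(36) =", dist[36])
    print("modulo: max bias =", max_bias(8, 37))
    print("rejection: counts per result =", set(exhaustive_counts(8, 37)))
    print("sample draw:", scale_unbiased(37))
```
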
Cryptographic means
Cryptographic algorithms and cryptographic keys meeting the minimum requirements for cryptographic algorithms set out in the Annex to this Regulation shall be used for the transmission and storage of game data and financial data and access to equipment software in order to ensure the integrity and confidentiality of game data, financial data and equipment software.
Preservation of game data and financial data
(1) The installation must use such a mechanism for the storage of game data and financial data so that they cannot be lost. The storage of game data and financial data for the purposes of this decree means the storage and backup of data.
(2) The gambling operator shall, in order to fulfil the obligation referred to in paragraph 1, be obliged to back up the gaming and financial data stored on the server in such a way as to ensure the complete renewal of the game and financial data, in particular to ensure the backup of the game and financial data at a sufficient distance from the data centre or in any other way so that a backup set of financial and game data cannot be lost for the same reason that the game and financial data stored on the server may be lost.
REQUIREMENTS FOR TERMINAL EQUIPMENT OPERATED IN THE GAME AREA
Identification of terminal equipment
(1) The terminal equipment must be marked with a registration mark in accordance with the Decree governing exit documents in the field of gambling (hereinafter referred to as the "registration mark") issued by the authorised person.
(2) The registration mark must be affixed to the front or side of the outer shell of the end device in such a way that it is visible. It must remain legible, unaltered and intact.
(3) The adhesive used to attach the registration mark and the material used to manufacture the registration mark must have characteristics such that the registration mark cannot be removed without damaging it, not even under the influence of weather or other external influences.
(4) If the registration mark becomes illegible or is damaged, the operator of the terminal equipment may operate it for the period strictly necessary for the replacement of the mark, provided that the operator:
(a) requests the authorised person to issue a replacement registration mark; and
(b) indicates all the particulars shown on the registration mark on the terminal device by other appropriate means; paragraph 2 shall apply mutatis mutandis.
(5) Where the terminal equipment contains more than one authorised game position of a technical game, each of them shall be marked from the outside with the serial number shown on the registration mark in such a way that:
(a) there is no doubt as to which of the authorised game positions the marking relates; and
(b) the marking is legible and visible, even if the authorised game position is not operated.
External safety of terminal equipment
(1) Terminal equipment must be such as to prevent forced or otherwise unauthorised entry into the terminal equipment by using a force of such intensity as can reasonably be expected in normal operation.
(2) The end-device shall be equipped with a sensor or other safety device that records an attempt at forced or other unauthorised intrusion into the end-device, disconnecting or affecting the supply or data cable or other influence on its operation. The sensor or other safety device shall also record any authorised inputs to the external locking parts of the terminal device.
(3) When attempting violent or other unauthorised entry into the terminal equipment, disconnecting or affecting power or data cables, or otherwise affecting its operation, the terminal equipment shall be automatically switched to an error state which means a state in which no technical game or other transaction in the user's account is allowed.
(4) If the sensor or safety device no longer indicates the need for a further duration of the fault state, the operation of the terminal device may be automatically restored.
(5) The terminal equipment shall be equipped with a system which, in the event that the operation of the terminal equipment cannot be resumed automatically in accordance with paragraph 4, shall inform the operator of the game area (hereinafter referred to as "the operator") of the continued error. The operation of the terminal device from a continuous fault state may be restored only on the basis of authorised operator intervention. If the error state cannot be corrected without delay, then, on the basis of an authorised intervention by the operator, the winnings shall be paid out to the bettor after verification of their amount on the relevant electronic indicator, and the bettor shall be logged out of his user account; paragraph 3 shall not be affected.
Internal protection of terminal equipment
(1) All parts of the terminal equipment, the handling of which could affect the random process of the game result or the remote transmission of the game result or the storage of game and financial data and their remote transmission to the server, must be located in the inside separately lockable part of the terminal device.
(2) At least the following shall be located in the inside separately lockable part:
(a) software used to control the operation of the terminal equipment;
(b) a random number generator, provided that the device is equipped with it;
(c) software providing the telecommunications data connection to the server;
(d) software to control the display equipment system;
(e) software to manage the banknote and coin storage system; and
(f) banknote and coin storage.
(3) If the terminal device is equipped with a random number generator, the counter systems shall also be located in the inside separately lockable part.
(4) The requirement to be placed in the inside separately lockable part of the terminal equipment referred to in paragraphs 1 to 3 does not apply to the random number generator, which also serves to display the winning combination or other result of the game, and the counter system, if functionally indivisible with the random number generator. Such part of the terminal equipment shall comply with the external security conditions of Section 9.
(5) The banknote and coin storage must be located in an inside separately lockable part intended solely for this purpose.
(6) The internal lockable parts shall be provided with a separate security that meets the conditions of Section 9.
Display equipment
(1) Each game position must be equipped with a screen or other display device.
(2) If the game position is equipped with a touch screen, the screen shall be accurate and shall not contain any hidden or unmarked button or touch point which may affect the game, except in the cases specified in the game plan.
(3) A terminal device which is equipped with a random number generator that simultaneously serves to display a winning combination or other result of a game, or which is equipped with a mechanical or electromechanical part that serves solely to display a winning combination or other result of a game, shall be designed in such a way that the displayed results match the indicators on the game position screen; if they do not match, the end device automatically switches to the fault state.
Telecommunications data connection
(1) Each terminal device must be equipped with a telecommunication data link to the server used for the transmission of game data and financial data for each game position after each game played.
(2) A terminal device which does not contain a random number generator shall be equipped with a telecommunication data link that operates, when transmitting a game result, with a response time of less than 0.3 seconds.
Printing equipment
(1) Each end device must be equipped with a printer or be connected to a printer in such a way that, after pressing a button on the touch screen or on the outer casing of the end device, a document showing the balance on the user account can be printed in the game area.
(2) The document showing the balance on the account must include at least:
(a) identification of the gambling operator;
(b) the designation of the establishment;
(c) the production number of the game position;
(d) player identification;
(e) the date and time of printing; and
(f) the unique identifier of the balance document in the user account.
(3) The end device shall display on the game position screen information that an event or malfunction has occurred that makes printing impossible.
Counter systems
(1) Terminal equipment containing a random number generator shall be equipped with at least two mutually independent counter systems which record the totals of each group of game and financial data intended for storage in the terminal equipment, namely:
(a) electronic; and
(b) electromechanical or pulsed.
(2) The counters must be able to store and display values of at least 7 significant digits. Where a gambling game that is operated through a terminal device allows for the creation of game and financial data that also contain fractions of currency units, the counters shall be able to store and display values of at least 9 significant digits; in the case of electromechanical and pulse counters, a display of values expressed in whole units of at least 7 significant digits is sufficient.
(3) The terminal equipment shall store the data referred to in paragraph 1 in such a way that statistical tests can be carried out at any time to verify the parameters of the terminal equipment or gambling provided for in the Gaming Act.
(4) The totals of the groups of game and financial data intended for storage in the terminal equipment referred to in paragraph 1 shall be:
(a) the number of technical games played,
(b) the sum of bets placed in technical games,
(c) the sum of wins credited to the user account based on the display of the winning combination;
(d) the sum of the funds entered into the technical game terminal
1. cash,
2. non-cash transmission; and
3. on the basis of the balance of funds in the user account,
(e) the sum of the funds paid from the technical game equipment through the operator's authorised person
1. as a balance or part of the balance of the user account; and
2. transferred to the remaining balance in the user account at the time of the check-out from the terminal.
Receipt of banknotes and coins
(1) If the end-devices accept banknotes and coins, they shall be designed in such a way as to protect them against vandalism, abuse or fraudulent activity.
(2) The terminal device shall be able to determine the direction and speed of the banknote or coin when inserted into the device. If the banknote or coin is not inserted in the normal way, the end device shall be automatically switched to the fault state.
(3) All banknotes and coins received must be stored in the storage of banknotes and coins in the terminal.
(4) The value of each banknote and coin received must be displayed immediately on the balance indicator in the user account. Where the operator of a technical game, using safe and reliable methods, allows funds to be deposited on the user account by cashless payment, the first sentence shall also apply to the funds thus received.
(5) The terminal device shall not allow the insertion of banknotes or coins, or shall refuse and return the banknotes and coins inserted, if it is out of operation or in an error state.
(6) The end device shall display on the game position screen information that an event or defect has occurred that makes it impossible to receive the banknote or coin.
TRANSITIONAL AND FINAL PROVISIONS
This Decree was notified in accordance with Directive (EU) 2015 / 1535 of the European Parliament and of the Council of 9 September 2015 on the procedure for the provision of information in the field of technical and information society services, as amended.
The gambling operator operating on the basis of a permit pursuant to Act No. 202 / 1990 Coll., as effective before the date of entry into force of the Gambling Act, which is obliged to operate this gambling game under the Gambling Act, is obliged to comply with the technical parameters for equipment, the requirements for the protection and retention of game and financial data and their technical parameters under this Decree no later than one year after the date of entry into force of the Gambling Act.
EFFECTIVE
This decree shall take effect on the day of its publication.
Minister:
Ing. Pilný v. r.
Annex to Decree No. 208 / 2017 Coll.
Minimum requirements for cryptographic algorithms
I. Symmetric algorithms
(a) Block and stream ciphers for confidentiality and integrity protection
1. Advanced Encryption Standard (AES) using key lengths of 128, 192 and 256 bits; Triple Data Encryption Standard (3DES) using a key length of 168 bits, limited use with a key load of less than 10 GB, gradually switch to AES,
2. Triple Data Encryption Standard (3DES) using a key length of 112 bits, limited use only with a key load of less than 10 MB, gradually switch to AES. It is recommended to use a unique key for each message,
3. Blowfish using a minimum key length of 128 bits, limited use with a key load of less than 10 GB,
4. Kasumi using a key length of 128 bits, limited use with a key load of less than 10 GB,
5. Twofish using key length 128 to 256 bits,
6. Serpent using key length 128, 192, 256 bits,
7. Camellia using key lengths 128, 192 and 256 bits,
8. Snow 2.0, Snow 3G using key length 128, 256 bits.
(b) Encryption modes with integrity protection
1. CCM,
2. EAX,
3. OCB,
4. Composite schemes of the "Encrypt-then-MAC" type.
Note:
Schemes of the "Encrypt-then-MAC" type shall use only the listed encryption modes for encryption and only the listed integrity protection modes for calculation of the MAC.
(c) Encryption modes
1. CTR,
2. OFB,
3. CBC,
4. CFB.
Note:
The CBC and CFB modes shall be used with a random initialization vector that is unpredictable to an attacker; when using the OFB mode, the initialization vector value shall not be repeated for the given key; when using the CTR mode, the counter value shall not be repeated for the given key; if the CBC mode is used to encrypt without integrity protection, resistance to attacks on the CBC mode shall be verified.
(d) Modes for the protection of integrity
1. HMAC,
2. CBC-MAC-X9.19, restricted use with a load of less than 10^9 MAC,
3. CBC-MAC-EMAC,
4. CMAC.
II. Asymmetric algorithms
(a) For electronic signature technology
1. Digital Signature Algorithm (DSA) using a key length of 2048 bits or more and a cyclic subgroup parameter length of 224 bits or more,
2. Elliptic Curve Digital Signature Algorithm (EC-DSA) using a key length of 224 bits or more,
3. Rivest-Shamir-Adleman Probabilistic Signature Scheme (RSA-PSS) using a key length of 2048 bits or more.
(b) For key agreement processes and key encryption
1. Diffie-Hellman (DH) using a key length of 2048 bits or more and a cyclic subgroup parameter length of 224 bits or more,
2. Elliptic Curve Diffie-Hellman (ECDH) using the length of 224 bits keys and more,
Regulation Information
| Citation | Decree No. 208 / 2017 Coll., determining the scope of the technical parameters for the facilities through which gambling is operated, the requirements for the protection and storage of game and financial data and their technical parameters |
|---|---|
| Regulation Type | Order |
| Author | - |
| Collection | Code of Laws |
| Date of Promulgation | 14.07.2017 |
| Effective from | 14.07.2017 |
| Effective until | - |
| Status | Valid |
The regulation text is for informational purposes only.