Administrative Code

Creating a Report: Check the sections you'd like to appear in the report, then use the "Create Report" button at the bottom of the page to generate your report. Once the report is generated you'll then have the option to download it as a pdf, print or email the report.

Virginia Administrative Code
Title 11. Gaming
Agency 15. Charitable Gaming Board
Chapter 40. Charitable Gaming Regulations
10/22/2020

11VAC15-40-490. Security Requirements.

A. A network bingo system shall not permit the alteration of any accounting or significant event information that was communicated from a point-of-sale terminal without supervised access controls. In the event financial data is changed, an automated audit log must be capable of being produced to document the following:

1. Data element altered;

2. Data element value prior to alteration;

3. Data element value after alteration;

4. Time and date of alteration; and

5. Personnel that performed alteration.

B. A network bingo system must provide password security or other secure means of ensuring data integrity and enforcing user permissions for all system components through the following means:

1. All programs and data files must only be accessible via the entry of a password that will be known only to authorized personnel;

2. The network bingo system must have multiple security access levels to control and restrict different classes;

3. The network bingo system access accounts must be unique when assigned to the authorized personnel and shared accounts amongst authorized personnel must not be allowed;

4. The storage of passwords and PINs must be in an encrypted, nonreversible form; and

5. A program or report must be available that will list all registered users on the network bingo system including their privilege level.

C. All components of a network bingo system that allow access to users, other than the player, must have a password sign-on with at least two-level codes comprising the personal identification code and a personal password.

1. The personal identification code must have a length of at least six ASCII characters; and

2. The personal password must have a minimum length of six alphanumeric characters, which should include at least one nonalphabetic character.

D. A network bingo system must have the capability to control potential data corruption that can be created by multiple simultaneous log-ons by system management personnel.

1. A network bingo system shall specify which of the access levels allow for multiple simultaneous sign-ons by different users and which of the access levels do not allow for multiple sign-ons, and if multiple sign-ons are possible, what restrictions, if any, exist; or

2. If a network bingo system does not provide adequate control, a comprehensive procedural control document must be drafted for the department's review and approval.

E. Network bingo system software components/modules shall be verifiable by a secure means at the system level. A network bingo system shall have the ability to allow for an independent integrity check of the components/modules from an outside source and an independent integrity check is required for all control programs that may affect the integrity of the network bingo system. This must be accomplished by being authenticated by a third-party device, which may be embedded within the network bingo system software or having an interface or procedure for a third-party application to authenticate the component. This integrity check will provide a means for field verification of the network bingo system components.

F. A network bingo system may be used to configure and perform security checks on the point-of-sale terminals, provided such functions do not affect the security, integrity, or outcome of any game and meets the requirements set forth in this chapter regarding program storage devices.

Statutory Authority

§ 18.2-340.15 of the Code of Virginia.

Historical Notes

Derived from Volume 33, Issue 04, eff. November 17, 2016.

Website addresses provided in the Virginia Administrative Code to documents incorporated by reference are for the reader's convenience only, may not necessarily be active or current, and should not be relied upon. To ensure the information incorporated by reference is accurate, the reader is encouraged to use the source document described in the regulation.

As a service to the public, the Virginia Administrative Code is provided online by the Virginia General Assembly. We are unable to answer legal questions or respond to requests for legal advice, including application of law to specific fact. To understand and protect your legal rights, you should consult an attorney.