Article 3. System Requirements
11VAC20-20-470. Location of equipment.
All equipment used to perform network bingo must be physically located within the boundaries of the Commonwealth of Virginia.
Statutory Authority
§ 18.2-340.15 of the Code of Virginia.
Historical Notes
Derived from Virginia Register Volume 39, Issue 14, eff. March 29, 2023.
11VAC20-20-480. Communications and network requirements.
A. Where the network bingo system components are linked with one another in a network, communication protocols shall be used that ensure that erroneous data or signals will not adversely affect the operations of any such system components.
B. All data communication shall incorporate error detection and correction schemes to ensure the data is transmitted and received accurately.
C. Connections between all components of the network bingo system shall only be through the use of secure communication protocols that are designed to prevent unauthorized access or tampering, employing Advanced Encryption Standard (AES) or equivalent encryption.
D. A firewall or equivalent hardware device configured to block all inbound and outbound traffic that has not been expressly permitted and is not required for continued use of the network bingo system must exist between the network bingo system and any external point of access.
E. The minimum width (size) for encryption keys is 112 bits for symmetric algorithms and 1024 bits for public keys.
F. There must be a secure method implemented for changing the current encryption key set. It is not acceptable to only use the current key set to encrypt the next set.
G. There must be a secure method in place for the storage of encryption keys. Encryption keys must not be stored without being encrypted themselves.
H. If a wireless network is used, wireless products used in conjunction with any gaming system or system component must meet the following minimum standards:
1. Employ a security process that complies with the Federal Information Processing Standard 140-2 (FIPS 140-2); or
2. Employ an alternative method, as approved by the department.
Statutory Authority
§ 18.2-340.15 of the Code of Virginia.
Historical Notes
Derived from Virginia Register Volume 39, Issue 14, eff. March 29, 2023.
11VAC20-20-490. Backup and recovery.
A. A network bingo system shall have a separate physical medium for securely storing data for the network bingo game, which shall be mirrored in real time by a backup medium.
B. All data required to be available or reported by this chapter must be retained for a period of not less than three years from the close of the fiscal year.
C. All storage of critical data shall utilize error checking and be stored on a nonvolatile physical medium.
D. The database shall be stored on redundant media so that no single failure of any portion of the system would result in the loss or corruption of data.
E. In the event of a catastrophic failure when the network bingo system cannot be restarted in any other way, it shall be possible to reload the network bingo system from the last viable backup point and fully recover the contents of that backup, to consist of at least the following information:
1. All significant events;
2. All accounting information;
3. Auditing information, including all sales and disbursements; and
4. Employee files with access levels.
Statutory Authority
§ 18.2-340.15 of the Code of Virginia.
Historical Notes
Derived from Virginia Register Volume 39, Issue 14, eff. March 29, 2023.
11VAC20-20-500. Security requirements.
A. A network bingo system shall not permit the alteration of any accounting or significant event information that was communicated from a point-of-sale terminal without supervised access controls. In the event financial data is changed, an automated audit log must be capable of being produced to document the following:
1. Data element altered;
2. Data element value prior to alteration;
3. Data element value after alteration;
4. Time and date of alteration; and
5. Personnel that performed alteration.
B. A network bingo system must provide password security or other secure means of ensuring data integrity and enforcing user permissions for all system components through the following means:
1. All programs and data files must only be accessible via the entry of a password that will be known only to authorized personnel;
2. The network bingo system must have multiple security access levels to control and restrict different classes;
3. The network bingo system access accounts must be unique when assigned to the authorized personnel and shared accounts amongst authorized personnel must not be allowed;
4. The storage of passwords and personal identification numbers (PINs) must be in an encrypted, nonreversible form; and
5. A program or report must be available that will list all registered users on the network bingo system, including their privilege level.
C. All components of a network bingo system that allow access to users, other than the player, must have a password sign-on with at least two-level codes comprising the personal identification code and a personal password.
1. The personal identification code must have a length of at least six American Standard Code for Information Interchange (ASCII) characters; and
2. The personal password must have a minimum length of six alphanumeric characters, which should include at least one nonalphabetic character.
D. A network bingo system must have the capability to control potential data corruption that can be created by multiple simultaneous log-ons by system management personnel.
1. A network bingo system shall specify which of the access levels allow for multiple simultaneous sign-ons by different users and which of the access levels do not allow for multiple sign-ons, and if multiple sign-ons are possible, what restrictions, if any, exist; or
2. If a network bingo system does not provide adequate control, a comprehensive procedural control document must be drafted for the department's review and approval.
E. Network bingo system software components or modules shall be verifiable by a secure means at the system level. A network bingo system shall have the ability to allow for an independent integrity check of the components or modules from an outside source and an independent integrity check is required for all control programs that may affect the integrity of the network bingo system. This must be accomplished by being authenticated by a third-party device, which may be embedded within the network bingo system software or having an interface or procedure for a third-party application to authenticate the component. This integrity check will provide a means for field verification of the network bingo system components.
F. A network bingo system may be used to configure and perform security checks on the point-of-sale terminals, provided such functions do not affect the security, integrity, or outcome of any game and meets the requirements set forth in this chapter regarding program storage devices.
Statutory Authority
§ 18.2-340.15 of the Code of Virginia.
Historical Notes
Derived from Virginia Register Volume 39, Issue 14, eff. March 29, 2023.
11VAC20-20-510. Randomization.
A. As used in this section, unless the context requires a different meaning:
1. "Card position" means the first card dealt, second card dealt in sequential order.
2. "Number position" means the first number drawn in sequential order.
B. A network bingo system shall utilize randomizing procedures in the creation of network bingo cards.
C. Any random number generation, shuffling, or randomization of network bingo cards used in connection with a network bingo system must be by use of a random number generation application that has successfully passed standard tests for randomness and unpredictability including:
1. Each card position or number position satisfies the 99% confidence limit using the standard chi-squared analysis. "Chi-squared analysis" is the sum of the ratio of the square difference between the expected result and the observed result to the expected result.
2. Each card position or number position does not produce a significant statistic with regard to producing patterns of occurrences. Each card position or number position will be considered random if it meets the 99% confidence level with regard to the "run test" or any similar pattern testing statistic. The "run test" is a mathematical statistic that determines the existence of recurring patterns within a set of data.
3. Each card position or number position is independently chosen without regard to any other card or number drawn within that game play. This test is the "correlation test." Each pair of card positions or number positions is considered random if it meets the 99% confidence level using standard correlation analysis.
4. Each card position or number position is independently chosen without reference to the same card position or number position in the previous game. This test is the "serial correlation test." Each card position or number position is considered random if it meets the 99% confidence level using standard serial correlation analysis.
Statutory Authority
§ 18.2-340.15 of the Code of Virginia.
Historical Notes
Derived from Virginia Register Volume 39, Issue 14, eff. March 29, 2023.
11VAC20-20-520. Point of sale terminal.
A. A network bingo system may utilize a point-of-sale terminal that is capable of facilitating the sale of network bingo cards. The point of sale may be entirely integrated into a network bingo system or exist as a separate entity.
B. Point-of-sale use is only permissible when the device is linked to an approved network bingo system.
C. If a network bingo system utilizes a point of sale, it shall be capable of printing a receipt for each sale or void. The receipt shall contain the following information:
1. Date and time of the transaction;
2. Dollar value of the transaction;
3. Validation number, if applicable;
4. Quantity of network bingo cards purchased;
5. Transaction number;
6. Point-of-sale identification number or name; and
7. Date and time when the network bingo game will begin.
D. The following point-of-sale report shall be generated on demand. Sales transaction history report shall show all sales and voids by session and include the following information:
1. Date and time of the transaction;
2. Dollar value of the transaction;
3. Quantity of network bingo cards sold;
4. Transaction number;
5. Point of sale identification number or name; and
6. Date and time of the network bingo game.
Statutory Authority
§ 18.2-340.15 of the Code of Virginia.
Historical Notes
Derived from Virginia Register Volume 39, Issue 14, eff. March 29, 2023.
11VAC20-20-530. Game play requirements.
A. Any device that sells network bingo cards shall be clearly labeled so as to inform the public or game worker that no one younger than 18 years of age is allowed to play or redeem a network bingo card.
B. A network bingo provider shall have physical on-site independent supervision while the numbers for a network bingo game are called by a live caller. This independent supervision shall be unbiased in verifying the outcome of the network bingo game and uphold the department's objective of maintaining the highest level of integrity in charitable gaming. A written agreement specifying the terms of any arrangement between the entity or person providing the physical on-site independent supervision and the network bingo provider shall be required prior to any supervision being performed on the network bingo game. This written agreement shall be maintained by the network bingo provider for a minimum of three years from the close of the fiscal year, unless otherwise specified.
C. A network bingo provider shall ensure qualified organizations participating in its network bingo comply with § 18.2-340.28:1 F of the Code of Virginia.
D. A network bingo provider or the live caller shall announce the prize amount and the predetermined pattern to players immediately before the start of the network bingo game. Each location where a qualified organization is selling network bingo cards shall be equipped to visually display the broadcast or signal of the numbers as they are being called by a live caller.
E. Gross receipts from the sale of network bingo cards shall be allocated in the following manner:
1. Up to 50% of such receipts to the organization selling network bingo cards;
2. Up to 50% of gross receipts to the prize pool; and
3. Any remaining amount to the network bingo provider.
However, if the prize pool reaches the maximum prize limitation, then the network bingo provider shall enable the organization to retain those gross receipts normally allocated to the prize pool.
F. All written agreements specifying the terms of any arrangement between the qualified organization and network bingo provider shall be maintained by both parties for a minimum of three years from the close of the fiscal year, unless otherwise specified.
G. Network bingo prizes must be claimed by the player within 30 days of winning the game and if not, the network bingo provider shall roll the unclaimed prize into the prize pool for the next network bingo game. The network bingo provider shall pay the prize by check to the winning player within 30 days. If the outcome of a network bingo game results in multiple winning players, then the prize amount shall be equally divided among them.
H. No single network bingo prize shall exceed the prize limitation set forth in § 18.2-340.28:1 H of the Code of Virginia.
Statutory Authority
§ 18.2-340.15 of the Code of Virginia.
Historical Notes
Derived from Virginia Register Volume 39, Issue 14, eff. March 29, 2023.