58 Pa. Code § 1407a.5

Current through Register Vol. 54, No.43, October 26, 2024
Section 1407a.5 - Self-service kiosks and point of sale system requirements
(a) Self-service kiosks and point of sale devices shall have an identification badge affixed to the exterior of the device by the manufacturer. The identification badge shall not be removable without leaving evidence of tampering. This badge shall include all of the following minimum information:
(1) The complete name of the manufacturer or some appropriate abbreviation for same.
(2) A unique serial number.
(3) The self-service kiosk or point of sale device model number.
(4) The date of manufacture.
(b) Self-service kiosks and point of sale devices shall meet all of the following basic hardware requirements:
(1) Identification for any printed circuit board (PCB) that impacts the integrity of the self-service kiosk or point of sale device shall include all of the following:
(i) Each PCB shall be clearly identifiable by an alphanumeric identification and, when applicable, a revision number.
(ii) If track cuts, patch wires or other circuit alterations are introduced to the PCB, then a new revision number shall be assigned.
(2) If the self-service kiosk or point of sale device contains switches or jumpers, or both, they shall be fully documented for evaluation by the Board's Office of Gaming Laboratory.
(3) The self-service kiosk or point of sale device shall be designed so that power and data cables into and out of the self-service kiosk or point of sale device can be routed so that they are not accessible to the general public.
(4) Wired communication ports shall be clearly labeled and must be securely housed within the self-service kiosk or point of sale device to prevent unauthorized access to the ports or their associated cable connectors.
(b) Self-service kiosks and point of sale devices shall meet all of the following basic power requirements:
(1) The self-service kiosk and point of sale device shall not be adversely affected, other than resets, by surges or dips of ± 20% of the supply voltage. It is acceptable for the self-service kiosk or point of sale device to reset provided no damage to the equipment or loss or corruption of data is experienced.
(2) The power supply used in a self-service kiosk or point of sale device must be appropriately fused or protected by circuit breakers. The amperage rating of all fuses and circuit breakers must be clearly stated on or near the fuse or the breaker.
(3) An on/off switch that controls the electrical current supplied to the self-service kiosk or point of sale device shall be located in a place which is readily accessible within the interior of the self-service kiosk or point of sale device. The on/off positions of the switch shall be clearly labeled.
(c) Self-service kiosks and point of sale device shall meet all of the following basic security requirements:
(1) A self-service kiosk or point of sale device shall be robust enough to resist forced entry into any secured doors, areas or compartments. In the event that extreme force is applied to the cabinet materials causing a potential breach in self-service kiosk or point of sale device security, evidence of tampering must be conspicuous. "Secured areas" or "secured compartments" shall include the external doors such as the main door, cash compartment doors such as a drop box door, peripheral device access areas, or other sensitive access areas of the self-service kiosk or point of sale device.
(2) The following requirements apply to the self-service kiosk's or point of sale device's external doors:
(i) External doors shall be manufactured of materials that are suitable for allowing only legitimate access to the inside of the self-service kiosk cabinet or point of sale device. Doors and their associated hinges shall be capable of withstanding determined and unauthorized efforts to gain access to the interior of the self-service kiosk or point of sale device and shall leave conspicuous evidence of tampering if an attempt is made.
(ii) The seal between the self-service kiosk cabinet or point of sale device and the door of a locked area shall be designed to resist the entry of objects. It shall not be possible to insert an object into the self-service kiosk or point of sale device that disables a door open sensor when the self-service kiosk's or point of sale device's door is fully closed, without leaving conspicuous evidence of tampering.
(iii) External doors shall be secure and support the installation of locks.
(iv) Doors that provide access to secure areas of the self-service kiosk or point of sale device shall be monitored by a door access detection system.
(A) The detection system shall register a door as being open when the door is moved from its fully closed and locked position, provided power is supplied to the self-service kiosk or point of sale device.
(B) When any door that provides access to a secured area or secured compartment registers as open, the self-service kiosk or point of sale device shall cease wagering operations and display an appropriate error message.
(d) Self-service kiosks and point of sale devices shall meet all of the following basic critical nonvolatile memory requirements:
(1) Critical nonvolatile memory shall be used to store all data elements that are considered vital to the continued operation of the self-service kiosk or point of sale device, including self-service kiosk configuration and point of sale device data and state of operations.
(2) Critical nonvolatile memory shall not store sensitive information outside of self-service kiosk and point of sale device operations; however, critical nonvolatile memory may be maintained by any component of the sports wagering system.
(3) The self-service kiosk or point of sale device must have a backup or archive capability, which allows the recovery of critical nonvolatile memory should a failure occur.
(4) Critical nonvolatile memory storage shall be maintained by a methodology that enables errors to be identified. This methodology may involve signatures, check sums, redundant copies, database error checks or other methods approved by the Board.
(5) Comprehensive checks of critical nonvolatile memory data elements shall be made on startup. Nonvolatile memory that is not critical to self-service kiosk or point of sale device integrity is not required to be checked.
(6) An unrecoverable corruption of critical nonvolatile memory shall result in an error. Upon detection, the self-service kiosk and point of sale device software shall cease to function. Additionally, the critical nonvolatile memory error shall cause any communication external to the self-service kiosk to cease.
(e) Self-service kiosk and point of sale device software, after a program interruption, shall recover to the state it was in immediately prior to the interruption occurring. Any communications to an external device shall not begin until the program resumption routine, including any self-test, is completed successfully.
(f) On a scheduled basis, a sports wagering certificate holder or sports wagering operator shall remove the bill validator boxes in the self-service kiosks.
(1) The self-service kiosk drop shall be monitored and recorded by surveillance.
(2) The sports wagering certificate holder or sports wagering operator shall submit the self-service kiosk drop schedule to the Board, with the schedule to include:
(i) The time that a drop is scheduled to commence.
(ii) The number and locations of the self-service kiosks in the sports wagering area or on the gaming floor of a licensed facility.
(g) A security department member and a finance department member shall obtain the keys necessary to perform the self-service kiosk drop or currency cassette replacement, or both, in accordance with the sports wagering certificate holder or sports wagering operator's key sign-out procedures.
(1) The security department shall control the keys to the outer door of the self-service kiosks.
(2) The finance department shall control the keys to the bill validator boxes or currency cassettes, or both.
(h) A finance department member with no incompatible job functions shall place empty bill validator boxes needed for the self-service kiosk drop into a secured cart which shall be transported in the presence of a member of the security department at all times.
(i) A sports wagering certificate holder or sports wagering operator shall reconcile the self-service kiosks on a scheduled basis under internal controls.
(1) Any variance of $500 or more shall be documented by the accounting department and reported in writing to the Office of Sports Wagering and Bureau of Casino Compliance within 72 hours of the end of the gaming day which the variance was discovered.
(2) The report shall indicate the cause of the variance and shall contain any documentation required to support the stated explanation.
(j) A sports wagering certificate holder or sports wagering operator shall include in its internal controls required under § 1408a.3 (relating to internal controls) the set of self-service kiosk key controls and accounting protocols, including the procedures for the drop and count of self-service kiosk funds, and all point of sale devices.

58 Pa. Code § 1407a.5