DICTAO
152, avenue Malakoff
75116 PARIS, France
+33 1 73 00 26 00
www.dictao.com
Traceability Requirements and Solutions
for iGaming operators
on New Regulated Markets in Europe
Denmark, Spain, France & Schleswig-Holstein cases.
September 2012
Copyright Dictao 2012
Agenda
Fact: Traceability is a key regulatory requirement
Problem: Traceability requirements are complex, and increase costs & time
Solution: Traceability made simple with Dictao
Traceability requirements and gaming system architectures
The cases of Denmark, Spain, France and Schleswig-Holstein
Operator benefits
Compliance, flexibility and cost-effectiveness
Dictao, leading iGaming compliance service provider
Contact
Fact: Traceability is a key regulatory requirement
Regulators see traceability as a means to achieve:
Consumer protection
Anti money laundering
Fight against fraud
Tax control
Traceability: pervasive in all regulated markets
Italy AAMS* and SOGEI’s centralized system (2009)
France ARJEL* ‘Frontal’ (2010)
Denmark DGA* ‘SAFE’ (2011)
Spain CNJ* ‘Almacen’ (2011)
Schleswig-Holstein ‘Kontrollsystem’ (2012)
Greece GSCC* ‘Supervision and Control IT System’ (2012 – est.)
Next EU markets
“E15” Germany, the Netherlands, Poland, Bulgaria…
(I) AAMS: Amministrazione autonoma dei monopoli di Stato
(II) ARJEL: Autorité de Régulation des Jeux en Ligne
(III) DGA: Danish Gaming Authority
(IV) CNJ: Comisión Nacional del Juego
(V) GSCC: Games of Chance Supervision and Control Commission
Problem: Traceability requirements are complex, and increase costs & time
Especially when each jurisdiction requires distinct and specific:
Data formats
Server location
Backup location
Certifications
Secure storage
Data retention policies
Language
…
This wide heterogeneity
Creates additional complexity
Delays go-to-market
Increases running costs
[Diagram labels: Core Gaming Platforms; Capteur; Capturador; .FR; .DE; .DK; .ES]
Solution: Traceability made simple
A single partner for every regulation
For all jurisdictions that do not impose a central system
For all games
Dictao focuses on traceability only
We are regulation and traceability experts
We only extract operator’s data
We manage traceability data storage and download by the local regulator
[Diagram labels: Operator platform (Casino, Sportsbook, Poker); Dictao; DGA; ARJEL; S-H; CNJ]
…
Denmark traceability requirements
Dictao Compliance Services
Format XML gaming records
Cryptographically seal records
Generate "end of day" reports
Ensure regulator real-time access
Backup data for 5 years
Operators’ services
Authenticate the users through NemID
Check user against player blacklist
[Diagram labels: Operator platform; Dictao; DGA; Other game; Poker; CRM; NemID Auth; Player Blacklist; Format records; Seal records; Generate reports; Publish records; Backup data; Tamper Token; FTPS Access]
Denmark gaming system architecture
[Diagram labels: SKAT; Tamper Token (TT); Self-exclusion Register; Reporting DB; Dictao; Gaming application; Operator API; Data extraction; XML Formatting; SAFE; Long-term archival; Transactions; End-of-day reports; Civil registration number; Transaction data]
Spain traceability requirements
Dictao Compliance Services
Format XML gaming events
Sign and timestamp the events
Encrypt the events
Generate aggregated reports
Store game history
Ensure regulator real-time access
Backup data for 6 years
Operators’ services
Check user against CNJ Webservices
Geolocalize user IP
[Diagram labels: Operator platform; Dictao; CNJ; Other game; Poker; CRM; Geoloc.; Player Info; Format records; Sign records; Timestamp records; Encrypt records; Publish records; Store game history; Generate reports; Backup data; Sign. verification; Decryption; SFTP access; Replay game]
Spain gaming system architecture
[Diagram labels: Central Game Unit; CNJ; Game Platform (Player management, Payment systems, access logs,…); Player Info; Game software (Sportsbook, Poker, Bingo,…); Random number generator; Internal Control System; Capturador; Secure Vault; Supervision; Dictao]
France traceability requirements (1/2)
Distributed architecture: each operator is in charge of its vault and « capteur »
A posteriori control, rather than ‘a-priori’ authorization of transactions
Data extracted and stored in France where French law officers have power to seize equipment
Game events are stored in a vault
Access control: only ARJEL can read on site and remotely, only operator can write
Tamper proof: changes, deletions, insertions are detectable
Data is encrypted to ensure privacy protection
Game events are produced in a « capteur »
Data extracted prior to any backend processing
Data reflects the player’s view of events
Data is stored synchronously
Capteur code audited by independent third parties
Copyright Dictao 2010
France traceability requirements (2/2)
Relies on advanced security enabling operation in « hostile » environment
HSM
Strong authentication
Digital signature
Trace chaining
Physical seal on control equipment
Encryption
Timestamping
Strict role separation
« CSPN » Certification
Enforcement
Mystery player – ARJEL checks site and trace production anonymously
Vault certification – trusted third party audit
Daily data downloads – business intelligence
Regular on-site audits by ARJEL – limit travel destinations
Cryptographic seals – control data has legal value years after it has been produced
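The tamper-proof vault and trace-chaining requirements above, as an added example that is not Dictao's or ARJEL's code: each trace is sealed over its sequence number, the previous seal and the event, so a change, deletion or insertion fails verification. HMAC-SHA256 stands in for the HSM-backed digital signature, and the field names, key and events are constructed for illustration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # constructed anchor value that the first trace links to

def seal(key: bytes, seq: int, prev: str, event: dict) -> str:
    """Seal one trace over its sequence number, the previous seal and the event."""
    body = json.dumps({"seq": seq, "prev": prev, "event": event},
                      sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def append(vault: list, key: bytes, event: dict) -> str:
    """Append an event chained to the previous trace; return the new head seal."""
    prev = vault[-1]["seal"] if vault else GENESIS
    seq = len(vault) + 1
    vault.append({"seq": seq, "prev": prev, "event": event,
                  "seal": seal(key, seq, prev, event)})
    return vault[-1]["seal"]

def verify(vault: list, key: bytes, head: str) -> list:
    """Return (position, problem) findings; an empty list means the chain is intact.
    `head` is the last seal the auditor recorded independently of the vault."""
    findings, prev = [], GENESIS
    for pos, rec in enumerate(vault, start=1):
        if rec["seq"] != pos:
            findings.append((pos, "sequence gap or reordering"))
        if rec["prev"] != prev:
            findings.append((pos, "broken link to previous trace"))
        good = seal(key, rec["seq"], rec["prev"], rec["event"])
        if not hmac.compare_digest(good, rec["seal"]):
            findings.append((pos, "seal mismatch"))
        prev = rec["seal"]
    if prev != head:
        findings.append((len(vault), "head seal differs from auditor's copy"))
    return findings

def demo():
    """Build a three-trace vault from constructed sample events."""
    key = b"constructed-demo-key"  # assumption: a real key would stay inside an HSM
    vault, events = [], [
        {"player": "p-001", "type": "bet", "amount": 10},
        {"player": "p-001", "type": "win", "amount": 25},
        {"player": "p-002", "type": "bet", "amount": 5},
    ]
    for e in events:
        head = append(vault, key, e)
    return vault, key, head
```

Removing the last traces leaves every remaining link valid, which is why verify() also compares the final seal with a copy held outside the vault.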
France gaming system architecture
Operator’s backend can be anywhere
Frontal must be on French soil
Players must reside in France
[Diagram labels: Player; Frontal; Capteur; Vault; Operator Gaming Backend; flow steps 1 to 5]
Schleswig-Holstein: defined traceability requirements (1/2)
Final technical requirements were distributed to licensed operators in July.
Schleswig-Holstein requirements include:
Safe-server
36 months data storage
Located in Schleswig-Holstein or other Länder
Near-real time data capture
Certification by accredited 3rd parties
Encrypted data
Standards-based
=> A new combination of the « usual » building blocks found in IT requirements of France, Denmark and Spain.
Schleswig-Holstein: defined traceability requirements (2/2)
The decree clarifies, amongst other technical requirements, the Safe-server features:
Data
Player personal information
Financial information
Gameplay
End-of-day summaries
Data formats
XSD description of the data model with German tags
Cryptography algorithms
XAdES standard signatures/timestamps and AES encryption
Benefits (1/3): Guaranteed compliance
We keep close relationships with local regulators
Compliance with current regulations
First ARJEL-compliant ‘frontal’ in France
DGA-compliant SAFE in Denmark
CNJ-compliant Internal Control System (ICS) in Spain
Strategic commitment to comply with future regulatory requirements
100% compliant with current, preliminary Schleswig-Holstein requirements
Dictao guarantees compliance with future regulation modifications
Benefits (2/3): Flexibility
Business model flexibility
Software license: operator integrates and operates the service
Software as a Service (SaaS): Dictao hosts and operates the service on behalf of the operator
Managed service: Dictao operates the service hosted in operator’s premises
Integration flexibility
Standard Webservices API
Managed test environment
Connection link
over the internet
over dedicated leased line
Technical flexibility
Scalable: from a few to several thousands of events per second
Reliable: high availability (>99.99%) and multiple sites
Benefits (3/3): Cost-effectiveness
Low investment costs
The solution is based on existing in-house products
The development costs are spread across multiple customers
The SaaS platform shares infrastructure
Low recurring costs
One dedicated compliance team operates the vaults of several customers
Evolutions in regulation included
Dictao
Specialized in 3 areas:
Data traceability
Strong authentication
Electronic signatures
Dictao products power mission-critical applications across multiple sectors
Gaming, banking, industry, defense, government, …
Dictao products are certified EAL3+ by the French Network and Information Security Agency (ANSSI), SigG and SigV by the Bundesnetzagentur in Germany, and 3-D Secure by Visa and MasterCard.
Dictao in the iGaming industry
Main traceability offer built to answer compliance requirements:
E-vault product
Hosted services
Consulting services
But also player authentication and registration where eID can be used
Dictao is the industry’s leading technical compliance solution provider:
The only offer covering Spain, Denmark, France and (soon) Schleswig-Holstein
40+ operators are clients
9 out of the top 10 operators from eGaming Review’s Power50 list
45% of the first licensed operators in France
45% of the first licensed operators in Denmark
28 operators chose Dictao in Spain
For more information, please contact:
Gregory Kuhlmey
+33 1 73 00 26 00
+33 6 42 15 62 49 (mobile)
www.dictao.com
http://www.dictao.com/en/solutions/online-gambling