dictao traceability solution for internet gaming operators on newly regulated european...

DICTAO

152, avenue Malakoff, 75116 PARIS, France

+33 1 73 00 26 00

www.dictao.com

Traceability Requirements and Solutions for iGaming operators on New Regulated Markets in Europe

Denmark, Spain, France & Schleswig-Holstein cases.

September 2012

Copyright Dictao 2012

Upload: market-engel-sas

Post on 20-Aug-2015


Agenda

Fact: Traceability is a key regulatory requirement

Problem: Traceability requirements are complex, and increase costs & time

Solution: Traceability made simple with Dictao

Traceability requirements and gaming system architectures

The cases of Denmark, Spain, France and Schleswig-Holstein

Operator benefits

Compliance, flexibility and cost-effectiveness

Dictao, leading iGaming compliance service provider

Contact


Fact: Traceability is a key regulatory requirement

Regulators see traceability as a means to achieve:

Consumer protection

Anti money laundering

Fight against fraud

Tax control

Traceability: pervasive in all regulated markets

Italy AAMS* and SOGEI’s centralized system (2009)

France ARJEL* ‘Frontal’ (2010)

Denmark DGA* ‘SAFE’ (2011)

Spain CNJ* ‘Almacen’ (2011)

Schleswig-Holstein ‘Kontrollsystem’ (2012)

Greece GSCC* ‘Supervision and Control IT System’ (2012 – est.)

Next EU markets

“E15” Germany, the Netherlands, Poland, Bulgaria…

(I) AAMS: Amministrazione autonoma dei monopoli di Stato

(II) ARJEL: Autorité de Régulation des Jeux en Ligne

(III) DGA: Danish Gaming Authority

(IV) CNJ: Comisión Nacional del Juego

(V) GSCC: Games of Chance Supervision and Control Commission


Problem: Traceability requirements are complex, and increase costs & time

Especially when each jurisdiction requires distinct and specific:

Data formats

Server location

Backup location

Certifications

Secure storage

Data retention policies

Language

This wide heterogeneity

Creates additional complexity

Delays go-to-market

Increases running costs

[Diagram labels: Core Gaming Platforms; Capteur; Capturador; .FR, .DE, .DK, .ES]

Solution: Traceability made simple

A single partner for every regulation

For all jurisdictions that do not impose a central system

For all games

Dictao focuses on traceability only

We are regulation and traceability experts

We only extract operator’s data

We manage traceability data storage and download by the local regulator

[Diagram labels: Operator platform (Casino, Sportsbook, Poker); Dictao; DGA, ARJEL, S-H, CNJ]

Market Cases: Denmark, Spain, France, Schleswig-Holstein

Denmark traceability requirements


Dictao Compliance Services

Format XML gaming records

Cryptographically seal records

Generate "end of day" reports

Ensure regulator real-time access

Backup data for 5 years

Operators’ services

Authenticate the users through NemID

Check user against player blacklist

[Diagram labels: Operator platform; Dictao; DGA; Format records; Seal records; Generate reports; Publish records; Backup data; Player Blacklist; Tamper Token; FTPS Access; Poker; Other game; CRM; NemID Auth]

Denmark gaming system architecture

[Architecture diagram labels: SKAT; Tamper Token (TT); Self-exclusion Register; Reporting DB; Dictao; Gaming application; Operator API; Data extraction; XML Formatting; SAFE; Long-term archival; Transactions; End-of-day reports; Civil registration number; Transaction data]

Spain traceability requirements


Dictao Compliance Services

Format XML gaming events

Sign and timestamp the events

Encrypt the events

Generate aggregated reports

Store game history

Ensure regulator real-time access

Backup data for 6 years

Operators’ services

Check user against CNJ Webservices

Geolocalize user IP

[Diagram labels: Operator platform; Dictao; CNJ; Format records; Sign records; Timestamp records; Encrypt records; Publish records; Store game history; Generate reports; Backup data; Player Info; Sign. verification; Geoloc.; Decryption; SFTP access; Replay game; Poker; Other game; CRM]

Spain gaming system architecture

[Architecture diagram labels: Central Game Unit; CNJ; Game Platform (Player management, Payment systems, access logs,…); Player Info; Game software (Sportsbook, Poker, Bingo,…); Random number generator; Internal Control System; Capturador; Secure Vault; Supervision; Dictao]

France traceability requirements (1/2)

Distributed architecture: each operator is in charge of its vault and « capteur »

A posteriori control, rather than ‘a-priori’ authorization of transactions

Data extracted and stored in France where French law officers have power to seize equipment

Game events are stored in a vault

Access control: only ARJEL can read on site and remotely, only operator can write

Tamper proof: changes, deletions, insertions are detectable

Data is encrypted to ensure privacy protection

Game events are produced in a « capteur »

Data extracted prior to any backend processing

Data reflects the player’s view of events

Data is stored synchronously

Capteur code audited by independent third parties


France traceability requirements (2/2)

Relies on advanced security enabling operation in « hostile » environment

HSM

Strong authentication

Digital signature

Trace chaining

Physical seal on control equipment

Enforcement

Mystery player – ARJEL checks site and trace production anonymously

Vault certification – trusted third party audit

Daily data downloads – business intelligence

Regular on-site audits by ARJEL – limit travel destinations

Cryptographic seals – control data has legal value years after it has been produced


Encryption

Timestamping

Strict role separation

« CSPN » Certification
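An added illustration of the "trace chaining" and tamper-evidence requirements on the two France slides above (changes, deletions and insertions are detectable); it is not Dictao's or ARJEL's code or record format. It assumes JSON events and uses HMAC-SHA256 as a stand-in for the digital signature the slides list; all names, the key and the sample events are constructed.

```python
import hashlib
import hmac
import json

GENESIS = b"\x00" * 32  # assumed anchor value for the first record

def seal(key, prev_seal, seq, event):
    # Seal covers the previous seal, the sequence number and the canonical event.
    body = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    msg = prev_seal + seq.to_bytes(8, "big") + body
    return hmac.new(key, msg, hashlib.sha256).digest()

def append(vault, key, event):
    # Chain the new record to the seal of the last stored record.
    prev = vault[-1]["seal"] if vault else GENESIS
    seq = len(vault)
    vault.append({"seq": seq, "event": event, "seal": seal(key, prev, seq, event)})

def verify(vault, key, expected_head=None):
    # Returns (ok, index of first bad record). expected_head is the last seal
    # noted outside the vault; without it, cutting off the tail goes unnoticed.
    prev = GENESIS
    for i, rec in enumerate(vault):
        good = seal(key, prev, i, rec["event"])
        if rec["seq"] != i or not hmac.compare_digest(good, rec["seal"]):
            return False, i
        prev = rec["seal"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, len(vault)
    return True, None

def demo():
    key = b"constructed-demo-key"  # constructed; the slides list an HSM for keys
    vault = []
    for ev in ({"player": "p1", "type": "bet", "amount": 10},
               {"player": "p1", "type": "win", "amount": 25},
               {"player": "p2", "type": "bet", "amount": 5}):
        append(vault, key, ev)
    head = vault[-1]["seal"]
    changed = [dict(r) for r in vault]
    changed[1] = dict(changed[1], event={"player": "p1", "type": "win", "amount": 250})
    deleted = vault[:1] + vault[2:]
    forged = {"seq": 1, "event": {"type": "bet"}, "seal": b"\x00" * 32}
    inserted = vault[:1] + [forged] + vault[1:]
    truncated = vault[:2]
    cases = {"intact": vault, "changed": changed, "deleted": deleted,
             "inserted": inserted, "truncated": truncated}
    return {name: verify(v, key, head) for name, v in cases.items()}
```

The `truncated` case is only caught because the head seal is compared against a copy held outside the vault, which is the role a regular download of the chain by a third party can play.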

France gaming system architecture

Operator’s backend can be anywhere

Frontal must be on French soil

Players must reside in France

[Diagram labels: Player; Frontal; Capteur; Vault; Operator Gaming Backend; steps 1 to 5]

Schleswig-Holstein: defined traceability requirements (1/2)

Final technical requirements were distributed to licensed operators in July.

Schleswig-Holstein requirements include:

Safe-server

36 months data storage

Located in Schleswig-Holstein or other Länder

Near-real time data capture

Certification by accredited 3rd parties

Encrypted data

Standards-based

=> A new combination of the « usual » building blocks found in IT requirements of France, Denmark and Spain.

Schleswig-Holstein: defined traceability requirements (2/2)

The decree clarifies, amongst other technical requirements, the Safe-server features:

Data

Player personal information

Financial information

Gameplay

End-of-day summaries

Data formats

XSD description of the data model with German tags

Cryptography algorithms

XAdES standard signatures/timestamps and AES encryption


Benefits (1/3): Guaranteed compliance

We keep close relationships with local regulators

Compliance with current regulations

First ARJEL-compliant ‘frontal’ in France

DGA-compliant SAFE in Denmark

CNJ-compliant Internal Control System (ICS) in Spain

Strategic commitment to comply with future regulatory requirements

100% compliant with current, preliminary Schleswig-Holstein requirements

Dictao guarantees compliance with future regulation modifications


Benefits (2/3): Flexibility

Business model flexibility

Software license: operator integrates and operates the service

Software as a Service (SaaS): Dictao hosts and operates the service on behalf of the operator

Managed service: Dictao operates the service hosted in operator’s premises

Integration flexibility

Standard Webservices API

Managed test environment

Connection link

over the internet

over dedicated leased line

Technical flexibility

Scalable : from a few to several thousands of events per second

Reliable: high availability (>99.99%) and multiple sites


Benefits (3/3): Cost-effectiveness

Low investment costs

The solution is based on existing in-house products

The development costs are spread across multiple customers

The SaaS platform shares infrastructure

Low recurring costs

One dedicated compliance team operates the vaults of several customers

Evolutions in regulation included


Dictao

Specialized in 3 areas:

Data traceability

Strong authentication

Electronic signatures

Dictao products power mission-critical applications across multiple sectors

Gaming, banking, industry, defense, government, …

Dictao products are certified EAL3+ by the French Network and Information Security Agency (ANSSI), SigG and SigV by the Bundesnetzagentur in Germany, and 3-D Secure by Visa and MasterCard.

Dictao in the iGaming industry

Main traceability offer built to answer compliance requirements:

E-vault product

Hosted services

Consulting services

But also player authentication and registration where eID can be used

Dictao is the industry’s leading technical compliance solution provider:

The only offer covering Spain, Denmark, France and (soon) Schleswig-Holstein

40+ operators are clients

9 out of the top 10 operators from eGaming Review’s Power50 list

45% of the first licensed operators in France

45% of the first licensed operators in Denmark

28 operators chose Dictao in Spain


For more information, please contact:

Gregory Kuhlmey

[email protected]

+33 1 73 00 26 00

+33 6 42 15 62 49 (mobile)

www.dictao.com

http://www.dictao.com/en/solutions/online-gambling