Ohio Administrative Code (Last Updated: January 12, 2021) |
3772 Casino Control Commission |
Chapter3772-9. Electronic Gaming Equipment |
3772-9-12. Electronic gaming equipment authentication
-
(A) Casino operators and gaming -related vendors shall ensure their electronic gaming equipment supports a port and protocol, referred to as game authentication terminal (GAT), for gaming equipment verification.
(B) Electronic gaming equipment submitted for approval on or after December 1, 2012 shall provide the following support for authenticating critical program storage media (CPSM), unless otherwise approved in writing by the executive director or designee:
(1) Employ a verification mechanism, approved by the commission, which authenticates all CPSM. The authentication mechanism shall:
(a) Be accessible by a communication port and protocol approved by the commission;
(b) Provide on-demand authentication of electronic gaming equipment CPSM. This function shall not require the electronic gaming equipment power to be cycled;
(c) Generate a unique signature for each CPSM utilizing, at a minimum, secure hashing algorithm-1 (SHA-1) with hash-based message authentication code (HMAC), as defined by the "National Institute of Standards and Technology (NIST), Federal Information Processing Standards Publication 180-4: Secure Hash Standard (March 2012);" and
(d) Provide support for escrowing verification results. Verification results shall be preserved and retrievable pending a subsequent verification request or a loss of power; and
(2) Provide means for the use of third party authentication tools approved by the commission.
(C) All electronic gaming equipment submitted for approval before December 1, 2012, which offers a communication port, shall comply with the requirements in paragraph (B) of this rule, upon the installation of new CPSM and shall comply with this rule by December 1, 2012, unless otherwise approved in writing by the executive director or designee.
(D) Electronic gaming equipment submitted for approval before December 1, 2012, which do not offer a communication port are excluded from this rule.