Spillemyndigheden’s certification programme is set out to ensure that the gambling system executes games in a correct way and that the security surrounding the gambling system is maintained. The licence holder must be certified at all times in accordance with those parts of the certification programme which apply to their specific offer of gambling products.
The requirements in the certification programme is adapted to the different types of games based on an evaluation of the type of game´s significance and risk in relation to extent, prevalence, nature, size of the prize and the risk of the customers being deceived etc. Currently the following types of games are in use:
- Online betting
- Land-based betting
- Online casino
- Charitable lotteries (Certification programme to be announced later)
- Land-based casino (Certification programme to be announced later)
- Class lottery (Certification programme to be announced later)
- Gaming machines with cash prizes (Certification programme to be announced later)
The accredited inspection and testing organisation performs testing and inspection of the gambling system, business processes and business systems of the licence holder. The testing and inspection must be adapted to the individual licence holder’s offer of gambling products.
Spillemyndigheden’s certification programme consists of a number of documents, which are continuously adapted to the development in technology.
Each of the eight types of games has a set of testing standards and a set of inspection standards associated. Furthermore, five documents apply across all types of games and cover general requirements, information security management system, penetration testing, vulnerability scanning and change management.
Each document sets out minimum requirements for the arrangement of the gambling system, business processes and business systems of the licence holder.
Spillemyndigheden’s certification programme supplements the gambling regulation, individual licence terms and the administrative practice set out by Spillemyndigheden.
The Danish Gambling Authority publishes certification programme for lotteries and betting on horse and dog races
A certification programme for lotteries and betting on horse and dog races have been published by The Danish Gambling Authority. This means that new testing and inspection standards have been published and changes have been made to the existing documents regarding landbased betting, online betting and the documents applicable to all gambling categories.
Updated certification programme came into force on january 1st 2015
The Danish Gambling Authority updated certification programme in 2014 with the intent to set a new structure for the programme and to update the certification programme in general.
New structure to the certification programme
The main reason for updating the certification programme has been to create new documental structure that is better suited for the future development of the programme. The updated certification programme have been divided into documents that either apply to all game types or only applies to specific game types. By dividing the existing certification programme to specific game types, makes it possible to compile packages with game specific requirements for each type of game offered.
General requirements contain the general framework for the certification process and the general preconditions for the rest of the documents in the certification programme.
Testing standards contain the requirements that require a test of the license holders systems in order to determine compliance. Testing of RNG functionality is a key requirement in the testing standards. The content of the testing standards have been specified to each game type.
Inspection standards contain requirements which doesn’t require testing, but compliance can be determined by an inspection. The content of the inspection standards have been specified to each game type.
Information Security Management System contains the requirements from section 6 in the previous "Technical standards" concerning the same subject matter.
Instructions for Penetration Testing contain the requirements from section 7 in the previous "Technical standards" concerning the same subject matter. The Danish Gambling Authority has elaborated on the contents and procedure due to the demand for clarification.
Instructions for Vulnerability Scanning contain the requirements from section 7 in the previous "Technical standards" concerning the same subject matter. The contents and procedures have also been elaborated.
Change management programme contain the requirements from the previous programme with the same name.
Each document in Spillemyndigheden’s Certification Programme has a unique identifier comprised of:
- ”SCP” – Which indicates Spillemyndigheden’s Certification Programme.
- Two digits – Which indicates the type of document.
The identifiers are:
"00" General requirements
"01" Testing standards
"02" Inspection standards
"03" Information Security Management System
"04" Penetration Testing
"05" Vulnerability Scanning
"06" Change Management Programme
- Two digits – Which indicates the type of game covered.
The identifiers are:
"00" All types of games
"01" Online betting
"02" Land-based betting
"03" Online casino
"04" Charitable lotteries (Certification programme to be announced later)
"05" Land-based casino (Certification programme to be announced later)
"07" Class lottery (Certification programme to be announced later)
"08" Gaming machines with cash prizes (Certification programme to be announced later)
- ”DK” or ”EN” – Which indicates the language version. ”DK” for Danish and ”EN” for English.
- Version number
The document identifier SCP.02.02.DK.1.0 would thus be version 1.0 of the inspection standards for land-based betting in Danish.
A standard report with the identifier SCP.XX.XX.DK.1.0.SR is associated with each document and must be used when submitting certifications to Spillemyndigheden. The document identifiers for the standard reports follow the methodology above.
Changes in the updated certification programme compared to version 1.3
All documents in version 1.3 of the certification programme have been divided into the abovementioned documents. A lot of the central passages have been rewritten in order to clarify the requirements. Due to the extensive revision and creation of new documents it is not possible to provide an exhaustive list of all the changes made. The following key changes should be highlighted, just as they were on June 3, 2014 at the meeting for the committee for online casino and betting:
- Period deferment with regards to supplier certification
Several license holders have made the Danish Gambling Authority aware about the fact, that it could be difficult for them to plan their certification of suppliers within a two month window. Because of this, the Danish Gambling Authority has chosen to remove the time constraints with regards to when suppliers shall be certified.
From now on license holders can plan the certification of suppliers freely. However, the license holders testing organization must take the supplier’s certifications the past 12 months into account.
- Physical access control
As a new requirement to the Information Security Management System license holders have to have physical access controls for their systems.
- Encryption of data
Based on responses from the industry, we have concluded that the requirement about the encryption of all stored data is too burdensome and therefore we have decided to loosen the rules, so from now on its only sensitive information that should be encrypted.
- Elaborating on penetration testing and vulnerability scanning
The Danish Gambling Authority has received several questions from the testing organisations regarding the purpose of the penetration testing and vulnerability scanning. In order to elaborate on these tests, we have extracted the requirements and put them into separate documents, where we have elaborated on the contents and procedures of the tests. We have e.g. added the possibility for the testing organisations to use the National Vulnerability Database – Common Vulnerability Scoring System-scale (NVD CVSS) or equal scoring system.
- Virtualised server environments (Cloud)
Version 1.3 of the certification programme didn’t take into account the use of virtualised server environments (Cloud). In order to accommodate the use of cloud within our future framework, we have added relevant section regarding this. The changes have primarily been made to the change management system and the information security management system.
- Clarification on the period of validity
The Danish Gambling Authority has been made aware, that it lacks meaning to use a terminology where a certification is given a period of validity. A certification is a snapshot and should be treated as such.
This has required the Danish Gambling Authority to rewrite key sections in the certification programme, especially with regards to the section about certification frequency. It should be noted, that we do not intend any changes to the existing certification frequency.
- Clarification regarding the certification of RNG’s
The Danish Gambling Authority has found a need to clarify the requirement regarding certification of the RNG. All random functions shall be certified, also random functions that doesn’t generate a result.
- New requirements regarding logging for the use of the Danish Gambling Authority
License holder will have to log player complaint med information about cause, playerID, time and result. By doing this, the license holders can easier meet request from the Danish Gambling Authority regarding player complaints in the future.
The license holders gambling system must also log information about funds withheld from players, due to the closing of temporary accounts. By doing this, the Danish Gambling Authority can easier create an overview with regards to how many funds are withheld.
- Additional changes
Besides the changes already mentioned, a lot of minor changes have been made to the existing version 1.3 in order to make the updated certification programme. We have also added a lot of explanatory text in order to create a better understanding of the requirements and the certification programme in general.
New way of reporting certifications to the Danish Gambling Authority – Standard reports
In order to streamline the reports from the testing organisations, the Danish Gambling Authority will introduce standard reports to ensure a more uniform way of reporting certification results.
The standard reports are templates for the testing organisations to list whether or not a requirement is compliant.
As a new element in the reporting to the Danish Gambling Authority, the testing organizations will have to point out special circumstances regarding whether a requirement is compliant or non-compliant. The testing organizations shall, amongst other things, note it in the standard report if a requirement wasn’t compliant at the initial inspection, even though the requirement was corrected before the final certification.
If the license holder offers several game types, it is adequate to submit only one standard report for:
• general requirements,
• information security management system,
• penetration testing,
• vulnerability scanning and
• change management system.
The standard reports for the quarterly reporting in change management in both languages will be released later.
Versioning – From version 1.3 to version 1.0
Due the new documental structure in the certification programme the Danish Gambling Authority have chosen to start over with the versioning. The updated certification programme will therefore start over with version 1.0, even though the existing programme is version 1.3. The Danish Gambling Authority hopes that the version number together with the new document codes will establish the necessary clarity with regards to which version of the certification programme is valid.
Due to the creation of new documents in the certification programme, it is not possible to publish documents with track changes. The Danish Gambling Authority will aim to publish future versions with track changes.
It is only the Danish version of the certification programme which is legally binding and that the English version is meant as guidance only. It should be emphasized that this also applies to the accreditation that the testing organizations has to attain. The accreditation must reference the Danish version of the certification programme.