Consultation on update of the Danish Gambling Authority's certification programme
The Danish Gambling Authority (DGA) has updated the certification programme for online betting, land-based betting, and online casino. Interested parties are welcome to comment on the update before the final version is issued.
Comments must be sent to the DGA no later than Tuesday the 31st of August 2021. Comments must be submitted by using the contact form. Please use the category “certification”.
The DGA expects the updated certification to come into force in 2022. The final date has not been determined. A possible transition period will be described in connection with the issuing of the updated certification programme. Updated standard reports will be issued as well.
Several linguistic adjustments have been made and some guidance texts have been added/adjusted. In addition to this, the following significant changes and additions should be mentioned:
General requirements for testing organisations
The requirement stating that a testing organisation must have at least three years of experience is removed. This requirement prevented e.g. newly established testing organisations from performing certification work according to the certification programme. In relation to experience, the DGA is of the opinion that it is more important to consider the people involved in the actual work, and less important how many years a company has been in business. Therefore, we maintain the requirements regarding the employees’ experience.
Requirements for testing organisations in relation to testing standards
ISO 17020 has been removed as a possible accreditation. Looking forward, only ISO 17025 is accepted. The change is made since ISO 17025 is targeted at testing.
Information from Newsletter no. 43
On the 5th of July 2019, the DGA issued Newsletter # 43, where several requirements about certification was specified. Information from this newsletter is incorporated in i.a. the general requirements. This includes requirements about reporting and requirements about supervision of certification work among others.
Certification in connection with licence application
A section has been added, where it is specified, that the first certification shall be completed in connection with the handling of a licence application. At the same time, it is clarified, that in order to approve the first certification, it shall be completed without any errors or shortcomings.
Use of risk assessment
It has been specified, when and how risk assessment can be used to approve requirements. It is clarified that risk assessment cannot be used to, for instance, select a spot sample of which requirements that need to be looked at. Risk assessment is used if a requirement IS NOT fulfilled. In this situation, the testing organisation shall make a risk assessment of the impact and based on this decide whether the requirement can be approved anyway. At the same time the licence holder must of course remediate the error. See section 2.1.4 in the general requirements.
Deadline for submitting reports
It has been clarified directly in the certification programme, when the deadline is for submitting documentation for completed certifications.
Vulnerability scan and penetration testing
Renaming of “indtrængningsefterprøvning”
In the Danish version Indtrængningsefterprøvning has been renamed to penetrationstest, since this phrasing is more commonly used.
Requirements for testing organisations
It is no longer a requirement to have an ISO-accreditation to perform vulnerability scans and penetration testing. The requirement to be an Approved Scanning Vendor in accordance with OCI DSS is however maintained. This requirement is maintained after input from testing organisations, and because it is the DGA’s opinion that the approval says a lot about the organisations qualifications and maturity. All licence holders already have, either directly or indirectly through a testing organisation, a cooperation with an Approved Scanning Vendor. A cooperation which looking forward must cover the tasks previously performed by the ISO-accredited testing organisation.
Requirements regarding qualifications of persons, who attest the certification reports have been updated as well.
Vulnerability scan shall be PCI approved
It has been clarified that a PCI approved vulnerability scan must be completed before a licence is granted and hereafter every 3 months. This has always been the intention, but it turns out, that vulnerability scans of a lower standard have often been used, since the requirements have not been clear enough.
At the same time, it is clarified that the vulnerability scan, which is typically completed ahead of a penetration test, can be considered a valid quarterly vulnerability scan, if it is completed in compliance with the requirements.
“Guidelines” is changed to “requirements”
The title of the documents has changed from guidelines to requirements, to make it clear that they are actual requirements.
Requirements if a penetration test is not passed
It has been specified which procedure must be followed in relation to reporting and new testing, if a penetration test is not passed.
“Passed”, “Passed after remediation” and “not passed”
The DGA has previously found that reporting of whether a vulnerability scan or penetration test was passed or not, was not in accordance with facts. It has therefore been clarified, which status shall be used in which situation.
Use of internal function
The section on use of an internal function to perform vulnerability scans and penetration tests has been removed. The option to use an internal function was limited to situations, where components in the gambling system were updated. There can still be a need for a vulnerability scan when updates are made, but the DGA does not set the requirements for this scan. If a PCI approved vulnerability scan is completed when components are updated, it can be considered a valid vulnerability scan in accordance with the requirements, and it can be reported to the DGA.
RNG requirements have been merged
RNG requirements regarding result generating and RNG requirements regarding other functionality have been merged in one section.
Test of equipment used for live casino
Requirements regarding test of equipment used for live casino have been added. This covers for instance requirements for roulette, card shufflers and card shoes.
The rule of 3 seconds
The requirements regarding the gambling system ensuring that it takes at least 3 seconds to complete a game have been moved from the inspection standards to the testing standards. The DGA believes, they require testing and therefore rightly belong here.
The structure in the document has changed, so the headings now appear in the following order:
- Written presentation
- Visual presentation
- General gambling functionality
- Special gambling functionality
This has led to new positions for several requirements to put them in the correct context. This is especially the case for requirements in the former section 4.
The requirements for online bingo have been moved to the section on peer-to-peer games to clarify, that this is the type of online bingo, that can be offered under an online casino licence.
Visual presentation of card games
The specific requirements on visual presentation of Blackjack and Baccarat/Punto Banco have been removed because they are already covered by general requirements for card games. See section 5.1.5.
Closure of bets
Two requirements regarding closure of bets before they are settled (cash out) have been added to the section on Special gambling functionality. See section 7.1.2.
Storing of customers ROFUS status
The requirement saying that the gambling system should store the customers’ status in ROFUS has been removed. The DGA believes that licence holders as a rule should not store information about customers’ status in ROFUS after the information has been used for the purpose, for which it was collected.
Records, logs and data retention
The title of the section on “Records, logs and data retention” has been changed to “Registration, maintenance and storage of data”, and the requirements in the section has been re-written to clarify what needs to be registered in which situations.
Change management programme
Prior approval of change from the Danish Gambling Authority
Looking forward, the description of situations, where the DGA needs to give a prior approval of new and changed games, will only appear from the DGA’s technical requirements for online casino and betting, and not in the certification programme. A new version of the technical requirements will be issued along with the updated certification programme.
The prior approval ensures that the licence holder can report correct and sufficient game data. New games, which do not fit in the existing data reporting requirements, can give rise to extensive system development on the DGA’s side, which is why information must be given to the DGA in plenty of time before launching the game.