The Malta Gaming Authority (MGA) has issued guidelines on the Technical Infrastructure hosting Gaming and control systems. The purpose of these guidelines is to underline and update the MGA’s approach when implementing its regulatory requirements and procedures with respect to Technical Infrastructure. They are intended to guide operators, other providers, and stakeholders on the Authority’s compliance objectives and what is taken into consideration when evaluating an applicant’s or a licensee’s technical set-up.
The MGA’s acceptance and approval of a particular proposal will largely depend on the treatment of risks posed by any one particular proposal. This requires a more principles-based approach rather than a set of prescriptive rules.
The principles are already embedded in the MGA’s internal regulatory policies routinely employed in assessing remote gaming licences and ongoing compliance. They shall therefore continue to apply to all remote gaming licensees and applicants.
The MGA urges service providers of co-location and cloud services to be guided by the standards referred to in the guidelines, although these do not apply directly to them.
The application of the guidelines and requirements by the MGA shall be proportionate to the risks posed by the technical infrastructure/configuration presented by the operator.
The location of the technical infrastructure is critical for the attainment of the highest level of regulatory principles, hence: (a) the integrity of regulatory data, including transaction logs and gaming functionality, must be ensured at all times; (b) gaming and financial transaction logs must be accessible at all times; (c) privacy and confidentiality of data must comply with data protection rules; (d) the responsibility for the attainment of the required standards remains with the licensee.
The licensees/applicants are required to provide details of the technical infrastructure.
The Authority, in assessing a proposal or application and establishing a position, will take into consideration the geographic location of the critical components of the operation. The architecture must be located in Malta, and/or any EEA member state and/or in any other third country jurisdiction wherein the Authority is satisfied that the same principles can be obtained.
The information security level sought by the MGA is that of ISO/IEC 27001:2013, and CSPs (Cloud Service Providers) are to be guided by ISO/IEC 27002:2013 Information Technology.
Storage or processing of credit card and other payment data needs to comply with PCI DSS Level 1 certification.
Some components, including processes, are considered critical by the MGA. These components are considered critical when there are increased regulatory and/or business integrity, safety, privacy and compliance risks. These include random number generators, jackpot servers, player database servers, financial database servers, gaming database servers, and any other component deemed by the MGA to be critical within the system organisation of the operator.
Any decision by operators to utilise a cloud environment for the hosting of all or part of their critical components should follow a risk assessment conducted using the risk management framework and process described in ISO 31000:2009.
The Authority will be satisfied that the proposed architecture meets the principles contained in its guidelines when the critical components are hosted on a private cloud environment which is not shared with other tenants on the same cloud.
Virtual cloud environments will be allowed when the Authority is satisfied that the integrity and security of the critical components are not at risk.
Availability, traceability and accessibility of the licensee’s regulatory data for supervision purposes are key. Hence, real-time information is essential. When the licensee’s infrastructure is located in other jurisdictions and/or cloud environments, the data can be replicated on servers based in Malta, subject to an assessment carried out by the MGA.
The MGA retains the right to request additional information besides that contemplated in the guidelines.
For further details, one should consult www.mga.org.mt.