The ARJEL-compliant Trusted Solution For Online Gambling And Betting Operators

DICTAO

152 avenue de Malakoff

75116 PARIS, France

Tel.: +33 (0)1 73 00 26 00

www.dictao.com

White PaperWhite PaperWhite PaperWhite Paper

The trusted solution

for online gambling

operators in France


75116 PARIS, France

Tel.: +33 (0)1 73 00 26 00

www.dictao.com – [email protected]

White PaperWhite PaperWhite PaperWhite Paper


for online gambling

operators in France


for online gambling

operators in France

CONTENTS

1111 THE REGULATORY FRAMETHE REGULATORY FRAMETHE REGULATORY FRAMETHE REGULATORY FRAMEWORKWORKWORKWORK .................................................................................................................................................................................................................................................................................................................................................................................................................... 4444

1.1 The principles behind introducing competition .................................................................................................................. 4

1.2 Creation of a regulatory authority and definition of operator regulations ........................................................................... 5

The future regulatory authority's missions ............................................................................................................................... 5

Regulations concerning gambling platforms, organization and services .................................................................................. 5

1.3 The ARJEL licensing procedure ........................................................................................................................................... 6

Estimated schedule .................................................................................................................................................................. 6

Licensing application content .................................................................................................................................................. 6

Transition period ..................................................................................................................................................................... 7

2222 THE NEED FOR TRUSTTHE NEED FOR TRUSTTHE NEED FOR TRUSTTHE NEED FOR TRUST ............................................................................................................................................................................................................................................................................................................................................................................................................................................................................ 8888

2.1 Gamblers ........................................................................................................................................................................... 8

2.2 Operators .......................................................................................................................................................................... 8

2.3 Authorities ......................................................................................................................................................................... 8

3333 THE TECHNICAL SOLUTITHE TECHNICAL SOLUTITHE TECHNICAL SOLUTITHE TECHNICAL SOLUTIONONONON ............................................................................................................................................................................................................................................................................................................................................................................................................................................ 9999

3.1 Architecture with a front-end in French territory ................................................................................................................ 9

3.2 The front-end retrieves and secures traces of transactions ................................................................................................ 9

Front-end interface ............................................................................................................................................................... 10

Capteur ................................................................................................................................................................................. 10

Back-end relay ...................................................................................................................................................................... 10

Vault (upper part of front-end) .............................................................................................................................................. 10

3.3 Vault function (upper part of front-end)........................................................................................................................... 11

A key part of supervisory and monitoring activities ............................................................................................................... 11

Mandatory FNISA certification ................................................................................................................................................ 11

Initialized by the future regulatory authority .......................................................................................................................... 11

Hosted under the responsibility of the operator..................................................................................................................... 11

4444 ARJEL SPECIFICATIONSARJEL SPECIFICATIONSARJEL SPECIFICATIONSARJEL SPECIFICATIONS ................................................................................................................................................................................................................................................................................................................................................................................................................................................................ 12121212

4.1 Front-end requirements ................................................................................................................................................... 12

General requirements ............................................................................................................................................................ 12

The capteur ........................................................................................................................................................................... 12

The vault ............................................................................................................................................................................... 12

4.2 Gambling application requirements.................................................................................................................................. 13

4.3 Gambling platform requirements ..................................................................................................................................... 13

4.4 Information system maturity requirements ...................................................................................................................... 13

5555 DICTAO'S OFFER: DICTAO'S OFFER: DICTAO'S OFFER: DICTAO'S OFFER: A SOLUTION COMPLIANTA SOLUTION COMPLIANTA SOLUTION COMPLIANTA SOLUTION COMPLIANT WITH THE FUTURE AUTHWITH THE FUTURE AUTHWITH THE FUTURE AUTHWITH THE FUTURE AUTHORITY'S REGULATIONS ORITY'S REGULATIONS ORITY'S REGULATIONS ORITY'S REGULATIONS AS AS AS AS

OF THE INTRODUCTION OF THE INTRODUCTION OF THE INTRODUCTION OF THE INTRODUCTION OF COMPETITIONOF COMPETITIONOF COMPETITIONOF COMPETITION ................................................................................................................................................................................................................................................................................................................................................................ 15151515

5.1 An offer technically based on our D3S solution ................................................................................................................ 15

Overview of D3S solution ....................................................................................................................................................... 15

Archiving for legal purposes .................................................................................................................................................. 16

Digital vault room layout ....................................................................................................................................................... 16

5.2 Packaging adapted for online gambling operators............................................................................................................ 17

D3S compliance with ARJEL requirements

Managing multiple brands and licenses

User management adapted for online gambling

5.3 Three versions to meet the specific needs of each operator

Publisher offering ................................

Hosted service offering ................................

Turnkey offering with support for integration and obtaining ARJEL licensing

The trusted solution for online gambling operators in France

D3S compliance with ARJEL requirements ................................................................................................

Managing multiple brands and licenses ................................................................................................

User management adapted for online gambling ................................................................................................

Three versions to meet the specific needs of each operator ................................................................

................................................................................................................................

................................................................................................................................

Turnkey offering with support for integration and obtaining ARJEL licensing ................................


1

.............................................................. 18

................................................................. 18

.................................................... 19

............................................................. 20

.................................................................. 20

.......................................................... 21

......................................................................... 21

A MESSAGE FROM

JACQUES PANTIN

CEO and Founder of Dictao CEO and Founder of Dictao CEO and Founder of Dictao CEO and Founder of Dictao

In 2010, the French online gambling market will open up to competition

with, in particular, the creation of a regulatory authority, the ARJEL.

To enter the French market, online g

many types of requirements, which means that their market plans will have to take into account

regulatory, marketing and technical constraints.

Dictao, a security software publisher, would like to offer these operators a

solution that enables them to easily meet the traceability requirements for gambling data that are

currently being finalized by the future authority.

Security and trust make up our core area of business. To meet the needs of our clients

public (e.g. ministry for the economy, defense segment) and banking sectors (e.g.

France), and more generally of all stakeholders, we have developed an electronic vault solution,

Dictao Secure Storage Server (D3S), based on the Dictao sig

that have been qualified and certified at the EAL3+ level of the international Common Criteria

standard. We are currently the only company in Europe to have achieved this level.

Consequently, we believe that the D3S

specifications recently published by the authority's pre

working to have this product qualified according to a CSPN (

Niveau) security target, which will allow us to quickly supply a compliant product.

Dictao's offering, based on the D3S solution, will allow online gambling operators to abide by

Article 22 of the French bill on introducing competition to this market, whic

technical device, located in metropolitan France, for traceability purposes:

"Operators shall be required to archive, in real time and on a physical medium located in

France, all data mentioned...All data exchanged between the gamble

shall pass through this medium." (Unofficial translation)

We are already prepared to meet your needs by providing, independently or with our partners, a

high-quality solution that we are committed to bringing into line with the specific

future requirements issued by the regulatory authority, and that can meet the highest objectives in

terms of performance and availability.


A MESSAGE FROM

JACQUES PANTIN

In 2010, the French online gambling market will open up to competition

with, in particular, the creation of a regulatory authority, the ARJEL.

To enter the French market, online gambling operators will have to meet


regulatory, marketing and technical constraints.

Dictao, a security software publisher, would like to offer these operators a


currently being finalized by the future authority.

Security and trust make up our core area of business. To meet the needs of our clients

ministry for the economy, defense segment) and banking sectors (e.g.


Dictao Secure Storage Server (D3S), based on the Dictao signature and signature verification tools



Consequently, we believe that the D3S solution will easily fulfill the requirements defined in the

specifications recently published by the authority's pre-configuration mission. We are currently

working to have this product qualified according to a CSPN (Certification de Sécurité de Premier

) security target, which will allow us to quickly supply a compliant product.


Article 22 of the French bill on introducing competition to this market, which imposes the use of a

technical device, located in metropolitan France, for traceability purposes:


France, all data mentioned...All data exchanged between the gambler and the operator



quality solution that we are committed to bringing into line with the specific


terms of performance and availability.


2


Dictao, a security software publisher, would like to offer these operators a turnkey technical


Security and trust make up our core area of business. To meet the needs of our clients in the

ministry for the economy, defense segment) and banking sectors (e.g. Banque de


nature and signature verification tools



solution will easily fulfill the requirements defined in the

configuration mission. We are currently

Certification de Sécurité de Premier

) security target, which will allow us to quickly supply a compliant product.


h imposes the use of a


r and the operator


quality solution that we are committed to bringing into line with the specifications and any


As a software solution publisher, we offer Dictao's D3S solution under a paid

agreement based solely on the number of processors chosen for implementation, not on the

number of transactions.

At the same time, we have developed partnerships with a view to offering operators a hosted

turnkey solution that will enable them to directly meet the fu

fixed annual cost based on the levels of performance and availability requested by the operators.

We can also offer an integration service to develop the

"gambler/operator" data streams, and support in compiling the technical documentation that must

be included in the licensing application submitted to the future authority.

By building on our competencies

expertise in electronic vault functions in particular, we are pleased to offer, independently or with

our partners, the technical solution best suited to your needs. We look forward to developing a

long-term partnership with you.

This latest version of our white paper has b

published by the future authority.

Jacques Pantin, CEO and Founder of Dictao

1


As a software solution publisher, we offer Dictao's D3S solution under a paid

sed solely on the number of processors chosen for implementation, not on the


turnkey solution that will enable them to directly meet the future authority's requirements at a


We can also offer an integration service to develop the capteur function required for tracing

ams, and support in compiling the technical documentation that must

be included in the licensing application submitted to the future authority.

By building on our competencies –which we consider unique in the security industry

onic vault functions in particular, we are pleased to offer, independently or with


This latest version of our white paper has been updated to reflect the specifications recently

published by the future authority.

Jacques Pantin, CEO and Founder of Dictao


3

As a software solution publisher, we offer Dictao's D3S solution under a paid-up license

sed solely on the number of processors chosen for implementation, not on the


ture authority's requirements at a


function required for tracing

ams, and support in compiling the technical documentation that must

which we consider unique in the security industry– and our

onic vault functions in particular, we are pleased to offer, independently or with


een updated to reflect the specifications recently

aferrand

Rectangle

1. THE REGULATORY FRAME

1 . 11 . 11 . 11 . 1 T H E P R I N C I P L E S B E H I NT H E P R I N C I P L E S B E H I NT H E P R I N C I P L E S B E H I NT H E P R I N C I P L E S B E H I N

Faced with the risks involved in gambling and

France made the choice to carefully open the online gambling market to competition by limiting

the supply side, at least initially, and by aiming to monitor operations as necessary. Online

gambling operators wishing to enter the French market must obtain a license from the online

gambling regulatory authority (the ARJEL).

Under the bill on introducing competition into the online gambling market, the French government

will only grant operating licenses to com

main objectives of these conditions are to ensure the:

• Protection of gamblers (preventing both addiction and access of minors to the gambling

sites);

• Integrity, security, reliability and transparency

• Prevention of fraud and money laundering;

• Preservation of tax resources.

The bill specifies the following operating conditions as part of the strategy to carefully open the

French online gambling market:

• A licensing system must be

• A regulatory authority, the ARJEL, must be established; its activities shall include:

� Processing license applications;

� Supervising and monitoring the gambling operations;

• Three types of gambling will be open to competition: pari

pools and non-banking games (poker);

• Licensed operators must have a .fr site for gamblers based in French territory;

• Operators must provide data to the authority for supervisory and monitoring purposes;

• A certain subset of these data must b

metropolitan France.


THE REGULATORY FRAME

T H E P R I N C I P L E S B E H I NT H E P R I N C I P L E S B E H I NT H E P R I N C I P L E S B E H I NT H E P R I N C I P L E S B E H I N D I N T R O D U C I N G C O M P E TD I N T R O D U C I N G C O M P E TD I N T R O D U C I N G C O M P E TD I N T R O D U C I N G C O M P E T I T I O NI T I O NI T I O NI T I O N

Faced with the risks involved in gambling and games of chance for both citizens and society,



wishing to enter the French market must obtain a license from the online

gambling regulatory authority (the ARJEL).


will only grant operating licenses to companies who meet the conditions set out by the law. The

main objectives of these conditions are to ensure the:

Protection of gamblers (preventing both addiction and access of minors to the gambling

Integrity, security, reliability and transparency of gambling activities;

Prevention of fraud and money laundering;

Preservation of tax resources.


A licensing system must be in place;

A regulatory authority, the ARJEL, must be established; its activities shall include:

Processing license applications;

Supervising and monitoring the gambling operations;

Three types of gambling will be open to competition: pari-mutuel betting on

banking games (poker);

Licensed operators must have a .fr site for gamblers based in French territory;

Operators must provide data to the authority for supervisory and monitoring purposes;

A certain subset of these data must be archived on a secure medium located in


4

THE REGULATORY FRAMEWORK

I T I O NI T I O NI T I O NI T I O N

games of chance for both citizens and society,



wishing to enter the French market must obtain a license from the online


panies who meet the conditions set out by the law. The

Protection of gamblers (preventing both addiction and access of minors to the gambling


A regulatory authority, the ARJEL, must be established; its activities shall include:

mutuel betting on horses, sports

Licensed operators must have a .fr site for gamblers based in French territory;

Operators must provide data to the authority for supervisory and monitoring purposes;

e archived on a secure medium located in

1 . 21 . 21 . 21 . 2 C R E A T I O N O F A R E G U L AC R E A T I O N O F A R E G U L AC R E A T I O N O F A R E G U L AC R E A T I O N O F A R E G U L A

O P E R A T O R R E G U L A T I O N SO P E R A T O R R E G U L A T I O N SO P E R A T O R R E G U L A T I O N SO P E R A T O R R E G U L A T I O N S

The future regulatory authority's missions The future regulatory authority's missions The future regulatory authority's missions The future regulatory authority's missions

Initially, the main roles of the future authority will be examining the l

whether candidates meet all the requirements and issuing licenses.

The ARJEL will be organized such that it can effectively carry out other roles:

• Defining the technical specifications for gambling platforms and software, whi

also approve;

• Verifying the certification eligibility of licensed companies over time;

• Supervising online gambling and betting operations;

• Contributing to the prevention of fraud and unauthorized sites.

Regulations concerning gambling platforms,Regulations concerning gambling platforms,Regulations concerning gambling platforms,Regulations concerning gambling platforms,

Authorized gambling services will be limited to:

• Sports pools for competitions included in a catalog compiled by the authority; bets can

only concern the outcome of these sporting events;

• Betting on horse races included in a cata

bets will be authorized;

• Non-banking games; at first only Texas Hold'em poker will be allowed.

The future regulatory authority will establish rules for licensed operators based on the following

principles:

• The obligation to generate a profit;

• A maximum player rate of return;

• The prohibition of underage gambling;

• Taxation on bets;

• The respect of gambling bans;

• The mandatory presence of moderators;

• Transparency with regard to partners and sub

• Advertising guidelines;

• Guidelines regarding the marketing actions that operators may use to attract and retain

clients;

• Regular reporting on responsible gambling, and prevention of fraud and money laundering.

Once it is created, the future regulatory authorit

gambling platforms (a draft version is currently available) with which operators must comply. Such

specifications include:

• A site dedicated to the French market, with an address ending in ".fr";


C R E A T I O N O F A R E G U L AC R E A T I O N O F A R E G U L AC R E A T I O N O F A R E G U L AC R E A T I O N O F A R E G U L A T O R Y A U T H O R I T Y A N D DT O R Y A U T H O R I T Y A N D DT O R Y A U T H O R I T Y A N D DT O R Y A U T H O R I T Y A N D D E F I N I T I O N O F E F I N I T I O N O F E F I N I T I O N O F E F I N I T I O N O F

O P E R A T O R R E G U L A T I O N SO P E R A T O R R E G U L A T I O N SO P E R A T O R R E G U L A T I O N SO P E R A T O R R E G U L A T I O N S

The future regulatory authority's missions The future regulatory authority's missions The future regulatory authority's missions The future regulatory authority's missions

Initially, the main roles of the future authority will be examining the license applications, checking

whether candidates meet all the requirements and issuing licenses.

The ARJEL will be organized such that it can effectively carry out other roles:

Defining the technical specifications for gambling platforms and software, whi

Verifying the certification eligibility of licensed companies over time;

Supervising online gambling and betting operations;

Contributing to the prevention of fraud and unauthorized sites.

Regulations concerning gambling platforms,Regulations concerning gambling platforms,Regulations concerning gambling platforms,Regulations concerning gambling platforms, organization and servicesorganization and servicesorganization and servicesorganization and services

Authorized gambling services will be limited to:

Sports pools for competitions included in a catalog compiled by the authority; bets can

only concern the outcome of these sporting events;

Betting on horse races included in a catalog compiled by the authority; only pari

banking games; at first only Texas Hold'em poker will be allowed.


he obligation to generate a profit;

A maximum player rate of return;

The prohibition of underage gambling;

The respect of gambling bans;

The mandatory presence of moderators;

Transparency with regard to partners and sub-contractors;

Guidelines regarding the marketing actions that operators may use to attract and retain

Regular reporting on responsible gambling, and prevention of fraud and money laundering.

Once it is created, the future regulatory authority will formalize technical specifications for


A site dedicated to the French market, with an address ending in ".fr";


5

E F I N I T I O N O F E F I N I T I O N O F E F I N I T I O N O F E F I N I T I O N O F

icense applications, checking

Defining the technical specifications for gambling platforms and software, which it must

organization and servicesorganization and servicesorganization and servicesorganization and services

Sports pools for competitions included in a catalog compiled by the authority; bets can

log compiled by the authority; only pari-mutuel

banking games; at first only Texas Hold'em poker will be allowed.


Guidelines regarding the marketing actions that operators may use to attract and retain

Regular reporting on responsible gambling, and prevention of fraud and money laundering.

y will formalize technical specifications for


A site dedicated to the French market, with an address ending in ".fr";

• A "front-end" for archiving gambling traces in France in real time;

• The conditions for guaranteeing secure hosting and operation.

The ARJEL's pre-configuration mission published this first version of the specifications on March 1,

2010.

Companies that obtain licenses w

meeting the requirements defined in the specifications.

1 . 31 . 31 . 31 . 3 T H E A R J E L L I C E N S I N G T H E A R J E L L I C E N S I N G T H E A R J E L L I C E N S I N G T H E A R J E L L I C E N S I N G

Estimated scheduleEstimated scheduleEstimated scheduleEstimated schedule

This schedule should enable the first operators to legally provide gambling services

market by the 2010 FIFA World Cup.

Licensing application contentLicensing application contentLicensing application contentLicensing application content

The specifications list all the elements that an operator applying for licensing must provide:

• Personal information (e.g. identity, address, legal sanctions, business names);

• Economic, financial and accounting information (e.g. balance sheet, fiscal representative);

• Gambling site (e.g. description of .fr site, advertising, affiliations);

• Gambling operations offered (e.g. types of gambling, general terms of business);

• Gambler accounts (e.g. registration, provisional accounts, funding to and withdrawal from

accounts);

• Prevention of fraud and money laundering;

• Prevention of addiction;

• Prevention of conflicts of interest (e.g. sponsoring a team or competition);

• Information system (IS)

applications, audit reports, maturity, compliance with specifications).

According to the licensing procedure announced by the ARJEL, it will respond to licensing

applications within four months

turnaround time for processing applications, we presume that the first batch of applications will

October

13, 2009

•Vote at first

reading

(Assemblée

Nationale)

February

24, 2010

•Vote at first

reading

(Sénat)

March 30,

•Adoption at

second

reading

(Assemblée

Nationale)


or archiving gambling traces in France in real time;

The conditions for guaranteeing secure hosting and operation.

configuration mission published this first version of the specifications on March 1,

Companies that obtain licenses will have one year to be certified by a recognized audit firm as

meeting the requirements defined in the specifications.

T H E A R J E L L I C E N S I N G T H E A R J E L L I C E N S I N G T H E A R J E L L I C E N S I N G T H E A R J E L L I C E N S I N G P R O C E D U R EP R O C E D U R EP R O C E D U R EP R O C E D U R E

This schedule should enable the first operators to legally provide gambling services

Cup.


Personal information (e.g. identity, address, legal sanctions, business names);

onomic, financial and accounting information (e.g. balance sheet, fiscal representative);

Gambling site (e.g. description of .fr site, advertising, affiliations);

Gambling operations offered (e.g. types of gambling, general terms of business);

unts (e.g. registration, provisional accounts, funding to and withdrawal from

Prevention of fraud and money laundering;

Prevention of conflicts of interest (e.g. sponsoring a team or competition);

architecture (e.g. front-end and vault, approval of software

applications, audit reports, maturity, compliance with specifications).


applications within four months of submission. If the ARJEL expects this to be the normal


March 30,

2010

Adoption at

second

reading

(Assemblée

Nationale)

Early April

2010

•Promulgation

of the law

•Creation of

the ARJEL

Mid-April

2010

•Publication of

orders

respecting the

application of

the law

Early May

2010

•Submission of

licensing

applications


6

configuration mission published this first version of the specifications on March 1,

ill have one year to be certified by a recognized audit firm as

This schedule should enable the first operators to legally provide gambling services on the French


Personal information (e.g. identity, address, legal sanctions, business names);

onomic, financial and accounting information (e.g. balance sheet, fiscal representative);

Gambling operations offered (e.g. types of gambling, general terms of business);

unts (e.g. registration, provisional accounts, funding to and withdrawal from

Prevention of conflicts of interest (e.g. sponsoring a team or competition);

end and vault, approval of software


of submission. If the ARJEL expects this to be the normal


Early May

2010

Submission of

applications

Early June

2010

•Licensing of

first batch of

operators by

the ARJEL

•Actual

introduction

of competition

into the

market

be processed in a shorter period of time to allow a limited number of operators to provide legal

online gambling services for the 2010 FIFA World Cup.

Transition periodTransition periodTransition periodTransition period

The specifications allow for a transition period during which some of the front

may not be met.

During this period, which may last a maximum of six months following lic

authority may exceptionally agree to allow operators to trace only the following in the front

• Gambler account data; and

• Either (to be chosen by the operator):

o Betting/game data (placing of bets, sequence of actions in a poker

o Financial data.

In all cases, data that the operator chooses to not trace directly on the front

the ARJEL by some other means for the duration of the transition period.



ine gambling services for the 2010 FIFA World Cup.

The specifications allow for a transition period during which some of the front

During this period, which may last a maximum of six months following licensing by the ARJEL, the

authority may exceptionally agree to allow operators to trace only the following in the front

Gambler account data; and

Either (to be chosen by the operator):

Betting/game data (placing of bets, sequence of actions in a poker

In all cases, data that the operator chooses to not trace directly on the front

the ARJEL by some other means for the duration of the transition period.


7


The specifications allow for a transition period during which some of the front-end specifications

ensing by the ARJEL, the

authority may exceptionally agree to allow operators to trace only the following in the front-end:

Betting/game data (placing of bets, sequence of actions in a poker game); or

In all cases, data that the operator chooses to not trace directly on the front-end must be sent to

2 . THE NEED FOR TRUST

2 . 12 . 12 . 12 . 1 G A M B L E R SG A M B L E R SG A M B L E R SG A M B L E R S

Gamblers open gambling accounts with operators, entrust them with money, make bets in the

hopes of winning with certain odds, and play against other gamblers. They must be able to trust

the operator with whom they gamble to be sure they can:

• Recover any amounts initially paid

• Recover their winnings, whether from a bookmaker or other players (pari

and poker).

To facilitate the establishment of trusted relationships between multiple gamblers and between

gamblers and operators, gamblers must be able to call on a third party in the event of a dispute to

provide evidence of their transactions. This role of trusted third party will be played by the future

regulatory authority.

2 . 22 . 22 . 22 . 2 O P E R A T O R SO P E R A T O R SO P E R A T O R SO P E R A T O R S

The data handled by operators are extremely sens

regarding their clients, which must be protected, and in part because these data could be of

strategic interest to their competitors. Operators cannot share these data with a third party unless

they are sure that the third party is completely trustworthy.

2 . 32 . 32 . 32 . 3 A U T H O R I T I E SA U T H O R I T I E SA U T H O R I T I E SA U T H O R I T I E S

The authorities ensure that the activities undertaken by online gambling operators do not

jeopardize social or public order. They must be able to draw on reliable control data to monitor for

money laundering and fraudulent or criminal activity, and to ensure the protection of minors and

persons at risk. Furthermore, authorities use these reliable data to check the tax bases of French

operators.

Consequently, the future authority must be able to

and gamblers in such a way that it can, if necessary, re


THE NEED FOR TRUST

accounts with operators, entrust them with money, make bets in the


the operator with whom they gamble to be sure they can:

Recover any amounts initially paid that do not end up being wagered;

Recover their winnings, whether from a bookmaker or other players (pari


blers must be able to call on a third party in the event of a dispute to


The data handled by operators are extremely sensitive, in part because they contain personal data



e that the third party is completely trustworthy.



ney laundering and fraudulent or criminal activity, and to ensure the protection of minors and


Consequently, the future authority must be able to track all relevant operations between operators

and gamblers in such a way that it can, if necessary, re-create them.


8

accounts with operators, entrust them with money, make bets in the


that do not end up being wagered;

Recover their winnings, whether from a bookmaker or other players (pari-mutuel betting


blers must be able to call on a third party in the event of a dispute to


itive, in part because they contain personal data





ney laundering and fraudulent or criminal activity, and to ensure the protection of minors and


track all relevant operations between operators

3 . THE TECHNICAL SOLUTI

3 . 13 . 13 . 13 . 1 A R C H I T E C T U R E W I T H A A R C H I T E C T U R E W I T H A A R C H I T E C T U R E W I T H A A R C H I T E C T U R E W I T H A

Article 22 of the French bill on introducing competition to t

use of a technical device located in metropolitan France:


France, all data mentioned...All data exchanged between the gambler a


In practice, this article translates into the use of a "front

front-end is a server that can be accessed

data exchanged between gamblers and operators must flow through this server and be recorded

so that the regulatory authority can, if necessary, examine it. The architecture can be represented

as follows:

The .fr front-end server is the technical representation of the trusted third party required for

online gambling in France.

3 . 23 . 23 . 23 . 2 T H E F R O N TT H E F R O N TT H E F R O N TT H E F R O N T ---- E N D R E T R I E V E S A N D S EE N D R E T R I E V E S A N D S EE N D R E T R I E V E S A N D S EE N D R E T R I E V E S A N D S E

T R A N S A C T I O N ST R A N S A C T I O N ST R A N S A C T I O N ST R A N S A C T I O N S

The front-end intervenes without interrupting the data stream. It must a

to manage a French interface for gamblers, manage the various regulatory displays, execute the

traceability functions required by the bill, and efficiently manage relations with their "back offices".

As shown in the diagram below,

the front-end interface, the capteur

make up the lower part of the front


THE TECHNICAL SOLUTION

A R C H I T E C T U R E W I T H A A R C H I T E C T U R E W I T H A A R C H I T E C T U R E W I T H A A R C H I T E C T U R E W I T H A F R O N TF R O N TF R O N TF R O N T ---- E N D I N F R E N C H T E R R I TE N D I N F R E N C H T E R R I TE N D I N F R E N C H T E R R I TE N D I N F R E N C H T E R R I T

Article 22 of the French bill on introducing competition to the online gambling market imposes the

use of a technical device located in metropolitan France:


France, all data mentioned...All data exchanged between the gambler a


In practice, this article translates into the use of a "front-end" that must be hosted in France. The

end is a server that can be accessed at an address ending in “.fr”. The b



Simplified architecture

end server is the technical representation of the trusted third party required for

E N D R E T R I E V E S A N D S EE N D R E T R I E V E S A N D S EE N D R E T R I E V E S A N D S EE N D R E T R I E V E S A N D S E C U R E S T R A C E S O F C U R E S T R A C E S O F C U R E S T R A C E S O F C U R E S T R A C E S O F

end intervenes without interrupting the data stream. It must allow gambling operators



As shown in the diagram below, there are four main modules within the operator's .fr front

capteur, the back-end relay and the electronic vault. The first three

make up the lower part of the front-end.


9

ON

E N D I N F R E N C H T E R R I TE N D I N F R E N C H T E R R I TE N D I N F R E N C H T E R R I TE N D I N F R E N C H T E R R I T O R YO R YO R YO R Y

he online gambling market imposes the


France, all data mentioned...All data exchanged between the gambler and the operator

end" that must be hosted in France. The

. The bill stipulates that



end server is the technical representation of the trusted third party required for

C U R E S T R A C E S O F C U R E S T R A C E S O F C U R E S T R A C E S O F C U R E S T R A C E S O F

llow gambling operators



there are four main modules within the operator's .fr front-end:

end relay and the electronic vault. The first three

The electronic vault function is run independently

to protect traces over a long period of time. This is the upper part of the front

The electronic vault stores and protects traces from the information collected by the capteur

FrontFrontFrontFront----end interface end interface end interface end interface

In standard web architecture, this is the presentation layer. This module implements the gambling

site interface in French, including all the moderators required by the future authority (e.g. pop

ups, warnings).

CapteurCapteurCapteurCapteur

This module is required by the bill

and supervisory activities from the requests sent by gamblers to the presentation layer. The nature

and format of the data traced (XML) is imposed by the future authority. This means that th

capteur module will also have to format the retrieved data according to the specifications.

BackBackBackBack----end relayend relayend relayend relay

This module transfers the transactions initiated by gamblers to the operator's back

engines. It establishes the secure link between th

may be located outside of France. As with the front

module not be the weak link in terms of performance and availability.

Vault (upper part of frontVault (upper part of frontVault (upper part of frontVault (upper part of front----end)end)end)end)

The vault module collects the traces produced by the

manner. This module is essential for the purposes of the bill. If required, the future authority must

be able to access the electronic vault either on site or remotely.


The electronic vault function is run independently of the gambling operator's business, and is used

to protect traces over a long period of time. This is the upper part of the front



site interface in French, including all the moderators required by the future authority (e.g. pop

This module is required by the bill. It must allow operators to retrieve data relevant to monitoring


and format of the data traced (XML) is imposed by the future authority. This means that th

module will also have to format the retrieved data according to the specifications.

This module transfers the transactions initiated by gamblers to the operator's back

engines. It establishes the secure link between the front-end in France and the operator's IS, which

may be located outside of France. As with the front-end interface, it is very important that this

module not be the weak link in terms of performance and availability.

end)end)end)end)

ault module collects the traces produced by the capteur to preserve them in a secure


be able to access the electronic vault either on site or remotely.


10

of the gambling operator's business, and is used

to protect traces over a long period of time. This is the upper part of the front-end.



site interface in French, including all the moderators required by the future authority (e.g. pop-

. It must allow operators to retrieve data relevant to monitoring


and format of the data traced (XML) is imposed by the future authority. This means that the

module will also have to format the retrieved data according to the specifications.

This module transfers the transactions initiated by gamblers to the operator's back-end gambling

end in France and the operator's IS, which

end interface, it is very important that this

to preserve them in a secure


3 . 33 . 33 . 33 . 3 V A U L T F U N C T I O N ( U P P EV A U L T F U N C T I O N ( U P P EV A U L T F U N C T I O N ( U P P EV A U L T F U N C T I O N ( U P P E

A key part of supervisory and monitoring activitiesA key part of supervisory and monitoring activitiesA key part of supervisory and monitoring activitiesA key part of supervisory and monitoring activities

The future regulatory authority will supervise and monitor operators' activities, a role that relies on

the transaction traces preserved in the electronic vault. S

operator and the regulatory authority, disagree on some point, these data shall be regarded as

official. They must therefore be completely reliable and admissible in a court of law.

Mandatory FNISA certificationMandatory FNISA certificationMandatory FNISA certificationMandatory FNISA certification

The French Network and Information Security Agency (FNISA), is the national reference body for IT

security. The future regulatory authority will impose a security target for the electronic vault,

which the FNISA will use as criteria in the CSPN first level secu

approving the vault application used.

Initialized by the future regulatory authorityInitialized by the future regulatory authorityInitialized by the future regulatory authorityInitialized by the future regulatory authority

The electronic vault must be initialized by the future regulatory authority. The authority will certify

the generation of the secrets, befor

operation is what makes it possible to guarantee the security of data preserved in the vault.

Hosted under the responsibility of the operatorHosted under the responsibility of the operatorHosted under the responsibility of the operatorHosted under the responsibility of the operator

The electronic vault constitutes part of the ope

responsible for hosting it, or finding a host for it, under satisfactory perimeter security conditions.

The operator is responsible for ensuring that the electronic vault functions correctly.


V A U L T F U N C T I O N ( U P P EV A U L T F U N C T I O N ( U P P EV A U L T F U N C T I O N ( U P P EV A U L T F U N C T I O N ( U P P E R P A R T O F F R O N TR P A R T O F F R O N TR P A R T O F F R O N TR P A R T O F F R O N T ---- E N D )E N D )E N D )E N D )

A key part of supervisory and monitoring activitiesA key part of supervisory and monitoring activitiesA key part of supervisory and monitoring activitiesA key part of supervisory and monitoring activities


the transaction traces preserved in the electronic vault. Should an operator and a gambler, or an



rench Network and Information Security Agency (FNISA), is the national reference body for IT


which the FNISA will use as criteria in the CSPN first level security certification process for

approving the vault application used.

Initialized by the future regulatory authorityInitialized by the future regulatory authorityInitialized by the future regulatory authorityInitialized by the future regulatory authority


the generation of the secrets, before logically and physically sealing the vault. This initialization


Hosted under the responsibility of the operatorHosted under the responsibility of the operatorHosted under the responsibility of the operatorHosted under the responsibility of the operator

The electronic vault constitutes part of the operator's infrastructure. Consequently, the operator is




11


hould an operator and a gambler, or an



rench Network and Information Security Agency (FNISA), is the national reference body for IT


rity certification process for


e logically and physically sealing the vault. This initialization


rator's infrastructure. Consequently, the operator is



4 . ARJEL SPECIFICATIONS

On March 1, 2010, the ARJEL's pre

specifications with which the IS of operators licensed in France must comply.

4 . 14 . 14 . 14 . 1 F R O N TF R O N TF R O N TF R O N T ---- E N D R E Q U I R E M E N T SE N D R E Q U I R E M E N T SE N D R E Q U I R E M E N T SE N D R E Q U I R E M E N T S

General requirementsGeneral requirementsGeneral requirementsGeneral requirements

• The front-end shall be located in metropolitan France;

• The front-end shall rely on a highly available architecture;

• Only data transmitted from the gambler to the operator may be traced, such that the data

correspond to the gambler's perception of how the bet was placed or how

played out;

• The front-end shall operate without interrupting the data stream;

• Data streaming from French IP addresses or gamblers registered as French citizens shall be

redirected towards this front

The The The The capteurcapteurcapteurcapteur

• The capteur shall retrieve data corresponding to gambling or betting actions to create

traces in the vault;

• The annex to the specifications provides a detailed definition of the XML format expected

for each type of poker, horse

• Only data related to gambling events shall be traced. Consequently, most presentation

data, such as images, shall not be traced;

• The capteur shall prepare the data to be traced and submit them to the vault after receiving

acknowledgment of correct proce

The vaultThe vaultThe vaultThe vault

• The vault shall guarantee the integrity and completeness of archived data;

• Access to the vault part of the front

mechanisms;

• Data stored in the vault shall be e

• The vault shall have CSPN certification covering:

o Submission or injection of recorded data;

o Modification of recorded data;

o Theft of data;

o Denial of service;

o Strong authentication of users and administrators;

o Event chaining;

o Event encryption;

o Signature of events;


SPECIFICATIONS

On March 1, 2010, the ARJEL's pre-configuration mission published a first version of the detailed

specifications with which the IS of operators licensed in France must comply.

E N D R E Q U I R E M E N T SE N D R E Q U I R E M E N T SE N D R E Q U I R E M E N T SE N D R E Q U I R E M E N T S

be located in metropolitan France;

end shall rely on a highly available architecture;

Only data transmitted from the gambler to the operator may be traced, such that the data

correspond to the gambler's perception of how the bet was placed or how

end shall operate without interrupting the data stream;

Data streaming from French IP addresses or gamblers registered as French citizens shall be

redirected towards this front-end.

ve data corresponding to gambling or betting actions to create

The annex to the specifications provides a detailed definition of the XML format expected

for each type of poker, horse-racing and sports betting events that shall be trace

Only data related to gambling events shall be traced. Consequently, most presentation

data, such as images, shall not be traced;

shall prepare the data to be traced and submit them to the vault after receiving

acknowledgment of correct processing from the gambling platform.

The vault shall guarantee the integrity and completeness of archived data;

Access to the vault part of the front-end shall be controlled using strong authentication

Data stored in the vault shall be encrypted such that only the ARJEL can read them;

The vault shall have CSPN certification covering:

Submission or injection of recorded data;

Modification of recorded data;

Strong authentication of users and administrators;

Signature of events;


12

configuration mission published a first version of the detailed

Only data transmitted from the gambler to the operator may be traced, such that the data

correspond to the gambler's perception of how the bet was placed or how the poker game

Data streaming from French IP addresses or gamblers registered as French citizens shall be

ve data corresponding to gambling or betting actions to create

The annex to the specifications provides a detailed definition of the XML format expected

racing and sports betting events that shall be traced;

Only data related to gambling events shall be traced. Consequently, most presentation

shall prepare the data to be traced and submit them to the vault after receiving

The vault shall guarantee the integrity and completeness of archived data;

end shall be controlled using strong authentication

ncrypted such that only the ARJEL can read them;

• Only the ARJEL shall be able to manage profiles and users for this vault. ARJEL

representatives acting on behalf of the authority shall define this configuration during a

Key Ceremony to initialize th

• Storage spaces shall be compartmentalized to separate:

o Configuration data from stored gambling data;

o Data related to the different ARJEL licenses;

• The cryptographic functions shall respect the general security framework (RGS)

recommendations;

• The electronic signature shall, by a certain time, meet the XAdES

• The ARJEL shall be able to remotely access the vault to:

o Consult traces based on a specific time frame;

o Synchronize with data stored in the vault;

• On site, the ARJEL shall be able to

• For performance purposes, the vault shall be able to cryptographically process recorded

data in batches.

4 . 24 . 24 . 24 . 2 G A M B L I N G A P P L I C A T I O NG A M B L I N G A P P L I C A T I O NG A M B L I N G A P P L I C A T I O NG A M B L I N G A P P L I C A T I O N

• Gambling applications shall be approved by the ARJEL;

• ARJEL approval includes:

o Supplying the application's source code;

o Supplying the source code for the random

o A security vulnerability audit;

o An audit validating the quality of the random

o An audit certifying that the application co

4 . 34 . 34 . 34 . 3 G A M B L I N G P L A T F O R M R EG A M B L I N G P L A T F O R M R EG A M B L I N G P L A T F O R M R EG A M B L I N G P L A T F O R M R E

• The platform shall be located in a country or territory that is not considered a tax haven by

international organizations;

• The platform shall allow the operator to generate activity reports containin

indicators for the ARJEL;

• The platform shall, by a certain time, interface with the ARJEL's database of banned

gamblers;

• The platform shall have undergone a security audit.

4 . 44 . 44 . 44 . 4 I N F O R M A T I O N S Y S T E M MI N F O R M A T I O N S Y S T E M MI N F O R M A T I O N S Y S T E M MI N F O R M A T I O N S Y S T E M M

The operator must prove the maturity of its IS, especially of those aspects related to security. To

do this, the operator's licensing application shall include documentation proving that:

• Administration and operation procedures have been implemented;

• Technical architecture specificatio

• Denial of service protection is implemented;


Only the ARJEL shall be able to manage profiles and users for this vault. ARJEL


Key Ceremony to initialize the vault;

Storage spaces shall be compartmentalized to separate:

Configuration data from stored gambling data;

Data related to the different ARJEL licenses;

The cryptographic functions shall respect the general security framework (RGS)

electronic signature shall, by a certain time, meet the XAdES-T standard;

The ARJEL shall be able to remotely access the vault to:

Consult traces based on a specific time frame;

Synchronize with data stored in the vault;

On site, the ARJEL shall be able to copy all data from the vault onto a removable medium;

For performance purposes, the vault shall be able to cryptographically process recorded

G A M B L I N G A P P L I C A T I O NG A M B L I N G A P P L I C A T I O NG A M B L I N G A P P L I C A T I O NG A M B L I N G A P P L I C A T I O N R E Q U I R E M E N T SR E Q U I R E M E N T SR E Q U I R E M E N T SR E Q U I R E M E N T S

Gambling applications shall be approved by the ARJEL;

Supplying the application's source code;

Supplying the source code for the random-number generator;

A security vulnerability audit;

An audit validating the quality of the random-number generator;

An audit certifying that the application conforms to gambling rules.

G A M B L I N G P L A T F O R M R EG A M B L I N G P L A T F O R M R EG A M B L I N G P L A T F O R M R EG A M B L I N G P L A T F O R M R E Q U I R E M E N T SQ U I R E M E N T SQ U I R E M E N T SQ U I R E M E N T S

The platform shall be located in a country or territory that is not considered a tax haven by

international organizations;

The platform shall allow the operator to generate activity reports containin

The platform shall, by a certain time, interface with the ARJEL's database of banned

The platform shall have undergone a security audit.

I N F O R M A T I O N S Y S T E M MI N F O R M A T I O N S Y S T E M MI N F O R M A T I O N S Y S T E M MI N F O R M A T I O N S Y S T E M M A T U R I T Y R E Q U I R E M E N T SA T U R I T Y R E Q U I R E M E N T SA T U R I T Y R E Q U I R E M E N T SA T U R I T Y R E Q U I R E M E N T S

turity of its IS, especially of those aspects related to security. To


Administration and operation procedures have been implemented;

Technical architecture specifications (hardware and software) are met;

Denial of service protection is implemented;


13

Only the ARJEL shall be able to manage profiles and users for this vault. ARJEL


The cryptographic functions shall respect the general security framework (RGS)

T standard;

copy all data from the vault onto a removable medium;

For performance purposes, the vault shall be able to cryptographically process recorded

number generator;

gambling rules.

The platform shall be located in a country or territory that is not considered a tax haven by

The platform shall allow the operator to generate activity reports containing aggregate

The platform shall, by a certain time, interface with the ARJEL's database of banned

A T U R I T Y R E Q U I R E M E N T SA T U R I T Y R E Q U I R E M E N T SA T U R I T Y R E Q U I R E M E N T SA T U R I T Y R E Q U I R E M E N T S

turity of its IS, especially of those aspects related to security. To


ns (hardware and software) are met;

• CERTA (Centre d'Expertise Gouvernemental de Réponse et de Traitement des Attaques

informatiques, the French IT attack response and processing governmental expertise

center) alerts are monitored and recommendations are observed;

• Administrator access to equipment and applications is controlled;

• Configuration files are updated and their integrity guaranteed;

• Gambling application source codes are provided;

• Data is archived for five years after a gambler account is closed;

• The clock is precise to within 1 sec of UTC time;

• Logs of technical traces are kept;

• User interventions are traceable;

• Physical access to technical locations is secured.


CERTA (Centre d'Expertise Gouvernemental de Réponse et de Traitement des Attaques


erts are monitored and recommendations are observed;

Administrator access to equipment and applications is controlled;

Configuration files are updated and their integrity guaranteed;

Gambling application source codes are provided;

years after a gambler account is closed;

The clock is precise to within 1 sec of UTC time;

Logs of technical traces are kept;

User interventions are traceable;

Physical access to technical locations is secured.


14

CERTA (Centre d'Expertise Gouvernemental de Réponse et de Traitement des Attaques


5 . DICTAO'S OFFER

A SOLUTION COMPLIANT

FUTURE AUTHORITY'S

REGULATIONS AS OF TH

INTRODUCTION OF COMP

5 . 15 . 15 . 15 . 1 A N O F F E R T E C H N I C A L L YA N O F F E R T E C H N I C A L L YA N O F F E R T E C H N I C A L L YA N O F F E R T E C H N I C A L L Y

Overview of D3S solutionOverview of D3S solutionOverview of D3S solutionOverview of D3S solution

For organizations looking to protect and archive their digital data such that they retain legal value,

Dictao Secure Storage Server, or D3S, is an infrastructure solution that makes it possible to:

• Protect archived electronic dataProtect archived electronic dataProtect archived electronic dataProtect archived electronic data

(only authorized persons may access the data);

• Archive data with legal valArchive data with legal valArchive data with legal valArchive data with legal val

any moment, such that they can be used as evidence in the event of a dispute. To

accomplish this, D3S ensures the authenticity, integrity, traceability and availability of

archived information over the long term.

An industrial solution, D3S has been proven in various contexts, for example at the

French Ministry of DefenseMinistry of DefenseMinistry of DefenseMinistry of Defense, the French

the INPIINPIINPIINPI (French National Institute for Intellectual Property),

D3S is the only solution on the market to be built on components whose quality, security and

regulatory compliance are regularly validated by the FNISA through audits, certifica

recertification at the Common Criteria EAL3+ level.

Dictao is currently working to obtain CSPN certification for D3S early in 2010 so that it meets the

requirements of the future online gambling regulatory authority.

D3S guarantees the following:

• Long-term preservation of archived documents;

• Intact retrieval of certified copies of archives;

• Access control for archived documents;

• Legal value of archives;

• Traceability of actions carried out.


DICTAO'S OFFER :

A SOLUTION COMPLIANT WITH THE

FUTURE AUTHORITY'S

REGULATIONS AS OF THE

INTRODUCTION OF COMPETITION

A N O F F E R T E C H N I C A L L YA N O F F E R T E C H N I C A L L YA N O F F E R T E C H N I C A L L YA N O F F E R T E C H N I C A L L Y B A S E D O N O U R D 3 S S O LB A S E D O N O U R D 3 S S O LB A S E D O N O U R D 3 S S O LB A S E D O N O U R D 3 S S O L U T I O NU T I O NU T I O NU T I O N


tao Secure Storage Server, or D3S, is an infrastructure solution that makes it possible to:

Protect archived electronic dataProtect archived electronic dataProtect archived electronic dataProtect archived electronic data: D3S guarantees data confidentiality and access control

(only authorized persons may access the data);

Archive data with legal valArchive data with legal valArchive data with legal valArchive data with legal valueueueue: D3S guarantees the continuity and intact retrieval of data at



on over the long term.

An industrial solution, D3S has been proven in various contexts, for example at the

, the French Ministry for the Economy, Industry and EmploymentMinistry for the Economy, Industry and EmploymentMinistry for the Economy, Industry and EmploymentMinistry for the Economy, Industry and Employment

titute for Intellectual Property), CegedimCegedimCegedimCegedim, and the Paris chamber of notariesParis chamber of notariesParis chamber of notariesParis chamber of notaries


regulatory compliance are regularly validated by the FNISA through audits, certifica

recertification at the Common Criteria EAL3+ level.


requirements of the future online gambling regulatory authority.

term preservation of archived documents;

Intact retrieval of certified copies of archives;

Access control for archived documents;

Traceability of actions carried out.


15

WITH THE

ETITION

U T I O NU T I O NU T I O NU T I O N


tao Secure Storage Server, or D3S, is an infrastructure solution that makes it possible to:

: D3S guarantees data confidentiality and access control

: D3S guarantees the continuity and intact retrieval of data at



An industrial solution, D3S has been proven in various contexts, for example at the Banque de FranceBanque de FranceBanque de FranceBanque de France, the

Ministry for the Economy, Industry and EmploymentMinistry for the Economy, Industry and EmploymentMinistry for the Economy, Industry and EmploymentMinistry for the Economy, Industry and Employment (MINEI),

Paris chamber of notariesParis chamber of notariesParis chamber of notariesParis chamber of notaries.


regulatory compliance are regularly validated by the FNISA through audits, certification and


Archiving for legal purposes Archiving for legal purposes Archiving for legal purposes Archiving for legal purposes

Archiving for legal purposes differs from regular storage in that it guarantees the quality and

reliability of the information.

To preserve the legal value of born

readability and durability must be ensured.

Dictao's security and trust functions guarantee the:

• Integrity of archived documents, through electronic signature;

• Confidentiality of these documents, through data encryption and access control;

• Traceability of actions performed (e.g. filing, retrieval, re

• Durability of data (e.g. evidence, documents), through periodic re

possible to preserve archives for a longer period of time.

Documents archived using this solution have legal value most notably because D3S's k

components are certified at the Common Criteria EAL3+ level. The information retrieved after

archiving can therefore be used as evidence in the event of a dispute.

D3S provides archiving for legal purposes

Digital vault room layout Digital vault room layout Digital vault room layout Digital vault room layout

D3S is organized according to a digital vault room layout, with master electronic vaults that each

contain one or more smaller vaults.

Each of these vaults may be empty or may contain one or more digital items.


poses differs from regular storage in that it guarantees the quality and

To preserve the legal value of born-digital documents, their authenticity, integrity, accessibility,

readability and durability must be ensured.

ao's security and trust functions guarantee the:

Integrity of archived documents, through electronic signature;

Confidentiality of these documents, through data encryption and access control;

Traceability of actions performed (e.g. filing, retrieval, requests for copies);

Durability of data (e.g. evidence, documents), through periodic re-signing, which makes it

possible to preserve archives for a longer period of time.

Documents archived using this solution have legal value most notably because D3S's k


archiving can therefore be used as evidence in the event of a dispute.

D3S provides archiving for legal purposes

according to a digital vault room layout, with master electronic vaults that each

contain one or more smaller vaults.



16

poses differs from regular storage in that it guarantees the quality and

digital documents, their authenticity, integrity, accessibility,

Confidentiality of these documents, through data encryption and access control;

quests for copies);

signing, which makes it

Documents archived using this solution have legal value most notably because D3S's key


according to a digital vault room layout, with master electronic vaults that each


The diagram below illustrates how D3S is organized.

D3S is organized according to the following principles:

• Divided into master vaults, each containing several smaller vaults;

• Vaults allocated to a single group of users or shared between multiple groups;

• Request for access to a va

• Integrity, confidentiality, access control, traceability ensured by each vault;

• Notification of document availability.

5 . 25 . 25 . 25 . 2 P A C K A G I N G A D A P T E D F OP A C K A G I N G A D A P T E D F OP A C K A G I N G A D A P T E D F OP A C K A G I N G A D A P T E D F O

D3S was designed to be configurable

implementations. To simplify and speed up integration of D3S into online gambling operator

platforms, we offer a pre-configured version that complies with requirements of both the future

authority and operators.


The diagram below illustrates how D3S is organized.

Digital vault room layout

D3S is organized according to the following principles:

Divided into master vaults, each containing several smaller vaults;

Vaults allocated to a single group of users or shared between multiple groups;

Request for access to a vault approved by a group of approving officers;

Integrity, confidentiality, access control, traceability ensured by each vault;

Notification of document availability.

P A C K A G I N G A D A P T E D F OP A C K A G I N G A D A P T E D F OP A C K A G I N G A D A P T E D F OP A C K A G I N G A D A P T E D F O R O N L I N E G A M B L I N G O PR O N L I N E G A M B L I N G O PR O N L I N E G A M B L I N G O PR O N L I N E G A M B L I N G O P E R A T O R S E R A T O R S E R A T O R S E R A T O R S

D3S was designed to be configurable so that it could be adapted specifically to various client


configured version that complies with requirements of both the future


17

Vaults allocated to a single group of users or shared between multiple groups;

ult approved by a group of approving officers;

Integrity, confidentiality, access control, traceability ensured by each vault;

E R A T O R S E R A T O R S E R A T O R S E R A T O R S

so that it could be adapted specifically to various client


configured version that complies with requirements of both the future

D3S compliance with ARJEL requirementsD3S compliance with ARJEL requirementsD3S compliance with ARJEL requirementsD3S compliance with ARJEL requirements

D3S meets all the ARJEL's requirements, including the main ones presented in the table below.

RequirementRequirementRequirementRequirement

1 The vault shall guarantee the integrity and

completeness of archived data.

2 Access to the vault part of the front

controlled using strong authentication mechanisms;

3 Data stored in the vault shall be encrypted such

that only the ARJEL can read them;

4 The vault shall have CSPN certification.

5 Only the ARJEL shall be able to manage profiles and

users. ARJEL representatives acting on behalf of the

authority shall define this configuration during a

Key Ceremony to initialize the vault.

6 Storage spaces must be compartmentalized to

separate:

• Configuration data from stored gambling

data;

• Data related to the different ARJEL licenses.

7 Cryptography shall respect the RGS rules.

8 The electronic signature shall, by a certain time,

meet the XAdES-T standard.

9 The ARJEL shall be able to remotely access the vault

to:

• Consult traces based on a specific time

frame;

• Synchronize with data stored in the vault.

10 On site, the ARJEL shall be able to copy all data

from the vault onto a removable me

11 For performance purposes, the vault shall be able

to cryptographically process recorded data in

batches.

Managing multiple brands and licenses Managing multiple brands and licenses Managing multiple brands and licenses Managing multiple brands and licenses

The bill stipulates that online gambling operators will have to obtain different licenses for

type of gambling they plan to offer: sports pools, horse racing betting and poker. To technically

compartmentalize these licenses, which may be obtained and revoked independently, we can


D3S compliance with ARJEL requirementsD3S compliance with ARJEL requirementsD3S compliance with ARJEL requirementsD3S compliance with ARJEL requirements


RequirementRequirementRequirementRequirement Native supportNative supportNative supportNative support

The vault shall guarantee the integrity and

eness of archived data.

Access to the vault part of the front-end shall be

controlled using strong authentication mechanisms;

Data stored in the vault shall be encrypted such

that only the ARJEL can read them;

ertification.

Only the ARJEL shall be able to manage profiles and

users. ARJEL representatives acting on behalf of the

authority shall define this configuration during a

Key Ceremony to initialize the vault.

ces must be compartmentalized to

Configuration data from stored gambling

Data related to the different ARJEL licenses.

Cryptography shall respect the RGS rules.

The electronic signature shall, by a certain time,

T standard.

The ARJEL shall be able to remotely access the vault

Consult traces based on a specific time

Synchronize with data stored in the vault.

On site, the ARJEL shall be able to copy all data

from the vault onto a removable medium.

For performance purposes, the vault shall be able

to cryptographically process recorded data in

Managing multiple brands and licenses Managing multiple brands and licenses Managing multiple brands and licenses Managing multiple brands and licenses

The bill stipulates that online gambling operators will have to obtain different licenses for




18


ARJEL ARJEL ARJEL ARJEL

configurationconfigurationconfigurationconfiguration

CSPN certification

pending

The bill stipulates that online gambling operators will have to obtain different licenses for each



configure D3S to contain three distinct logical vaults. The tech

perfectly adapted to the operator's license situation.

Some operators may want to market their online gambling platform under multiple brands, or

make their platform available to other operators as a white label product.

brand will be associated with a master vault.

The diagram below shows how D3S can be configured to accommodate multiple brands, by

assigning one master vault to each brand. Each master vault will in turn be configured to contain

smaller vaults corresponding to each type of license obtained.

Example D3S configuration for online gambling

User management adapted for online gambling User management adapted for online gambling User management adapted for online gambling User management adapted for online gambling

D3S user management supports the definition of profiles with restricted rights tailored for each

use scenario. In the online gambling context, the ARJEL's specifications identify different types of

"users" with whom we associate the following profiles in D3S:

• The The The The capteurcapteurcapteurcapteur, the technical component responsible for collecting the data to be traced, is

authenticated to the electronic vault using a "depositor" profile to file information in the

vault. The depositor profile is only authorized to write data to the vault;

• Technical personnelTechnical personnelTechnical personnelTechnical personnel in charge of the daily operation of the electronic vault are

authenticated using an "operational administrator" profile. These people are employed by

the operator or, if the service is hosted, by the hosting service provider. The operational

administrator profile only allows these users to start and stop the electronic vault, add

storage media and query the operation indicators;


configure D3S to contain three distinct logical vaults. The technical configuration would then be

perfectly adapted to the operator's license situation.


make their platform available to other operators as a white label product. In our approach, each

brand will be associated with a master vault.



ler vaults corresponding to each type of license obtained.

Example D3S configuration for online gambling

User management adapted for online gambling User management adapted for online gambling User management adapted for online gambling User management adapted for online gambling


cenario. In the online gambling context, the ARJEL's specifications identify different types of

"users" with whom we associate the following profiles in D3S:

, the technical component responsible for collecting the data to be traced, is

cated to the electronic vault using a "depositor" profile to file information in the


in charge of the daily operation of the electronic vault are

using an "operational administrator" profile. These people are employed by



storage media and query the operation indicators;


19

nical configuration would then be


In our approach, each




cenario. In the online gambling context, the ARJEL's specifications identify different types of

, the technical component responsible for collecting the data to be traced, is

cated to the electronic vault using a "depositor" profile to file information in the


in charge of the daily operation of the electronic vault are

using an "operational administrator" profile. These people are employed by



• Representatives of the future authorityRepresentatives of the future authorityRepresentatives of the future authorityRepresentatives of the future authority

authenticated using a "reader" profile. This profile only authorizes the retrieval of data and

proofs of submission associated with the electronic vault;

• Representatives of the future authorityRepresentatives of the future authorityRepresentatives of the future authorityRepresentatives of the future authority

authenticated using an "administrator" profile. This profile only allows these

representatives to configure profiles and attribute them to us


5 . 35 . 35 . 35 . 3 T H R E E V E R S I O N S T O M ET H R E E V E R S I O N S T O M ET H R E E V E R S I O N S T O M ET H R E E V E R S I O N S T O M E

O P E R A T O RO P E R A T O RO P E R A T O RO P E R A T O R

Building on D3S, and in cooperation with our partners, Dictao proposes three offerings for online

gambling operators:

• A publisher offering (vaulA publisher offering (vaulA publisher offering (vaulA publisher offering (vault application)t application)t application)t application)

operators can purchase the product (paid

transactions);

• A hosted service offeringA hosted service offeringA hosted service offeringA hosted service offering, provided jointly with our partners, which allows operators to quick

meet the technical and organizational front

• A turnkey offeringA turnkey offeringA turnkey offeringA turnkey offering where we provide, with our partners, all the services needed to implement

and operate a .fr site, along with a commitment to comply with all recommendations issued by

the ARJEL's pre-configuration mission.

Publisher offeringPublisher offeringPublisher offeringPublisher offering

Dictao offers operators an electronic vault solution compliant with the future authority's

expectations.

D3S can be purchased in license mode, for unlimited use (regardless of the number of

transactions) under a paid-up license with an annual support and maintenance fee.


Representatives of the future authorityRepresentatives of the future authorityRepresentatives of the future authorityRepresentatives of the future authority with monitoring and audit responsibilities are


sociated with the electronic vault;

Representatives of the future authorityRepresentatives of the future authorityRepresentatives of the future authorityRepresentatives of the future authority in charge of managing the profiles are


representatives to configure profiles and attribute them to users.


T H R E E V E R S I O N S T O M ET H R E E V E R S I O N S T O M ET H R E E V E R S I O N S T O M ET H R E E V E R S I O N S T O M E E T T H E S P E C I F I C N E E DE T T H E S P E C I F I C N E E DE T T H E S P E C I F I C N E E DE T T H E S P E C I F I C N E E D S O F E A C H S O F E A C H S O F E A C H S O F E A C H


t application)t application)t application)t application), from Dictao's core business area, through which

operators can purchase the product (paid-up license, irrespective of the number of

, provided jointly with our partners, which allows operators to quick

meet the technical and organizational front-end requirements;

where we provide, with our partners, all the services needed to implement


configuration mission.



up license with an annual support and maintenance fee.


20

with monitoring and audit responsibilities are


in charge of managing the profiles are


S O F E A C H S O F E A C H S O F E A C H S O F E A C H


, from Dictao's core business area, through which

up license, irrespective of the number of

, provided jointly with our partners, which allows operators to quickly

where we provide, with our partners, all the services needed to implement




up license with an annual support and maintenance fee.

Our fee structure is based on the number of processors used, which is determined by the levels of

performance and service quality required by the operator.

Hosted service offeringHosted service offeringHosted service offeringHosted service offering

We have developed a partnership program to offer operators a hosted solution for the .fr website

(complete front-end with capteur

The cost is related to the capacity installed, but independent of the number of transactions carried

out.

Turnkey offeriTurnkey offeriTurnkey offeriTurnkey offering with support for integration and obtaining ARJEL licensingng with support for integration and obtaining ARJEL licensingng with support for integration and obtaining ARJEL licensingng with support for integration and obtaining ARJEL licensing

We can also offer, with our partners, complete support for complying with French regulations.

• The vaultThe vaultThe vaultThe vault: Dictao's D3S meets all the vault functional and security requirements described

in the ARJEL's technical specifications document. We offer full support including integration

of the application into the operator's IS, whether as a "hosted service" or under a paid

software license;

• The The The The capteurcapteurcapteurcapteur: we propose helping the operator define the front

development work for the

• HostingHostingHostingHosting: the gambling platform must be hosted under perimeter security conditions

including following strict procedures. With our partner, we propose a hosting

meets these requirements; we can host either the vault only, the entire front

capteur and the vault, or the entire platform including the gambling engines and back

management servers;

• Gambler registrationGambler registrationGambler registrationGambler registration: we work with a partn

process gambler registration on behalf of the operator to ensure that registration complies

with French regulations;

• Payment toolsPayment toolsPayment toolsPayment tools: we can suggest a banking partner that can facilitate the process of setting

up payment tools and a bank account in France;

• IIIISSSS maturitymaturitymaturitymaturity: the licensing application must include documentation on the entire IS and

associated management procedures. Documentation on the front

detailed. We can help operators compil

prove the maturity of their IS;

• Corpus of economic, legal and financial documentsCorpus of economic, legal and financial documentsCorpus of economic, legal and financial documentsCorpus of economic, legal and financial documents

documentation, the licensing application must prove that the company exists and is

represented in France. We work with a law firm that can guide operators through these

steps of the ARJEL licensing application;

• Audit reportsAudit reportsAudit reportsAudit reports: the licensing application must include security audits on the gambling

applications, random-number generator and entire

firm recognized by the FNISA that can certify the quality of operators' solutions.



performance and service quality required by the operator.

developed a partnership program to offer operators a hosted solution for the .fr website

capteur and vault).


ng with support for integration and obtaining ARJEL licensingng with support for integration and obtaining ARJEL licensingng with support for integration and obtaining ARJEL licensingng with support for integration and obtaining ARJEL licensing


: Dictao's D3S meets all the vault functional and security requirements described

JEL's technical specifications document. We offer full support including integration

of the application into the operator's IS, whether as a "hosted service" or under a paid

: we propose helping the operator define the front-end architecture, carry out

development work for the capteur module and integrate it with D3S;

: the gambling platform must be hosted under perimeter security conditions

including following strict procedures. With our partner, we propose a hosting

meets these requirements; we can host either the vault only, the entire front

and the vault, or the entire platform including the gambling engines and back

: we work with a partner specialized in registering gamblers that can


: we can suggest a banking partner that can facilitate the process of setting

up payment tools and a bank account in France;

the licensing application must include documentation on the entire IS and

associated management procedures. Documentation on the front-end must be especially

detailed. We can help operators compile and write all the technical documents required to

prove the maturity of their IS;

Corpus of economic, legal and financial documentsCorpus of economic, legal and financial documentsCorpus of economic, legal and financial documentsCorpus of economic, legal and financial documents: as well as providing technical


nted in France. We work with a law firm that can guide operators through these

steps of the ARJEL licensing application;

the licensing application must include security audits on the gambling

number generator and entire platform. We work closely with an audit



21


developed a partnership program to offer operators a hosted solution for the .fr website


ng with support for integration and obtaining ARJEL licensingng with support for integration and obtaining ARJEL licensingng with support for integration and obtaining ARJEL licensingng with support for integration and obtaining ARJEL licensing


: Dictao's D3S meets all the vault functional and security requirements described

JEL's technical specifications document. We offer full support including integration

of the application into the operator's IS, whether as a "hosted service" or under a paid-up

end architecture, carry out

: the gambling platform must be hosted under perimeter security conditions

including following strict procedures. With our partner, we propose a hosting service that

meets these requirements; we can host either the vault only, the entire front-end with the

and the vault, or the entire platform including the gambling engines and back-end

er specialized in registering gamblers that can


: we can suggest a banking partner that can facilitate the process of setting

the licensing application must include documentation on the entire IS and

end must be especially

e and write all the technical documents required to

as well as providing technical


nted in France. We work with a law firm that can guide operators through these

the licensing application must include security audits on the gambling

platform. We work closely with an audit


DICTAO

Dictao is the benchmark publisher of software solutions for strong authentication and electronic

signatures.

We develop and market solutions that provide the functions required to establish security and

trust in an electronic world: client and user authentication, binding electronic signatures and

creation of legally-binding proofs of transaction.

We assist our clients in securing sensitive applications, meeting regulatory constraints and

innovating to increase efficiency and growth.

The tangible results obtained by our clients attest to the value of our products, industry solutions

and expertise.

We support the banking sector in securing online transactions for corporate and individual

banking clients, the public sector in modernizing its administrative procedures (e.g. electronic

procedures), and the industrial world in building extended enterprises (e.g. electronic orde

invoices).

Dictao is the only publisher whose solution suite is proven in various contexts (e.g. transfer

orders, online contracting, electronic invoicing, online VAT declarations) and certified at the EAL3+

level of the international Common Criteria s

Security Agency (FNISA).

They trust us:They trust us:They trust us:They trust us:

600 financial and lending institutions, including the Banque de France, BPCE (Banque Populaire

Caisse d’Epargne) Group, BNP Paribas, La Banque Postale, LCL and Société G

industrial companies such as PSA Peugeot Citroën, Total, Alcatel and CMA CGM; French

government bodies such as the Public Finances General Directorate (DGFiP), the Ministry of

Defense, the Direction des Journaux Officiels (DJO), the Agence

(ANTS; national agency for secured vehicle registration documents and passports) and the INPI

(National Institute for Intellectual Property).



and market solutions that provide the functions required to establish security and


binding proofs of transaction.

securing sensitive applications, meeting regulatory constraints and

innovating to increase efficiency and growth.


ector in securing online transactions for corporate and individual


procedures), and the industrial world in building extended enterprises (e.g. electronic orde



level of the international Common Criteria standard by the French Network and Information


Caisse d’Epargne) Group, BNP Paribas, La Banque Postale, LCL and Société G



Defense, the Direction des Journaux Officiels (DJO), the Agence Nationale des Titres Sécurisés


(National Institute for Intellectual Property).


22


and market solutions that provide the functions required to establish security and


securing sensitive applications, meeting regulatory constraints and


ector in securing online transactions for corporate and individual


procedures), and the industrial world in building extended enterprises (e.g. electronic orders,



tandard by the French Network and Information


Caisse d’Epargne) Group, BNP Paribas, La Banque Postale, LCL and Société Générale; large



Nationale des Titres Sécurisés


Dictao's Online Gambling team is available

to provide any additiona


Dictao's Online Gambling team is available

to provide any additional information required.

[email protected]

DICTAO


75116 PARIS, France

+33 (0)1 73 00 26 00

www.dictao.comwww.dictao.comwww.dictao.comwww.dictao.com


23

The ARJEL-compliant Trusted Solution For Online Gambling And Betting Operators

Documents

restricted

psa peugeot

online vat

la banque

national reference

accommodate

licensing

distinct logical