(A) Casino operators and gaming related vendors shall ensure their electronic gaming equipment supports a port and protocol, referred to as game authentication terminal (GAT), for gaming equipment verification.
(B) Electronic gaming equipment submitted for approval on or after December 1, 2012 shall provide the following support for authenticating critical program storage media (CPSM):
(1) Employ a verification mechanism, approved by the commission, which authenticates all CPSM. The authentication mechanism shall:
(a) Be accessible by a communication port and protocol approved by the commission;
(b) Possess an approved communication port located within the locked electronic gaming equipment cabinet and be accessible without requiring access to the locked logic compartment;
(c) Provide on-demand authentication of electronic gaming equipment CPSM. This function shall not require the electronic gaming equipment power to be cycled and the execution time shall not exceed twenty minutes;
(d) Generate a unique signature for each CPSM utilizing secure hashing algorithm-1 (SHA-1) with hash-based message authentication code (HMAC), as defined by the "National Institute of Standards and Technology (NIST), Federal Information Processing Standards Publication 180-4: Secure Hash Standard (March 2012)"; and
(e) Provide support for escrowing verification results. Verification results shall be preserved and retrievable pending a subsequent verification request or a loss of power; and
(2) Provide means for the use of third party authentication tools approved by the commission.
(C) All electronic gaming equipment submitted for approval before December 1, 2012 which offers a communication port, shall comply with the requirements in paragraph (B), except paragraph (B)(1)(b) of this rule, upon the installation of new CPSM, and shall comply with this rule by December 1, 2012, unless otherwise approved in writing by the executive director or designee.
(D) Electronic gaming equipment submitted for approval before December 1, 2012 which do not offer a communication port are excluded from this rule.