TESTING GAMING SOFTWARE – ECOGRA’S OUTCOME APPROACH. (PUBLISHED IN WORLD ONLINE GAMBLING LAW REPORT, VOLUME 02 ISSUE 09 SEPTEMBER 2003) eCOGRA - which stands for e-Commerce and Online Gaming
Regulation and Assurance - is an independent organisation
established to assure fair gaming practices. eCOGRA requires its
approved software providers and operators to comply with a comprehensive list of minimum requirements called eCOGRA
Generally Accepted Practices (also known as “eGAP”) addressing
player protection, fair gaming and responsible operator conduct, and
a core aspect of these requirements is the effective and appropriate
testing of gaming software. To achieve this, eCOGRA has adopted
an advanced form of output-based testing called Total Gaming
Transaction Review (“TGTR”). For reasons that I enumerate here,
eCOGRA strongly believes that TGTR verification is far superior,
and far fairer to all parties concerned, than source code
Some testing companies argue that the only way to be certain that
the random number generator (RNG) - the key to computerbased
casino games, whether realworld slot machines or online slots
and table games - is operating properly is to study the source code
of its program. They maintain that such a time-consuming analysis
is required for regulators to be assured that a game will perform as
it’s supposed to.
Testing companies have provided valuable contributions to the
landbased casino industry, and their work toward assurances for fair
and honest gaming in this environment cannot go unnoticed.
The difficulty arises as the gaming environment evolves from
traditional casino floor with secure stand-alone machines to Internetbased gaming, which utilizes individual personal computers.
I think the problem is that testing companies, along with many of the
regulators who rely on their work, are far too enmeshed in the
mindset of land-based gaming. Traditional gaming has been with
us far longer than online gaming, and most regulators and testing
company employees come from a background in traditional gaming.
In a real-world slot machine, the RNG and the machine form a
single, integrated unit of hardware that is locked to the outside world.
Once the software is reviewed and burned into the EPROM chip of
the unit, it cannot be physically changed. In addition to their access
to surveillance cameras, regulators typically require casinos to keep
detailed records of any incident of the machine being opened, to
minimise the chance that an operator could substitute one
EPROM chip for another.
By analysing the source code of the game, regulators, or the testing
companies that they hire, can be confident that the game performs
as specified. These procedures have worked well in the traditional
The world of online and network gaming, however, is far more
complex. To begin with, no one except the player has any control
over the hardware on which the game is being played, which is
usually the player’s personal computer. The gaming server, the
computer that runs the game, assumes a critical role for which
there is no counterpart in realworld gaming. Companies such as
Microsoft, Oracle and Sun spend hundreds of millions of dollars to
develop and refine their proprietary server products.
Likewise, gaming software developers invest huge sums in
their proprietary gaming servers.
The server does much more than house a random number
generator. It has to link into a highly sophisticated transaction
processor and controller that routes the millions of messages
coming into the system each minute, providing each message
with a response, creating complete records of all messages (in and
out), while being able to provide summary information. All of this is
done in real time.
The design of these amazing servers is jealously guarded by
software developers, who are constantly refining them to offer a
better and faster experience for the end user, while increasing security
and reducing maintenance costs.
The server is the core competitive advantage for these companies.
It is the culmination of the intellectual property that is their
I realise that regulators and testing firms are aware of the need
for the utmost confidentiality in their work, and that testing
companies have a proven track record in land-based gaming that is
without reproach. But consider the ramifications if a rogue employee
were to steal this intellectual property, perhaps posting it on the
Internet.Who would bear the legal liability and pay the enormous
damages if this happened?
Much of the modern world, in both business and government,
depends on the products of companies such as Microsoft,
Oracle, Sun and SAP. Yet they do not supply their source code to
their customers. Their products are assessed on the basis of their total
performance, not on their source code.
This is the fallacy of regulators and testing companies who insist
on source code review.While they may be well intentioned, their
model - land-based gaming - is obsolete when dealing with online
games. It is eCOGRA’s position that they should be taking their
cues from the software industry, not the gaming industry.
The problems with source code testing extend far beyond the issue
of intellectual property, for this approach is also impractical.
Regulators often don’t appreciate how much maintenance work
must be done on gaming servers.Nearly all of them rely on operating
systems from Microsoft or Sun, who release security patches almost
every week. These have to be added to the system.
Hardware failures (in the form of network cards, memory card,
power supplies) occur and need to be rectified. Unlike a traditional
gaming machine, a network system has many more points of ongoing
failure, which need to be monitored and fixed. This requires
constant access to the server system.
Requiring the software provider to get approval from a regulator or
testing house every time the provider needed access to the
system would be an operational nightmare. In fact, this very issue is
understood to be one of the reasons that Kerzner Interactive
closed its Isle of Man online casino earlier this year.
Practically speaking, the software provider must have round-theclock
access to its system. But if such access is permitted, there is
nothing to prevent a provider from temporarily replacing source code.
The code could be tested and digitally signed by the testing
company. But if the provider could temporarily bypass the tested code,
what is the value of such testing? If the provider is trusted not to do
that, why bother testing the code in the first place? Source code testing
is fully capable of giving regulators, and players, a false sense of
TGTR verification is not just an alternative; it’s the best way for
regulators to handle their quite legitimate need for testing. Rather
than attempting to test each individual component of the
system, as source code testing tries to do, test the system as a whole.
One of the best features of this approach is that it can be done on
a continual basis. Let’s remember the purpose of
testing.We all want to ensure that the player gets a fair game in
accordance with the rules, that the government gets its correct tax
allocation and that the regulators can easily ensure that all players
adhere to the law. Fortunately, using the tried and tested practices
of the software and auditing industries, this can be easily done.
It does, however, require a shift of thinking away from “traditional
gaming testing” towards “systems testing.”
By continually checking both the input and output of the system, it
is perfectly feasible to test that the system is meeting the regulatory
requirements while providing the operators and software developers
with complete operational flexibility. By checking each and
every transaction for its completeness, together with spot
testing of transactions, it is possible to verify that all transactions are
By performing further analysis of the summary data and subjecting
the vast amounts of data to rigorous statistical testing, one can
further confirm the integrity of the random number generator in
particular and of the system as a whole. After all, it’s the fairness
the final outcome that players, and the regulators who protect them,
really care about.
With TGTR verification, the online gaming industry has a
solution that goes far beyond trying to match the security of a
real-world slot machine. This is solution that allows for rapid
advances in technology, reduces development and regulatory costs,
provides for easier dispute resolution and is easily
implemented using existing methods from the broader
Among its core principles, eCOGRA recognises the need for
rigorous regulation of online gaming. Ongoing testing by
independent parties is a key component of any regulatory
regime worth its salt. The very fact that the industry is having this
discussion about the best method of testing is a healthy sign.
CEO & Executive Director of eCOGRA« Back