Gaming Strategy
Featured Stories
Legal News Financial News Casino Opening and Remodeling News Gaming Industry Executives Author Home Author Archives Search Articles Subscribe
Newsletter Signup
Stay informed with the
NEW Casino City Times newsletter!
Recent Articles
Vicky Nolan

Q & A: John Cargnello

4 January 2001

IGN takes an in-depth look at the services provided by accredited independent testing agencies with an interview of John Cargnello, CEO of Technical Systems Testing (TST). With offices in Australia and North America, the Australian firm has a long history of helping both land-based and Internet gaming and wagering companies meet various government regulatory requirements.

Only a few nations have established meaningful technical requirements for issuing an operator's license to online gaming and wagering sites, but the market for this type of service is expanding. New countries are entering the Net betting arena, and some of these countries' governments will implement stringent requirements to attract quality operators. Australia has developed some of the highest standards--standards that are being considered in countries with less regulatory structure, such as Antigua and Dominica.

Further, the United Kingdom is considering licensing Internet casinos, while there is a swelling support for regulation of Net betting in the United States. Consequently, technical requirements could become even more rigorous.

Of course, some of this is conjecture, but that's the fun part of prognostication. Nonetheless, learning about the certification process can be helpful. Even for operators that aren't required to meet technical requirements established by their licensing jurisdiction, showing customers that your site has undergone certification can establish credibility. As such, certification could be what sets your site above the competitors.

IGN: How did TST get involved in the gaming industry?

JC: Back in 1993, in Australia, which has a large proliferation of the world's gaming devices, something like 21 percent of the world's legal electronic gaming devices, there was only one testing lab providing independent certification to government regulators. We saw an opportunity there for a second lab, as there always is where a monopoly exists. So, we established TST; we were successful. We were successful in obtaining a contract and we just went from there.

IGN: What does TST do?

JC: TST is an accredited testing lab for both terrestrial gaming in Australia and various jurisdictions in Canada and the United States and it is also an accredited testing lab for Internet gaming in Australia--only Australia right now because nobody else uses accredited testing labs.

IGN: Nobody else in Antigua, Costa Rica or elsewhere?

JC: Well, they do, but it's not required yet by law. I believe it will be required by law in a relatively short amount of time.

IGN: Do you know the jurisdictions where that's going to be changing?

JC: Antigua, for one. Dominica for another, and South Africa, I think, as a third. Great Britain, and I believe, Canada will eventually come aboard. I think, for that matter, even jurisdictions in the United States. I was at the International Gaming Regulators Conference and New Jersey regulators gave the Kyl bill a 50-50 chance of passing. They feel it's less than 50-50 now, and they felt that if the bill failed it will become a matter of state regulation, which means you could see some states in the U.S. allowing Internet gaming, and other prohibiting it.

Either way, you have to do something. Unless you're going to pass laws that are unenforceable, you have to be able to do something to implement it.

IGN: When you say you are the accredited testing lab, what is that, especially regarding online gaming.

JC: There are various aspects to any online gaming site. I mean there are aspects to do with the design of the game, the operation of the software--things like authentication, encryption, the way the back end system works, what sort of events need to be flagged and recorded, and so on. These are all laid down in regulatory requirements in the jurisdictions, for example, in Australia. The Australian authorities require a lab with the appropriate expertise to be able to tell them that the gaming site meets those particular requirements. Although they set the requirements they do not evaluate the sites themselves, as it's a very complex and time-consuming operation. That's where we come in.

IGN: You do that for the sites, but who hires you, the site or the government?

JC: If you're a site or if you're a software vender, you have to have your software or your site tested by an accredited testing lab. You have to use one of the labs they recommend. You can't, for example, use Pricewaterhouse. They're not an accredited testing lab for Internet gaming in Australia. You would have to go to one of the labs that specializes in the technology and is aware of what the regulatory requirements are and have your site evaluated.

When it's evaluated, what we would do, is we would then issue a report to both the site, the software vendor and the government will, if it passes, recommend the site for approval. It is the government that certifies a site, that is the government's responsibility, but what we do is recommend a site for approval. That is the same for all testing labs.

IGN: And what about sites outside of Australia?

JC: Yeah, many sites will use our services for a number of reasons. One, we can evaluate software at any stage of development, including its initial design and conception. We can say, '"Look, we can tell you right now the software is going to pass or not going to pass regulatory requirements." And, the fact is the Australian regulatory requirements are becoming the de facto standards for the rest of the world.

People use us because we are very, very efficient in the testing process. That's all we do. We are very good at testing games and we are very, very good at evaluating mathematics, making sure that random number generators are not exposed. As you are probably aware, some sites have made major losses because of the weaknesses in their random number generators. We would make sure the site is protected, and so in that respect, we add value. But, I believe they also use us because TST is a recognized name around the world of people who know gaming. If it is independently certified by TST, it meets those particular requirements. Obviously any gaming vendor can test the software themselves for the Australian requirements. I don't believe they would do it as efficiently because they don't do that on a regular base, where we do. Even beyond that, even if they do, if you go to Australia, it doesn't mean anything. They'll still say, 'well, you have to be certified by an accredited testing lab anyway.' So, they might as well get us involved as early as possible.

IGN: Do you work with software developers before they even sell the software?

JC: Yes, we do.

IGN: So an operator can buy a turnkey package from a company that's already gone through you?

JC: Yes. We deal with the software people, the operators and the regulators. They are our three top clients and sometimes we deal with all three at one time.

IGN: For one site? Does that ever cause a problem?

JC: No, because the requirements are normally quite clear. And ultimately everyone has the same objective, and that is meeting requirements.

IGN: What are the most common problems you see when testing software?

JC: Probably the common problems would be weaknesses in the random number generator or the mathematical side of the software, which can mean not only that the player doesn't get a fair return, and it could mean, for example, that the site is exposed to attack. Or it could be that the site is paying too much money, or you play particular strategy where you're paid better than 100 percent return, for example, that would be common.

Design faults in the software that could bring the software down or security weaknesses in the site, which could result in breaches in security, or someone or the site being subject to denial of service attack.

Scalability issues (regarding the ability of the site to perform under increasing user loads). For example, a site might work absolutely fine with 100 users, then with 1,000 users it might degenerate significantly. It might degenerate to the point where the site completely falls down. Sometimes buffers can overflow and the site can shut down. In a worst case scenario, security measures will fail and you might be able to penetrate the firewall and get behind the firewall. Confidential information might be revealed. Can't say till you actually look, but certainly when people do launch attacks on sites, frequently attacks are launched just on flooding a site. That's a common method of attack.

IGN: Do you ever have customers that disagree with your suggestions or customers that don't want to implement your suggested changes?

JC: On occasion. Some of those occasions they'll have real differences of opinion. Now if it's a regulated jurisdiction, that's not hard to resolve because either its something which is required or not required. In non-regulated jurisdictions we work for the client. We will inform them what the situation is, whether they choose to do anything about it is up to them.

So, for example, if we test a site and found the site was subject to a denial of service attack because of a particular weakness in the way the site was configured. The site might say, "No, I don't think its worthwhile hardening my operating system to the degree you say we should." That's a business decision. Our role is to point out what the potential problems are.

IGN: How often do you think a site should have the software re-tested?

JC: Well the software should really be tested whenever a change is made. Obviously a lot of testing would be trivial because the changes would be very minor. But, with each incremental line of code which is changed, exposure increases exponentially. I once heard that for every code that you change, seven lines are affected. There have been circumstances when even trivial changes to programs have resulted in serious problems.

IGN: What was TST's role in the "black box" proposed for use in Antigua?

JC: That was something that was requested by the Department of Offshore Gaming. That is not a service we normally provide. But they came to us with a request for proposal saying that this one of the requirements that we would have to respond to. Because it was something that was outside our area of expertise, we went to another co that had specialist expertise in this area. That was Riptide/eSuccess. In retrospect, we should have probably said this was something outside our area of expertise, it is best you deal with an appropriate vendor directly. The problem is, what we do is try to be a total solutions provider to our clients. So if our clients say "we want something" and it's outside our area of expertise, we will normally try to find someone who will do it, and that's the case in Antigua.

IGN: Has that whole effort died out?

JC: I believe so.

IGN: Did any other licensing jurisdiction look at what occurred in Antigua with an eye as to whether they should be making the same move?

JC: No, the general feeling is that if you have a comprehensive set of technical requirements--such as those in Queensland or Tasmania, or those used by the Kahnawake Indians--and you have your software tested and approved, tested up to those requirements by someone in an accredited testing lab with expertise in the area, that's all you need.

IGN: You don't worry, for example, that the random number generator would be changed or something else?

JC: No, we would look for controls in place to make sure that doesn't happen. These controls would be reviewed on an ongoing basis by auditors. Either it's something we can do or the government can do.

One of those controls is change control. One of the benefits of change control--the whole point to change control--is that you can make sure only authorized changed can be made to the programs.

IGN: Is it typical for TST to go back and check a site on a regular basis?

JC: Sometimes it's us, sometimes government inspectors do it.

IGN: What does a typical contract encompass?

JC: They normally sign up for one service. What we do is, most of our relationships with clients are ongoing partnership relationships. There's no such thing as static software. It's always changing or growing. There are always things we can do for our clients to make their lives easier for them.

IGN: Is TST involved with the development of legislation or regulations in any jurisdictions?

JC: Yes, we have, but normally in relation to the technical requirements. We are not involved in input in areas that involve the probity of operators. What we do provide input into cases like Antigua and Dominica, is we will actually get involved with writing the technical standards.

IGN: So you're doing that in Antigua?

JC: It's already been done. Obviously those technical requirements are nothing without the legislative background. The legislative backing will say you have to meet these technical requirements. The Antigua technical requirements will be very similar to the Queensland requirements. We were asked initially to base them closely on the Australian requirements. This seems to be the way things are going.

IGN: How about the United Kingdom, are you looking to work there?

JC: According to the government regulators at the International Gaming Regulators Conference in Venice (held in October 2000), the U.K. government is looking at regulator or evaluating the possibility of introducing regulated Internet Gaming, as is the government of South Africa.

IGN: Will the U.K. Gambling Review Body be considering any technical requirements for Internet gaming?

JC: I imagine they will. So I imagine if they decide to regulate Internet gaming they will choose to develop a set of technical requirements, and they will choose to use the services of one of the accredited testing labs, because that's where all the expertise is.

IGN: Are there such companies in the U.K.?

JC: No, the only companies that have that sort of expertise are those three companies that come from Australia: TST, BMM and GGS.

IGN: So you have a good shot at having some input on this?

JC: Oh, sure. Right now we are the only one of the three companies, which is internationally based, and we have been internationally based for a long time. So, we certainly have a shot at it. We have both the technical expertise to do it, along with an established reputation.

IGN: What do you think is TST's greatest strength?

JC: Oh that's a good one. Obviously the technical competence is important. You couldn't be an accredited testing lab if you weren't technically competent. So, it is fair to say that all labs are technically competent, because if you weren't they would take away your accreditation.

We are different in terms of our customer service. When we first got started as a testing lab, it was a monopoly situation in Australia, so we had to take business from an existing lab, which was BMM. When we got started in North America, it was a monopoly situation in North America with a lab called GLO. (They're not involved with Internet gaming; they're involved with land-based gaming.)

Now, I don't think we could take business from a monopoly unless we provide a level of service, which is greater than what they can provide. If what you do is provide an equivalent level of service why should people change? So you have to offer something that's a little better. Provided the lab is competent, and I don't think anyone would be in business if they weren't competent, there's not much you do from a technical standpoint. But there is a lot you can do from a customer service viewpoint. You can make sure the customer's needs are properly addressed, you can make the testing faster and more responsive. You can make things more efficient, from a value-added point of view. That doesn't mean you do thinks for a lesser rate, but it means you add more, you add greater value to that service.

IGN: Do you receive much word of mouth recommendation?

JC: Very much. Most people in the industry know about TST.

IGN: What knowledge have you gained from your experiences testing software?

JC: When we first started out, we saw it as very, very similar to testing land-based systems. But, we found out it has all the complications of testing a land-based system, and a lot more besides.

There are aspects to do with the security and integrity of the sites, for example, that you don't have in land-based systems. The other thing I think is important is if you're involved with the Internet gaming sites, you have to be much more involved with the business practices of the site, in relation to site performance. The ability to work with your customer, for example, to allow them to make important changes to the site without a long and complicated re-testing process. Obviously changes do have to be tested, but there are different ways of doing it. You have to do it in a way that facilitates and allows your customers to make those changes on a frequent and as needed basis.

IGN: IGN: How did TST go from working with land-based gaming companies to Internet gaming?

JC: I had an interest in Internet gaming from its inception. In fact, I was among one of the very few at the first meeting of the IGC (Interactive Gaming Council) in Las Vegas. I have been involved with the IGC since that time, which has certainly been a long uphill battle to convince people of the need for testing. Now, of course, all the testing labs are members of the IGC. But, of course, we're the only ones in there since its inception.

IGN: Do your customers see your involvement with the IGC as an added value to your services?

JC: I think so, because they see other people coming in, they see what those people can do-- much the same sort of thing we can do--but we have long established relationships with our clients. They know we've been supporting the industry long before we were making money from the industry. They're also aware that we have a commitment to the industry. We didn't just come to if because the idea of testing was important and all of the sudden there was a ready market.

Also, I think the Seal of Approval is an important issue. (See IGC Unveils 'Seal of Approval' Program.) You can get the Seal of Approval if you meet the requirements of the jurisdiction where you operate. Now the problem that I believe is apparent with that Seal of Approval is if you happen to operate in a jurisdiction such as Australia, Antigua (in the near future) or Liberia, you have to meet a very strict set of requirements. And if you happen to be in a jurisdiction with no requirements, you can get the Seal of Approval without doing anything.

IGN:What do you think should be done?

You're not comparing apples with apples. And I think that what you have to do in the long run is you have to recognize those operators and those sites that do go through the process of getting the sites tested to a stringent set of technical requirements. Just saying you meet jurisdictional requirements doesn't mean anything if there are no jurisdictional requirements. What's important is that you meet a high set of technical standards. Therefore, I believe that there should something to distinguish sites which do meet that requirement, as opposed to those that choose not to.

IGN: Do you think that's something that should be part of the IGC membership?

JC: I believe there should be a high level beyond the Seal of Approval, which you can actually be given if your site tested to a recognized high set of, a premium set of requirements.

Q & A: John Cargnello is republished from
Vicky Nolan
Vicky Nolan