Casino gaming network design — compliance-grade wireless for the gaming floor

PCI DSS 4.0.1 (effective March 31, 2025) drives four wireless design inputs. Requirement 11.5.1 mandates quarterly scanning for unauthorized wireless access points inside the CDE — that obligation is continuous, not a one-time survey, so the controller must run Wireless IPS with detection thresholds documented. Requirement 11.5.3 requires a documented response procedure when a rogue AP is found.

Requirement 4.2.1 requires strong cryptography for cardholder data in transit — WPA2-Enterprise is the floor for CDE-adjacent wireless; WPA3-Enterprise is preferred for new build.

Requirement 1.4 requires CDE network segmentation from untrusted networks, including every guest SSID.

The WFHS deliverable includes a CDE segmentation diagram, a rogue-scan runbook with detection thresholds, and WPA configuration notes — formatted for your PCI QSA to review without a translation layer.

Yes. Nevada Gaming Commission Regulation 5 governs surveillance system requirements at commercial properties, and the 2024 Technology Standards Committee updates reinforce surveillance-network isolation from other property networks. California tribal Class III compacts and NIGC oversight extend comparable separation requirements to tribal gaming operations. In practice this means zero shared VLANs, zero shared controllers, and zero shared authentication systems between surveillance (cameras, DVR/NVR, VMS) and the guest or corporate WLAN.

WFHS treats surveillance as an untouchable adjacent network during wireless engineering — we do not terminate surveillance traffic on WLAN controllers, do not route surveillance VLANs through enterprise core switches carrying guest traffic, and do not share PoE budget between IP cameras and enterprise APs.

The installation runbook includes an as-designed separation diagram formatted for TGRA or Gaming Control Board inspection.

Gaming-floor high-density design runs on three disciplines. First, 20 MHz channel width across the 5 GHz band — wider channels cost airtime per client and are counterproductive above ~150 clients per AP.

Second, tight AP spacing — typically 1,000–1,500 sq ft per AP on the gaming floor itself rather than the 2,000 sq ft that open-plan office supports, with under-rail or column-embedded AP placement at pit and table zones to keep cell size small.

Third, 802.11r fast BSS transition configured on the controller with 15–20% cell overlap at the ‑67 dBm boundary, confirmed by active roaming validation against a production client to confirm the deployed configuration actually achieves 50 ms or less handoff.

Predictive modeling alone does not prove handoff behavior — the AP-on-a-Stick and active validation passes do.

Slot machine BOS connectivity from Bally, Light & Wonder, IGT, and Aristocrat is typically wired for SAS/G2S protocol traffic under most TGRA and Nevada Technology Standards Committee interpretations, and wired remains the preferred connectivity class.

Where wireless telemetry is used — service-light status, meter polling, progressive network heartbeats, contractor diagnostic access — the design isolates that traffic on a dedicated SSID bound to a dedicated VLAN with WPA3-Enterprise or certificate-based authentication, terminated behind a firewall zone separate from both guest and corporate employee WLAN.

WFHS does not install or certify gaming devices; the slot-floor IoT workstream is a connectivity-layer design coordinated with the operator’s slot operations team and the gaming-device vendor’s field technicians.

Our scope ends at the WLAN SSID, VLAN, and policy enforcement boundary.

Surveillance coordination during a casino wireless engagement has three phases. Before design, we document the existing surveillance infrastructure in the ceiling plenum — coax, CAT6, fiber runs, IP camera mounting positions, and head-end rack terminations — so AP cable pathways do not conflict with existing surveillance cabling.

During design, we flag any proposed AP mounting location that would physically obstruct a surveillance camera sightline and relocate the AP; the camera is not moved.

After install, we confirm in the validation report that no new wireless traffic shares a VLAN, controller, switch path, or authentication system with the surveillance network.

The WFHS team does not touch surveillance cameras, DVR/NVR, or the VMS head-end — that work belongs to the operator’s approved surveillance contractor.

Our scope is wireless; surveillance remains the operator’s or their contractor’s responsibility.

Yes, both. California tribal gaming operations are concentrated along the I-15, I-10, and CA-99 corridors — Pechanga in Temecula, Morongo in Cabazon, San Manuel’s Yaamava’ in Highland, Agua Caliente in the Coachella Valley, Cache Creek in Brooks, Thunder Valley in Lincoln — and are accessible on standard mobilizations from our Valencia, California hub. Nevada Strip and Downtown Las Vegas commercial properties are mobilized from SoCal on standard commercial engagements.

These tribal and commercial properties are referenced as venue archetypes, not as claimed engagements; under VAR relationships and NDA constraints, we do not name specific casino clients on public pages.

Our service model is vendor-agnostic across Cisco, Aruba, Juniper Mist, Ruckus, and Extreme; we work under the operator’s approved-vendor list rather than a fixed vendor preference.

Pool decks, cabanas, and arena exteriors in Coachella Valley and Mojave environments routinely hit 115 °F ambient in summer, with direct-sun enclosure surface temperatures substantially higher. Outdoor APs specified for these deployments require NEMA 4X rating, IP66 or higher ingress protection, UV-stable radome material, salt-corrosion resistance for coastal properties, and an operating temperature range that covers the full desert summer without thermal throttling.

Representative hardware includes Juniper Mist AP64 outdoor, Cisco Catalyst 9124AXI, and Aruba AP-387; WFHS is vendor-agnostic and specifies the outdoor AP on the basis of the existing enterprise controller tenancy and the operator’s approved-vendor list.

Mounting hardware and enclosures are stainless steel or powder-coated aluminum rated for coastal-desert exposure; AP cable pathways use outdoor-rated shielded CAT6A with proper transition glanding at every enclosure penetration.

Timeline depends on scope. A single-outlet refresh (single restaurant, single retail outlet) with complete as-built drawings can be predictively modeled and quoted within three business days of the scoping call and validated on-site in one to two days.

A full gaming-floor refresh with hotel tower, outdoor pool, arena, and convention spaces typically runs 8–16 weeks from floor plan receipt to final deliverable, because the survey phase includes multiple environment classes, the compliance deliverable requires CDE and surveillance segmentation diagrams formatted for TGRA or QSA review, and the validation phase is phased to match the operator’s cutover window across gaming-floor peak hours.

Greenfield new-build resort engagements run longer and phase with the general contractor’s construction schedule.

Every engagement is scoped and quoted as a fixed-fee SOW before work begins — the timeline, scope, and deliverables are defined in writing, and we do not bill hourly against an open-ended estimate.

25 CFR 547.15(b) is the binding federal technical standard. It prohibits open or unsecured wireless on Class II gaming systems, requires wireless access points to be inaccessible to the general public, and mandates a security methodology that makes eavesdropping, access, tampering, intrusion, or alteration impractical.

In practice, that means WPA2-Enterprise at minimum (WPA3-Enterprise preferred) on any AP within RF range of a Class II gaming component, public or guest SSIDs logically and physically isolated from the gaming VLAN, and a documented wireless-security methodology ready for Tribal Gaming Regulatory Authority review.

WFHS writes the 547.15 compliance statement directly into the wireless site survey SOW so the TGRA has the audit artifact on file from day one.

25 CFR 543.21(e) sets a seven-day minimum retention for all surveillance recordings, with a one-year minimum for recordings tied to suspected crimes, suspicious activity, or security-agent detentions discovered within that initial seven-day window. That is the federal MICS floor; many tribal-state compacts and TGRAs require longer.

The math drives network design: 500 cameras at 6 Mbps H.265 for 7 days is roughly 227 TB of raw storage before compression, and the flagged-event archive tier must survive 365 days on write-once media. Storage, NVR, and VMS transport must live on a dedicated surveillance VLAN — never shared with gaming or hotel systems.

25 CFR 543.2 defines Network Communication Equipment to include cables, switches, hubs, routers, wireless access points, landline telephones, and cellular telephones. That broad definition pulls the entire transport layer into 543.20 logical-security and physical-security scope.

Cisco Catalyst C9800 wireless controllers, Aruba 9200 controllers, Catalyst 9300/9400 access stacks, Aruba CX 6300/6400 switches, every AP, and every VoIP handset are all in-scope.

The TGRA expects three deliverables: a physical-security plan for locked IDF and MDF rooms, a logical-security plan with a segregated management VLAN and access-list enforcement, and a credential inventory on a TGRA-approved rotation interval.

25 CFR 543.20(e)(4) requires communications to and from gaming systems via Network Communication Equipment to be logically secured from unauthorized access. The regulation stops short of mandating encryption explicitly, but combined with 547.15 for wireless, the practical engineering floor is Layer 2 and Layer 3 isolation with strict access control.

Minimum design: a dedicated slot-floor VLAN with an access-list between it and the Casino Management System core, a surveillance VLAN isolated end-to-end on its own controller, no guest Wi-Fi bridging gaming VLANs, 802.1X port authentication on every gaming-facing access switch port, and network admission control through Cisco ISE or Aruba ClearPass on the management plane.

Nevada Gaming Control Board Regulation 5 Surveillance Standards require recordings to sit on a minimum fault-tolerant RAID 5 configuration on non-volatile media approved by the Chair’s designee.

Category A licensees — commercial operators above $40M annual gross gaming revenue — must maintain auxiliary and backup power capable of immediate restoration of the surveillance system covering every table game still open for play and all dedicated-camera areas.

In deployment, that usually means RAID 6 or erasure-coded object storage exceeding the RAID 5 floor, UPS plus generator redundancy scoped to the surveillance subnet (not shared with gaming or hotel feeds), and a staffed 24×7 surveillance operations room rather than an unattended equipment cabinet.

Nevada Technical Standard 3 requires chairman-approved encryption on every communication that initiates a gaming-device pay command, an approved error detection and correction scheme on all data communication, and that on-line slot systems only communicate with external equipment through a secure interface. Error-log events archive for a minimum of 30 days.

Slot-to-CMS transport in practice uses a TLS-wrapped G2S channel approved under Regulation 14. The path stays on a dedicated wired VLAN, and any wireless hop — a handheld slot-tech tablet, for example — requires a separate NGCB Reg 14 filing. Error logs feed a SIEM or log-management platform on the management VLAN with authenticated access and 30-day minimum retention.

Under 31 CFR Part 1021 (Bank Secrecy Act rules for casinos and card clubs), casinos with gross annual gaming revenue above $1 million file a Currency Transaction Report by Casinos (FinCEN Form 112) for each cash-in or cash-out transaction exceeding $10,000 in a single gaming day. 31 CFR 1010.430 sets a five-year BSA record retention period, and 31 CFR 1021.320(d) requires SARs and their supporting documentation to be retained five years from the SAR filing date.

Engineering consequence: cage, kiosk, and player-tracking transaction logs must survive five years on tamper-evident, write-once, time-stamped storage with off-site replication. SIEM retention on cage and kiosk VLANs aligns to the same timeline.

25 CFR 543.20(f) requires that every user has an individual access credential (no shared accounts), that credentials rotate at a TGRA-approved interval (typically 60 to 90 days), that deactivation procedures cover lost or terminated credentials, and that access-credential records are maintained. Section 543.20(l) adds cryptographic signature verification for software downloads.

Network-admission design: 802.1X on every gaming-access port, RADIUS through Cisco ISE or Aruba ClearPass for slot-tech, surveillance-ops, and CMS-admin roles, MFA on the management plane (controllers, core switches, firewalls), and a privileged-access management jumpbox for any vendor remote-support session documented under 543.20(h). Shared service accounts are forbidden on any gaming-system component.

25 CFR 547.15(d) requires Class II gaming systems to record unauthorized access attempts, and 547.15(g) requires logging of the establishment and loss of communications between system components. That is a federal mandate for intrusion detection and session-event logging at the network fabric, not just the application layer.

Minimum design: NetFlow or sFlow on gaming-VLAN distribution switches, WIDS/WIPS on the wireless controller covering the gaming-floor airspace (Cisco CleanAir or Aruba WIPS), syslog aggregation into a SIEM with 30-day hot retention plus one-year archive, and correlation rules tuned for unknown MAC on a slot port, slot-to-CMS session loss, and rogue AP in the regulated RF airspace.

Yes — 25 CFR 543.20(h) permits remote access for support, provided each session is documented with the authorizing agent name, the accessing agent name, identity verification, the reason, a work description, and session start and end timestamps, and the access travels over secured methods. TGRA may require per-session pre-approval.

Vendor support for IGT, Aristocrat, Light & Wonder, Konami, Everi, or AGS systems must traverse a TGRA-approved jumpbox or bastion with MFA, full keystroke recording, and a per-session ticket ID. Persistent vendor VPN tunnels direct to gaming-VLAN endpoints are prohibited. Firewall rules permit the vendor jumpbox to reach the gaming system only during an active approved session window.

Yes. The 2017 Morongo Compact and parallel language in Pala, United Auburn, and Tuolumne amended compacts filed with the California Gambling Control Commission require the tribe to maintain a closed-circuit television surveillance system consistent with industry standards, approved by the Tribal Gaming Agency, and not modified without TGA approval.

The California Bureau of Gambling Control holds inspection rights. Engineering consequence: adding APs, changing VLANs, swapping controllers, or migrating NVRs on the surveillance network requires TGA approval in writing before the change.

The WFHS design package delivers drawings, before/after topology, firmware versions, and impact analysis ready for TGA review — no field changes without a signed memo in hand.

PCI DSS v4.0.1 Requirement 11.2.1 requires rogue wireless AP detection at least quarterly at every location containing the cardholder data environment. The method can be a quarterly wireless-analyzer site walk or a deployed wireless IDS/IPS generating continuous alerts, but the quarterly cadence applies either way.

Casino hotel PCI scope typically covers cage cash-to-card, kiosk cashless wagering, front desk, F&B, retail, spa, parking, and box office. Design: Cisco C9800 controller with Cisco Spaces or Catalyst Center rogue-AP feed, or Aruba 9200 controller with AirMatch and WIPS license. Quarterly site walks document every detected SSID and BSSID against an approved-AP inventory feeding the PCI Report on Compliance.

25 CFR 543.20(d) requires the IT environment and infrastructure to sit in a secured physical location with access restricted to authorized agents, with access devices — keys, cards, fobs — controlled by an independent agent, with access records maintained and updated, and with specific physical security for Network Communication Equipment.

MDF, IDF, server room, WLC location, and surveillance operations room all fall under that scope. Deliverables: a physical access-control system with badge reader and camera at every door, an access log with five-year retention aligned to BSA 1010.430, separation of IT custody (Facilities owns the badge system, not IT), tamper-evident cable entries on the surveillance NVR rack, and environmental monitoring tied to SIEM alerting.

GLI-26 “Wireless Systems Standard” version 2.0 (2015) is the Gaming Laboratories International standard for wireless gaming systems. GLI-13 version 3.0 (published 2024-07-21) governs Monitoring and Control Systems and Validation Systems — the systems-side counterpart — and GLI-11 governs the gaming device itself.

Jurisdictions invoke GLI-26 by reference in their testing regime; it is not self-binding but becomes binding when cited. When a California tribal compact references “GLI standards” generally, the design should assume GLI-11, GLI-13 v3.0, and GLI-26 v2.0 all apply. WFHS includes the specific GLI version references in the SOW so the testing-lab package and the jurisdiction’s testing memo line up.

NGCB Regulation 5 Surveillance Standards require the surveillance room at Category A (≥$40M annual GGR) and Category B ($15M-$40M GGR) licensees to be attended at all times by personnel trained on the equipment and knowledgeable of the games and house rules.

Malfunction and repair logs must record the time, date, nature of the malfunction, repair efforts, reasons for any delay, and the repair-completion date. Network design must support 24×7 operator workstations: Power-over-Ethernet to operator PCs, a low-latency path to the NVR and VMS, redundant uplinks, and a dedicated VLAN for operator console traffic with no shared infrastructure with gaming-floor or hotel workstations.

25 CFR 543.20(j) requires daily backups of critical systems, documented capability to restore programs, secured backup storage, redundant systems, and annual testing of recovery procedures with documented results. Design must support daily incremental and weekly full backup of the CMS, surveillance VMS, cage systems, kiosk systems, and player-tracking databases.

Backup transport stays on a dedicated backup VLAN isolated from gaming operations. The annual DR test deliverable includes a written runbook, tabletop exercise minutes, and restoration validation signed by a TGRA representative. Backup target is on-premises plus an off-site immutable copy — ransomware defense aligned with the NIGC IT Audit Toolkit guidance on emerging cyber threats.

The NIGC Compliance Division’s 25 CFR 543.20 IT Audit Toolkit and 2026 training agenda flag ransomware trends, Business Email Compromise, and emerging risks from artificial intelligence usage affecting tribal gaming operations. Those are the audit focus areas TGRAs are expected to press on.

Hardening design: for ransomware, VLAN segmentation, immutable backup, endpoint detection and response on every Windows endpoint, and MFA on the admin plane; for BEC, an email security gateway with DMARC, DKIM, and SPF enforcement on the hotel and corporate domains; for AI-driven attacks, WIDS and WIPS with anomaly-detection tuning plus behavioral analytics on slot-network traffic. WFHS bakes these into the security architecture deliverable.

25 CFR 543.21(c) requires the surveillance system to monitor and record a general overview of activity at every kiosk — maintenance, drops, fills, voucher redemption — and dedicated surveillance on progressive displays at specific reset thresholds: $1 million for wide-area progressives and $250,000 for in-house progressives.

Practical consequence: a 50-kiosk property adds at least 50 dedicated cameras before progressives are counted, and each qualifying progressive jackpot display gets its own camera. Bandwidth, NVR storage, and VLAN capacity on the surveillance network must be sized accordingly. Progressive-meter cameras feed the same surveillance VLAN but are specifically called out in the surveillance plan filed for TGRA review.

Yes. California tribal-state compacts grant the State Gaming Agency — the Bureau of Gambling Control, with the California Gambling Control Commission overseeing — inspection rights across the gaming operation, including technology systems.

Exact IT and network inspection scope is compact-specific; the “State Gaming Agency Inspections” or “Technical Standards” section typically permits SGA auditors, accompanied by the TGA, to access records, facilities, and systems. Network design must accommodate dual-agency review: the TGA technical review is primary,

and BGC/CGCC audit review is invoked under compact terms. Access paths for SGA auditors — read-only, supervised — are pre-designed into the management plane, typically a jumpbox with audit-logged sessions available on request.