What PCI DSS level do I need?

Most operators fall under Level 3 or 4. If you use a hosted payment page from your PSP, you need SAQ-A. just 22 questions. Don't store card data on your servers.

When do I need to verify player identity (KYC)?

UK, Germany, Sweden, Netherlands, US, Brazil: before first deposit. Malta (MGA): before first withdrawal but tightening. The trend is pre-deposit verification everywhere.

Which countries ban credit card gambling?

UK (2020), Australia (2023), Brazil (April 2026), Belgium (2023), Pennsylvania (restricted). Germany limits via €1K cap. Expect 3-5 more jurisdictions by 2028.

What happens if I fail a compliance audit?

Ranges from warning to license revocation. Fines reach millions. Your PSP may also terminate your account independently.

Do I need a dedicated compliance officer?

Small: part of general compliance role. Medium+: dedicated payment compliance or MLRO recommended. UKGC and MGA require designated MLRO.

What's the difference between my obligations and my PSP's?

PSP handles PCI DSS, 3DS, basic fraud. You handle KYC, AML, SAR filing, deposit limits, self-exclusion, affordability, audit docs. Using a PSP doesn't transfer liability.

How does MiCA affect crypto in iGaming?

EU crypto processors need VASP license under MiCA. Grandfathering expires mid-2026. If your processor isn't licensed, you carry the risk.

iGaming Payment Compliance: KYC, AML, PCI DSS & Jurisdiction Rules (2026)

Compliance Finder

Click your target market to see what's required. No other page in the search results provides this.

Select your target market to see payment compliance requirements:

Click a market above to see its compliance requirements

The Four Compliance Layers

1Universal

PCI DSS, data protection. Applies everywhere.

2License-Specific

Your gambling license rules (MGA, UKGC, Curaçao).

3Jurisdiction-Specific

Where your PLAYERS are. Deposit limits, method bans, KYC timing.

4Provider-Specific

Your PSP adds their own KYC, reserves, country restrictions.

Key: You follow the rules of your license AND the jurisdiction of each player. An MGA-licensed operator with UK players must comply with both.

PCI DSS Compliance

Which Level Do You Need?

Level	Transactions	Requirements
Level 1	> 6 million/yr	On-site QSA audit, annual ROC
Level 2	1-6 million/yr	Annual SAQ, quarterly scan
Level 3	20K-1M/yr	Annual SAQ, quarterly scan
Level 4	< 20,000/yr	Annual SAQ (self-assessment)

SAQ Types. What Applies to You

SAQ-ALowest. 22 questions

All card data handled by PSP (hosted page)

Recommended for most operators

SAQ-A-EPMedium. 139 questions

Your website impacts transaction security

SAQ-DHighest. 329 questions

You store/process card data yourself

KYC and AML Requirements

Use the Compliance Finder above to see KYC timing for your specific market. Below: Enhanced Due Diligence triggers that apply everywhere.

Enhanced Due Diligence Triggers

Cumulative deposits > €2,000 (MGA) / £2,000 (UKGC) → source of funds

Single deposit > €10,000 → enhanced AML review, possible SAR

Player from FATF grey-list country → enhanced monitoring

PEP identified → ongoing monitoring, senior management approval

Large deposits + minimal play + quick withdrawal → suspicious activity

UKGC: £125 net loss/month → financial vulnerability assessment

Credit Card Ban Wave

The trend is expanding. UK started it in 2020. More jurisdictions are following.

🇬🇧

UK2020

First major market

🇦🇺

Australia2023

Credit + debit limits

🇧🇪

Belgium2023

Full ban

🇧🇷

Brazil2026

April 2026

🌍

More coming2028?

3-5 jurisdictions expected

What This Means for Operators

Technical: BIN-level blocking

Credit card BINs have specific ranges. Your PSP can filter them per jurisdiction. Must be implemented per country. UK debit OK, UK credit blocked.

Commercial: offer alternatives

Players whose credit cards are blocked need another way to deposit. Open Banking, e-wallets, and debit cards fill the gap.

Strategic: prepare now

If you operate in markets where credit cards are still allowed. build the blocking capability anyway. The ban is coming to your market.

Responsible Gambling Payment Controls

Control	Description	Mandatory Where
Self-imposed deposit limits	Player sets daily/weekly/monthly	MGA, UKGC, Sweden, Netherlands
Regulatory deposit cap	Government-mandated maximum	Germany (€1,000/month)
Limit decrease	Takes effect immediately	UKGC, MGA
Limit increase delay	24h (UKGC) to 7 days (MGA)	UKGC, MGA
Self-exclusion register	GAMSTOP, Spelpaus, CRUKS, OASIS	All regulated markets
Reality check timer	Reminder of time/money spent	UKGC (60 min)
Affordability assessment	Financial vulnerability check	UK (£125/mo net loss)

Your Responsibility vs Your PSP's

You

Your Responsibility

●KYC process and record keeping

●AML monitoring and SAR filing

●Deposit limit enforcement

●Self-exclusion register checks

●Affordability assessments (UK)

●Responsible gambling controls

●Cross-operator tracking (Germany)

●Player communication about limits

●Audit readiness and documentation

Even if your PSP provides tools, the liability is yours.

PSP

Provider Handles

●PCI DSS for their infrastructure

●3DS authentication

●Basic fraud rules and screening

●Card BIN identification (credit vs debit)

●Tokenization of card data

●Settlement and reporting

●Some: integrated KYC tools

Using a PSP does NOT transfer your regulatory obligations.

Payment Compliance Checklist

Universal

PCI DSS compliance (SAQ-A minimum with hosted payment page)

SSL/TLS encryption on all payment pages

Card data NOT stored on your servers (use PSP tokenization)

Transaction logging with audit trail (5+ year retention)

Refund/cancellation policy published

Clear transaction descriptor (your brand name, not PSP name)

KYC / AML

KYC verification at jurisdiction-required stage

Age verification before gambling access

Document verification flow (ID + proof of address)

Enhanced due diligence triggers configured

SAR filing process documented + assigned MLRO

PEP and sanctions list screening (initial + ongoing)

KYC records retained 5+ years after relationship ends

Staff AML training: documented, annual

Responsible Gambling

Deposit limits: daily, weekly, monthly (player self-set)

Limit decrease = immediate, increase = delayed

Self-exclusion register integration

Reality check notifications (60 min for UKGC)

Affordability checks at thresholds (UK)

Payment method restrictions enforced (credit card bans)

Jurisdiction-Specific

Credit card BIN blocking for banned jurisdictions

Geofencing for US state-level compliance

OASIS integration for Germany

CRUKS check for Netherlands

BankID integration for Sweden

PIX support for Brazil

3DS/SCA for all EU transactions (PSD2)

Provider Compliance Capabilities

Using a PSP does NOT transfer regulatory obligations. But some providers make compliance easier than others.

Provider	KYC	AML	Resp. Gambling	CC Blocking
NuveiTop Pick	Advanced	Good	Good	Advanced
AdyenSituational	Advanced	Advanced	Good	Advanced
PaysafeTop Pick	Good	Good	Good	Advanced
TrustlyTop Pick	Good	Basic	Good	—
IXOPAYSituational	Basic	Good	Good	Advanced
WorldpaySituational	Good	Good	Basic	Advanced

—BasicGoodAdvanced

7 Payment Compliance Mistakes That Lead to Fines

KYC at withdrawal only in UK

UKGC fine for unverified deposits. Multi-million penalties.

Verify before first deposit. No exceptions.

Not blocking credit cards in banned jurisdictions

Regulatory notice + fine. PSP may terminate.

BIN-level blocking. PSP can filter.

Deposit limits not enforced cross-platform (Germany)

Player exceeds €1K/month. Your liability.

OASIS integration. Check before every deposit.

SAR not filed or filed late

AML violation. Fines €50K to millions.

Designated MLRO. File immediately on suspicion.

Inadequate affordability checks (UK)

UKGC review. License conditions.

Automated checks at £125/month. Open Banking data.

No audit trail on payment decisions

Unable to demonstrate compliance in audit.

Log every decision with timestamp + reason.

Non-compliant crypto processor in EU

MiCA violation.

Verify MiCA license. Ask for proof.

FAQ

Find Compliant Providers

Compare provider compliance capabilities across 20+ iGaming payment processors.

Browse Providers Fraud Prevention Processing Guide

iGaming Payment Compliance