Screenshot of iGaming PCI DSS & Compliance page showing compliance overview and security badges

PCI DSS & Compliance Coverage for iGaming Payment Gateway: 12 PCI Requirements, 4 Other Frameworks, and Who Owns Each

PCI DSS and compliance coverage for an iGaming payment gateway is not one certificate hung on a wall. It is a deliberate division of responsibility — across PCI DSS, anti-money-laundering, data classification, audit trail, and sanctions screening — that determines which obligations sit with the managed gateway and which inevitably land on the operator. The honest answer is that no vendor can absorb every compliance dimension, and the ones that pretend to are the ones to worry about. This page draws the responsibility line explicitly.

A compliance lead reading a payment vendor's brochure is looking for exactly two things: which obligations the vendor genuinely handles, and which quietly land back on the operator's lap once the contract is signed. The article below uses the standard PCI DSS framework plus four adjacent compliance areas, and for each maps who owns what.

12
PCI DSS Requirements Mapped
4
Other Frameworks Covered
3
Data Classifications

PCI DSS — The 12 Requirements and Who Owns Each

The PCI DSS framework defines 12 high-level requirements grouped into six control objectives. They're public, well-defined, and the same across every payment context. What varies vendor to vendor is which side of each requirement the gateway operates, and which side the operator is left to handle on their own. The mapping for our managed model:

PCI DSS · Responsibility Matrix managed-gateway model
Req.
Requirement (summary)
Us
Shared
Operator
01
Install & maintain network security controls (firewalls, segmentation)
02
Apply secure configurations to all system components
03
Protect stored account data (encryption, key management, retention)
04
Protect cardholder data with strong cryptography during transmission
05
Protect all systems from malicious software
06
Develop and maintain secure systems & software
07
Restrict access to system components by business need-to-know
08
Identify users & authenticate access to system components
09
Restrict physical access to cardholder data
10
Log and monitor all access to system components and cardholder data
11
Test security of systems and networks regularly
12
Maintain an information security policy
● Us — owned and operated on our side ◐ Shared — joint responsibility, your-side policy applies ○ Operator — your side of the line

The honest read on this matrix: 11 of 12 requirements are fully or primarily on our side; the remaining one (requirement 12, your own information security policy) is yours because no vendor can write your internal security policy for you. Most of the "shared" items reflect the fact that you also have an admin panel — and your admin users need their own access discipline, MFA posture, and policy on top of ours.

The Other 4 Frameworks Compliance Actually Touches

PCI DSS is the most named framework in payments, but it's far from the only one. A working iGaming gateway has to address four adjacent regimes, and a vendor that only talks about PCI is quietly under-disclosing. The four:

Framework 1

PCI DSS

Cardholder data security framework, enforced by card networks. Mapped above in detail.

Our coverage: the 12 requirements as mapped — managed scope on our side.
Framework 2

AML & KYC

Anti-money-laundering monitoring, know-your-customer verification, transaction screening, suspicious-pattern detection.

Our coverage: transaction-level AML monitoring + KYC step-up workflow + suspicious-activity reporting infrastructure.
Framework 3

Data Protection & Residency

Player personal data, retention periods, lawful basis for processing, deletion rights, regional residency expectations.

Our coverage: data classification, encryption at rest and in transit, retention policy enforcement, in-region hosting where applicable.
Framework 4

Audit Trail & Reporting

Immutable record of every state-changing action, queryable by regulators and internal auditors, with sufficient retention for the jurisdictions in scope.

Our coverage: append-only audit log, structured event format, configurable retention, exportable per-tenant.

PCI Scope — What's In Our Scope and What's Not

The single most powerful question a compliance lead can ask a payment vendor is: "what's in your PCI scope and what's not?" The answer to that question determines exactly how much compliance burden you inherit. For our managed model:

— PCI Scope Boundary —

Inside our scope

  • Card primary account numbers (PAN) entering the cashier
  • Sensitive authentication data during processing
  • Tokenisation of card data for storage
  • Encryption key management for stored card data
  • Cardholder data environment infrastructure
  • Network segmentation around the CDE
  • Vulnerability scanning & penetration testing of CDE
  • Logging & monitoring of CDE access
YOUR SIDE

Outside our scope (your side)

  • Your own internal IT systems & networks
  • Your admin users & their authentication policies
  • Your customer support tooling that doesn't see PAN
  • Your marketing & analytics platforms
  • Your CRM & player communication systems
  • Your jurisdictional gaming licence compliance
  • Your downstream legal entity structure
  • Your information security policy

The boundary is deliberately drawn so that your systems and processes outside the cashier surface do not handle PAN at all. That means your PCI scope on your side is dramatically smaller — typically a SAQ-A or SAQ-A-EP profile rather than a full SAQ-D — because you never see, transmit, or store raw card data. The tokens we return are scope-reducing by design.

Data Classification — Three Categories That Behave Differently

PCI DSS distinguishes between three categories of data, each with different handling rules. A clean compliance posture treats them differently from each other; lumping them together is how vendors quietly leak scope back to the operator. The honest classification:

Classification Examples How we handle it
PAN — Primary Account Number Full card number (16 digits) Captured by hosted fields inside our CDE; tokenised immediately; full PAN never crosses into systems outside our scope. Operators receive tokens only.
SAD — Sensitive Auth Data CVV, magnetic-stripe data, PIN block Never stored post-authorisation, full stop. Captured for the authorisation handshake; not persisted; not logged.
Metadata & Tokens Tokens, transaction IDs, masked PAN (last 4) Returned to operators for reference and reconciliation. Not PAN; outside PCI scope when handled correctly. Used in webhooks, admin views, audit logs.
Audit & Event Data Order state transitions, action logs Append-only event ledger. Retained per configured policy. Available to authorised operators and to auditors with appropriate access.

Sanctions & Adverse-Media Screening Flow

Sanctions screening is not optional for a payment business — it's enforced by acquirers, by regulators, and by basic business prudence. Every party in a transaction (payer, payee, beneficial owner) is screened against the standard lists at the moment they enter the system. The flow:

— Sanctions & Screening Flow —
Input
Player onboarding · merchant onboarding · counterparty in transaction
Check
Names, IDs, jurisdictions screened against sanctions & adverse-media lists in real time
Action
Clear · escalate to manual review · block + report. All decisions logged to audit.
Lists screened against: OFAC · UN · EU · UK HMT · local jurisdiction · adverse media

Audit-Readiness Checklist — What an Operator Receives

When your auditor (internal or external) asks for compliance evidence, the things we provide on your behalf are concrete, deliverable artefacts — not vague reassurances. The honest list:

Audit-Ready Evidence Provided

Scope letter — written statement of which PCI requirements we cover, which are shared, which are yours.
Tokenisation architecture overview — how PAN is captured, tokenised, and surfaced as tokens only.
Encryption inventory — algorithms, key lifecycle, key custodianship for data at rest and in transit.
Audit log export — append-only event ledger for the period an auditor requests, in a structured format.
RBAC snapshot — who has which capabilities on your tenant's admin, sourced from the same matrix in the order-management back-end.
AML monitoring summary — high-level metrics on screened transactions, flag dispositions, suspicious-activity flow.
Penetration test & vulnerability scan summary — high-level findings and remediation status for the CDE.
Sub-processor list — third parties we use in our processing chain, for your vendor-risk assessment.

Where Compliance Fits in the Bigger Picture

The audit trail and RBAC that this article references operationally live inside our merchant admin and order management back-end — the same back-end your operations team uses day-to-day, with append-only logging and per-action attribution. The broader infrastructure of how the managed model handles operations, security, and 24/7 response is described in our managed payment infrastructure article. Compliance is not a separate vertical; it's the discipline by which the same systems are run.

Everything Else, Compressed

Scope of this article: PCI DSS responsibility mapping, the four adjacent compliance frameworks, data classification, sanctions screening, and the concrete audit-ready evidence operators receive. The line between "us" and "operator" is drawn explicitly so a compliance lead can evaluate before signing.

What we provide: managed PCI scope on our side, tokenisation so your systems never see PAN, AML & sanctions screening, append-only audit trail, encryption inventory, and the deliverable documentation auditors ask for.

What stays yours: your internal information security policy, your gaming licence compliance, your jurisdictional legal structure, and the admin-side discipline on your own users. We cover the payments scope; we don't run your company's compliance for you.

Compliance disclosure that holds up under audit scrutiny.

The responsibility line drawn explicitly — before, not after the contract.

Request a Compliance Briefing →

Compliance & PCI-Specific Questions

Are you describing certifications or capabilities?

This article describes how we operate against the framework — what we handle, where the scope sits, what evidence we produce. Specific certification statuses, current audit findings, and the formal scope letter are shared under NDA during procurement, where they can be reviewed in context.

Do my engineering and support teams need their own PCI compliance?

Only at the level your jurisdiction requires for your business as a whole. The point of tokenisation is that the systems your engineering and support teams operate never see PAN, which removes most of the PCI burden from your side. Most operators in this model file SAQ-A or SAQ-A-EP rather than the more onerous SAQ-D.

How do you handle a sanctions hit during a live transaction?

The transaction is held automatically; the matched record is logged with the source list and matching score; manual review escalates to the operator's risk team for disposition; if confirmed, the transaction is blocked and the relevant suspicious-activity workflow runs. Every action is recorded in the audit trail with actor and timestamp.

What about data residency for Asian markets?

Player personal data and payment metadata are processed in-region for the markets we serve. Specific market expectations evolve, and we maintain in-region hosting and data handling defaults to align with the cleaner posture. Specific residency obligations for your jurisdictional set are scoped during onboarding.

Can I get a written scope letter for my own auditor?

Yes. We issue a scope letter naming exactly which PCI requirements we cover for your tenant, which are shared, and which remain yours. Your auditor can take that letter as a starting point for your assessment rather than re-deriving the boundary from scratch.

How does retention work? My jurisdiction requires X years for transaction records.

Retention is configurable per tenant. We default to retention windows aligned with common payment regulations and extend on request for jurisdictions that require longer. Audit events are retained independently from operational data, so reducing operational retention doesn't shorten the audit window.

What if our jurisdiction's regulator asks to inspect your environment?

Supported via the standard auditor-engagement process. Inspections happen through documented procedures rather than ad-hoc access. You participate in the scoping; we coordinate the evidence and the contained access window with the regulator.

The Next Step

A serious conversation about PCI DSS and compliance coverage for an iGaming payment gateway starts with a single question: where is the responsibility line drawn? The matrix and the scope diagram above are how we draw it. The four adjacent frameworks, the data classification, the sanctions flow, and the audit evidence are how we operationalise it. Operators who treat compliance as something they can outsource entirely are usually mid-way through learning that no vendor can do that legally. Operators who treat it as a shared engagement with a clearly-named line tend to pass audits cleanly.

Tell us your jurisdictional set, your current compliance posture, and any specific regulators you anticipate engaging with. We will scope the responsibility line for your situation explicitly — including the bits that remain on your side — and provide the documentation your compliance lead would want to see before any further conversation.

The compliance line, drawn before the signature.

12 PCI requirements, 4 frameworks, 3 data classes — and a written scope you can hand to your auditor.

Open a Compliance Conversation →