PCI DSS for iGaming Operators: What Gambling Companies Actually Need

Every iGaming operator that processes, stores or transmits payment card data must comply with PCI DSS. With PCI DSS v4.0 now fully in effect and the bar raised significantly for software security and authentication, operators who haven't updated their compliance approach since v3.2.1 are already out of compliance.

PCI DSS v4.0 introduced 64 new or evolved requirements. Are you current?

Which PCI DSS Level Applies to You

Your PCI DSS compliance level is determined by your annual payment card transaction volume:

  • Level 1: Over 6 million transactions/year — requires an annual on-site assessment by a Qualified Security Assessor (QSA)
  • Level 2: 1–6 million transactions/year — annual Self-Assessment Questionnaire (SAQ) + quarterly scans
  • Level 3: 20,000–1 million e-commerce transactions/year — annual SAQ + quarterly scans
  • Level 4: Under 20,000 e-commerce transactions/year — annual SAQ recommended

Key PCI DSS v4.0 Changes for iGaming

PCI DSS v4.0 introduced significant new requirements that directly affect iGaming operators:

  • Multi-factor authentication now required for ALL access to the cardholder data environment (not just remote access)
  • Payment page scripts must be managed and authorised — critical for operators using third-party payment widgets
  • Enhanced penetration testing requirements including testing for business logic flaws
  • Phishing-resistant MFA required for all interactive user access
  • Customised approach now available — allows mature organisations to define their own controls to meet security objectives

Reducing Your PCI DSS Scope

The best PCI DSS strategy is to minimise the scope of your cardholder data environment. iGaming operators can significantly reduce scope by using a payment service provider (PSP) that tokenises all card data before it touches your systems. If card data never reaches your infrastructure, your PCI DSS obligations are dramatically reduced. Review your payment architecture with this lens first.

Frequently Asked Questions

Does using a payment gateway mean we don't need PCI DSS compliance?

Using a PCI-certified payment gateway reduces your scope significantly but doesn't eliminate your obligations entirely. You still need to secure the connection to the gateway and any systems that touch payment-related data.

Is PCI DSS required for MGA licensing?

Yes. The MGA requires operators to demonstrate PCI DSS compliance for all payment card processing as part of the licensing conditions.

What happens if we suffer a card data breach without PCI DSS compliance?

Card brands (Visa, Mastercard) can impose fines of €5,000–€100,000 per month of non-compliance. If a breach occurs, fines escalate significantly and you may lose the ability to process card payments.

Do cryptocurrency-only casinos need PCI DSS?

If you don't process any payment cards, PCI DSS doesn't apply. However, crypto casinos face their own financial security requirements under AML regulations and DORA.

Review your PCI DSS compliance posture

Kyanite Blue specialises in cybersecurity for iGaming operators. MGA-licensed operators across Malta trust our stack.
