GH GambleHub

International Payments and Legal

1) Map of channels and settlement schemes

Cards (Visa/Mastercard/local schemes): deposits, refunds, chargebacks/disputes; PCI DSS and SCA/3DS requirements.
Bank transfers: SWIFT (MT/ISO 20022), SEPA/SEPA Instant, Faster Payments/UK, RTP/US, PIX/BR, UPI/IN, A2A/Open Banking (initiation of payments through API).
Electronic money/wallets: EMIs, local e-wallets, vouchers.
Crypto on/off-ramp: exchanges, custodial providers, stablecoins (taking into account Travel Rule and sanctions).

Settlement models: T+0/T+1/T+N, gross vs net settlement, rolling reserve/hold, split payments (marketplace/white-label).

2) Regulation and licensing of providers

EMI/PI (Europe), MSB (USA), PSP/Acquirer, Sponsor bank: determine the right to hold client funds, issue e-money, provide acquiring/issuing, conduct A2A.
Safeguarding/segregation: client funds are held separately; capital, reporting and audit requirements.
Passporting/agency models: the right to serve customers cross-border through branches/agents.
iGaming operator: usually not a payment institution, relies on partner licenses; exceptions - own cash-handling statuses in offline/hybrid models.

3) Sanctions and export controls

Screening of payer/receiver, correspondent banks, BIC/routes; ownership/control rules (50%+).
Geo-blocks and service bans in embargoed jurisdictions; export restrictions on cryptography/software and remote access.
Contractually: the right to suspend, step-in, and alternative corridors when a route is blocked.

4) AML/CFT, KYC/KYB and Travel Rule

KYC/KYB/UBO at onboarding; SoF/SoW for high-risk customers; daily rescreening against sanctions/PEP/adverse media.
Transaction monitoring: velocity, geo-velocity, no-play withdrawals, multi-accounting, circular routes.
Travel Rule (crypto/VA): transfer of sender/receiver identifiers between VASPs at thresholds; whitelist policy/limits/chain-analysis.

5) Privacy and data protection

GDPR/similar regimes: roles (controller/processor), legal grounds, DPIA for high-risk processing, cross-border transfers (standard mechanisms).
PCI DSS: PAN tokenization, prohibition of storing full PAN/CVV outside certified providers; card environment segmentation.
Secrets and keys: HSM/secret management, rotation, access restriction.

6) Card Rules and SCA

3DS 2.x/SCA: mandatory strong authentication (exceptions: low-value, low-risk transactions, MIT/recurring - according to scheme rules).
Chargeback/Dispute: timing, reasons (Reason Codes), evidence (game report, IP/device, compliance with the offer).
Tokenization/Network Tokens: conversion stability and risk mitigation.

7) Taxes, currencies and cross-border

WHT (withholding tax): possible for royalties/services to non-residents under contracts; gross-up clauses and residency certificates.
VAT/GST: B2C gambling services are often exempt/out of scope; B2B services - place-of-supply and reverse charge.
FX risks: selection of the settlement currency (functional vs settlement), hedging (NDF/forwards), conversions on returns.

8) PSP/Bank Contracts: What to Stipulate

1. Licenses and coverage, sub-processors, audit rights.
2. SLA: uptime, cut-off, T+N, P1/MTTR, Time-to-Wallet.
3. Risks and holds: rolling reserve, hold logic (fraud/sanctions), limits and anti-abuse.
4. Fees: MDR/interchange/FX/chargeback fee/payouts; transparent reports.
5. Security: PCI DSS, encryption, key custody, incident-report ≤72 h.
6. Sanctions/exports/AML: obligations, right to suspend.
7. Data: roles (controller/processor), storage/deletion logic, CMP consent.
8. Continuity/Step-in: emergency routes, merchant/MID migration right.
9. Termination/exit: data export, final reports, return of withheld funds.

9) Disputes, refunds and holds

Refund/Cancel: term/fee rules, FX on refund.

Chargeback: evidence - timeline, device/IP, 3DS authentication, compliance with the offer and "short terms."

Rolling Reserve/Balance Holds: hold conditions and release schedule; reporting on withheld amounts.

10) FX and Clearing

Methods: spot/forward/NDF; natural hedge (matching inbound and outbound flows).
Net clearing: netting within the provider/between payment flows.
Reporting: rate, spread, trading date, exchange rate source (official/market).

11) RAG Risk Matrix

| Risk | R (critical) | A (fixable) | G (control) |
|---|---|---|---|
| Sanctions/route | Payment to a sanctioned bank | Occasional false positives | Recipient/BIC screening and hold |
| AML/TMS | No monitoring | High FPR | RBA rules, retune, QA |
| PCI/3DS | PAN stored, SCA not enabled | Partially | Full PCI DSS, 3DS 2.x |
| VAT/WHT | Incorrect qualification | Gaps in invoices | VAT/RC policies, DTT registry |
| SLA/Contracts | No step-in/continuity | Partially | Clauses + failover tests |
| FX | No hedge/accounting policy | Ad-hoc | FX policy, limits, reports |

12) Checklists

Before connecting the provider

  • License (EMI/PI/MSB), coverage, safeguarding.
  • Sanctions and AML procedures, Travel Rule (for VA).
  • PCI DSS/3DS/SCA confirmed.
  • SLA, hold/reserve, fees, reporting.
  • DPA/data roles, cross-border transfers.
  • Continuity/step-in, migration plan.

Operational cycle

  • Daily B2C/B2B/payment reconciliation.
  • QA of chargeback cases and win-rate.
  • Monitor Time-to-Wallet and route failures.
  • Monitor FX spreads and deviations.
  • Periodic pen tests/PCI scans.

Quarterly

  • Provider SLA audits and fee repricing.
  • Emergency route/step-in test.
  • Updating VAT/DTT registers.
  • Backtesting TMS/retune rules.

13) Contract item templates (fragments)

A. Sanctions and suspension

💡 The provider has the right to withhold/reject sanctions-risk transactions; the merchant undertakes not to direct traffic from blocked geos. In case of systemic risk, the Continuity/Step-in procedure is started.

B. SLA and credits

💡 Uptime 99.9%; P1 response ≤15 min, MTTR ≤2 h. On breach, service credits apply under Appendix No. __.

C. Security and PCI

💡 The provider maintains PCI DSS compliance (current version) and encryption in transit and at rest, and notifies about incidents within ≤72 h; PAN storage - tokenized only.

D. Taxes/VAT/WHT

💡 B2B invoices are issued with reverse charge; for WHT, the DTT rate is applied when the certificate of residence is presented, otherwise gross-up.

E. Data and privacy

💡 Data roles (controller/processor); cross-border transfers on a lawful basis; retention and disposal periods after termination; prohibition of shadow copies.

F. Continuity/Step-in

💡 If routes/banks are unavailable, the provider undertakes to use alternatives; the merchant has the right to initiate a temporary step-in to ensure the continuity of payments.

14) Recommended registries (YAML)

14.1 Register of payment providers

```yaml
provider_id: "PSP-UK-001"
name: "AcquirerX Ltd"
licenses: ["UK-PI", "EEA-passport"]
channels: ["cards", "A2A", "SEPA", "FPS"]
sla: { uptime: "99.9%", p1_resp_min: 15, mttr_h: 2 }
fees:
  cards_mdr: "2.1%+€0.10"
  sepa: "€0.15"
  fx_spread_bps: 40
risk:
  rolling_reserve: "5% for 180 days"
  holds: "rule-based"
compliance:
  pci_dss: "v4.0"
  sanctions_screening: "daily"
  aml_tms: true
  dpa_signed: true
continuity_step_in: true
status: "active"
owner: "Payments Ops"
```

14.2 Route/Corridor Register

```yaml
route_id: "EU-SEPA-01"
method: "SEPA Instant"
cutoff: "24/7"
settlement: "T+0"
limits: { per_tx: 100000, daily: 500000 }
blocked_geos: ["RU", "BY", "IR", "KP", "SY", "CU"]
alt_routes: ["EU-SEPA-STD", "EU-A2A-OB-01"]
```
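One way to enforce a corridor register of this shape when a payment has to fail over to an alternative route (an added example, not code from the original page or from any provider). The names `Route`, `refusal`, `select_route` and the `down` set are hypothetical, the limits and geo lists of the two alternates are constructed, and inheriting the primary route's geo block on failover is a design assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    route_id: str
    per_tx: int
    daily: int
    blocked_geos: frozenset
    alt_routes: tuple = ()

# EU-SEPA-01 mirrors the 14.2 entry; the alternates' limits and geos are constructed.
SEPA_BLOCK = frozenset({"RU", "BY", "IR", "KP", "SY", "CU"})
REGISTER = {r.route_id: r for r in (
    Route("EU-SEPA-01", 100000, 500000, SEPA_BLOCK, ("EU-SEPA-STD", "EU-A2A-OB-01")),
    Route("EU-SEPA-STD", 50000, 250000, frozenset({"RU", "BY"})),
    Route("EU-A2A-OB-01", 15000, 60000, frozenset()),
)}

def refusal(route, inherited_block, country, amount, used_today):
    """Return None if the route may carry the payment, else the refusal reason."""
    if country.upper() in inherited_block | route.blocked_geos:
        return "blocked_geo"
    if amount > route.per_tx:
        return "per_tx_limit"
    if used_today + amount > route.daily:
        return "daily_limit"
    return None

def select_route(primary_id, country, amount, usage, down=(), register=REGISTER):
    """Try the primary, then its alt_routes in order.

    Returns (route_id or None, audit trail of (route_id, outcome) pairs)."""
    primary = register[primary_id]
    trail = []
    for rid in (primary_id, *primary.alt_routes):
        route = register.get(rid)
        if route is None:
            reason = "not_in_register"   # fail closed on routes missing from the register
        elif rid in down:
            reason = "route_down"
        else:
            # Alternates inherit the primary's geo block (assumption), so a
            # failover can never reach a geo the primary corridor refuses.
            reason = refusal(route, primary.blocked_geos, country, amount,
                             usage.get(rid, 0))
        trail.append((rid, reason or "selected"))
        if reason is None:
            return rid, trail
    return None, trail
```

The returned trail is what would go into the registry entry and notification step of a playbook: it records every route tried and why it was refused.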

14.3 VAT/WHT counterparty card

```yaml
counterparty: "ProviderX B.V."
service: "royalty - game content"
vat: { place_of_supply: "customer_country", reverse_charge: true }
wht:
  dtt: true
  base_rate: 0.10
  dtt_rate: 0.00
  residency_certificate: "2025_valid.pdf"
  gross_up_clause: true
```

14.4 FX Policy

```yaml
base_currency: "EUR"
hedge_policy:
  method: ["natural_hedge", "monthly_forward"]
  hedge_ratio: 0.7
pricing_source: "ECB"
deviation_alert_bps: 25
```

15) Playbooks (operational scenarios)

P-PAY-01: Block payment due to sanctions

Hold → check BIC/correspondent banks/recipient → alternative route → in case of failure - refund, registry entry, notification.

P-PAY-02: Chargeback spike

RC/Reason Codes analytics → 3DS/SCA and fraud correction → support training on evidence → mitigation plan and weekly report.

P-PAY-03: Provider downtime

Failover to alt-route → activation of step-in → communication to players (payment status) → post-mortem and service credits.

P-PAY-04: Crypto deposit with mixer label

Freeze → chain analysis → SoF → SAR/STR, if necessary → repeat block, update rules.

P-PAY-05: VAT Errors/Reverse Charge

Invoice revision → correction/additional billing → template update and billing training.

16) KPI/Metrics

Time-to-Wallet (p95) by channel.
Success Rate/Decline Rate by Route and Cause.
Chargeback Rate and Win-Rate on disputes.
Rescreening Coverage% (customers/payments/partners).
FX deviation (bps) from policy.
SLA Compliance% and the volume of service credits.

17) Mini-FAQ

Can I use crypto without the Travel Rule? For a VASP, no; follow local thresholds and data-sharing requirements.
Do I need PCI DSS if PAN is not stored? Yes, if the environment processes/transmits card data; scope is reduced via tokenization/redirect/SDK.
Who bears WHT? As set in the contract: either gross-up by the payer, or the DTT rate with a certificate.
How to reduce the risk of blocks by banks? Sanctions screening of routes, correct purpose codes/MCC, alternative corridors and transparent offers.

18) Disclaimer

The rules for payments, sanctions, taxation and privacy vary by country and change over time. This material is an operational framework; check local rules and consult advisers before applying it.

19) Conclusion

International payments in iGaming are a process architecture: licensed partners, sanctions and AML controls, PCI/3DS, clear tax rules and strong PSP/bank contracts. Formalize SLAs, registries and playbooks, and your payment flow becomes predictable, scalable and resistant to regulatory shocks.
