Payment architecture in iGaming
1) Role of payments in P&L and compliance
Payments and withdrawals are the critical axis of LTV/ARPPU/Retention. Objectives:
- Deposit conversion (Auth Rate, friction, 3DS/SCA) and withdrawal speed (T+0/T+1).
- Cost: MDR/interchange, PSP/bank fees, FX/conversion, anti-fraud/chargebacks.
- Risk and regulatory: KYC/AML, limits and Responsible Gaming (RG), PSD2/SCA/GDPR/PCI DSS.
- Reliability: fault tolerance, failover PSP, risk diversity and stable SLAs.
2) Target landscape
Input channels: cards (Visa/Mastercard/MIR/UnionPay), APM (Apple/Google Pay), open banking/instant payments (SEPA Instant, Faster Payments, Pix, UPI), e-wallets, vouchers, cash terminals (local).
Output channels: outgoing SEPA/ACH/FPS, Pix/UPI, card-to-card (OCT/Original Credit Transfer), wallets, local rails; for "cash at cage" - offline payments.
Intermediate layers: PSP orchestrator, anti-fraud, compliance gateway (KYC/AML/sanctions), ledgers (game/money), token storage, reconciliation, reporting.
3) Functional domains
3.1 Acquiring payments
Smart routing: PSP selection by BIN/country/bank/risk/amount; cascade (retry → alternate PSP) and partial approvals.
3DS/SCA: dynamic orchestration (frictionless vs challenge), TRA/whitelisting, PSD2 exemptions (LVA, MOTO, MIT).
Tokenization: PSP vault tokens and network tokens (NTokens), COF/CIT/MIT framing, stored (vaulted) cards.
UI/UX: currency localization, automatic APM discovery by GEO/User-Agent, "1-click" after KYC, transparent fees/limits.
3.2 Payouts
Priority rules: speed (instant/near-instant), cost, channel availability.
Anti-arbitrage and RG: delayed withdrawals (cool-off), source-of-funds checks, velocity limits, holds on disputed winnings (fraud/AML).
KYT (Know Your Transaction): pattern monitoring (muling/bouncing), device and card links, exception lists.
3.3 Anti-fraud and risk
Signals: device fingerprint, behavioral biometrics, BIN (debit/credit), proxy/VPN, velocity, runtime events from the game core (abnormally fast win → withdraw).
Scoring: hybrid ML + rules (weighted features, SHAP control), A/B testing of threshold policies.
3DS strategy: challenge only high-risk/high-amount transactions; optimize challenge rate and frictionless share.
Chargebacks: early alerts, Order Insight/CAA, RDR/ODR (vendor), evidence data (KYC, IP, login trace, game log).
3.4 KYC/AML/Sanctions/PEP
Tiering: L0 (email/phone) → L1 (ID/age) → L2 (Proof of Address/SOW/SOF) → L3 (EDD).
Sanctions/PEP: orchestration of providers, fuzzy matching, auto-escalation.
Transactional monitoring: rules + ML, SAR/STR scenarios, threshold reports, boundaries for cash/crypto bridges (if applicable).
KYC refresh frequency: risk-based; events (device/channel/behavior change) trigger a refresh.
3.5 Ledger, wallets and accounting
Dual ledgers: Game Ledger (balance, bets, winnings, bonus obligations) and Money Ledger (deposits/withdrawals/commissions/taxes).
Deferred liabilities: bonuses/free spins/jackpots/progressives are booked as liabilities.
Reconciliations: T+0/T+1 with PSPs/banks, detection of discrepancies, auto-creation of adjustments.
Multicurrency/FX: spot/conversion accounting, exchange-rate directory (provider), PnL by FX delta.
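A worked T+1 reconciliation of the Money Ledger against a PSP settlement file, matching by reference, listing discrepancies and auto-creating adjustment postings. This is an added example, not the page's own code: the ledger rows, the statement rows, the adjustment account names (`psp_receivable`, `suspense`, `pending_settlement`) and the rule that an item missing at the PSP is carried forward rather than posted are all constructed assumptions.

```python
"""T+1 reconciliation of the internal Money Ledger against a PSP settlement file.

Added example, not the page's own code. The ledger rows, the PSP statement and
the adjustment account names are constructed.
"""
from decimal import Decimal

# Constructed Money Ledger postings for one settlement day (amounts in EUR;
# withdrawals are negative).
LEDGER = [
    {"ref": "dep-1001", "kind": "deposit",    "amount": Decimal("50.00")},
    {"ref": "dep-1002", "kind": "deposit",    "amount": Decimal("120.00")},
    {"ref": "wd-2001",  "kind": "withdrawal", "amount": Decimal("-80.00")},
    {"ref": "dep-1003", "kind": "deposit",    "amount": Decimal("30.00")},
]

# Constructed PSP settlement file received at T+1 (gross amount and PSP fee).
PSP_STATEMENT = [
    {"ref": "dep-1001", "amount": Decimal("50.00"),  "fee": Decimal("0.60")},
    {"ref": "dep-1002", "amount": Decimal("102.00"), "fee": Decimal("1.22")},  # partial capture
    {"ref": "wd-2001",  "amount": Decimal("-80.00"), "fee": Decimal("0.25")},
    {"ref": "dep-1004", "amount": Decimal("15.00"),  "fee": Decimal("0.18")},  # unknown to us
]


def reconcile(ledger, statement):
    """Match by reference; return discrepancies as (type, ref, delta) tuples."""
    by_ref_ledger = {row["ref"]: row for row in ledger}
    by_ref_psp = {row["ref"]: row for row in statement}
    issues = []
    for ref, row in by_ref_ledger.items():
        psp_row = by_ref_psp.get(ref)
        if psp_row is None:
            # We posted it, the PSP has not settled it yet (or never will).
            issues.append(("missing_at_psp", ref, row["amount"]))
        elif psp_row["amount"] != row["amount"]:
            # Same reference, different amount: delta is PSP minus ledger.
            issues.append(("amount_mismatch", ref, psp_row["amount"] - row["amount"]))
    for ref, psp_row in by_ref_psp.items():
        if ref not in by_ref_ledger:
            # PSP settled something we never recorded.
            issues.append(("missing_in_ledger", ref, psp_row["amount"]))
    return issues


def adjustments(issues):
    """Auto-create adjustment postings (account names are assumptions)."""
    out = []
    for kind, ref, delta in issues:
        if kind == "amount_mismatch":
            out.append({"ref": ref, "account": "psp_receivable", "amount": delta})
        elif kind == "missing_in_ledger":
            out.append({"ref": ref, "account": "suspense", "amount": delta})
        else:
            # Carry forward: it may settle in tomorrow's file; escalate if it ages.
            out.append({"ref": ref, "account": "pending_settlement", "amount": delta})
    return out


def settlement_summary(statement):
    """Net cash expected from the PSP: gross movements minus fees."""
    gross = sum(r["amount"] for r in statement)
    fees = sum(r["fee"] for r in statement)
    return {"gross": gross, "fees": fees, "net": gross - fees}


if __name__ == "__main__":
    found = reconcile(LEDGER, PSP_STATEMENT)
    for issue in found:
        print(issue)
    print(adjustments(found))
    print(settlement_summary(PSP_STATEMENT))
```

Running it reports one partial capture, one deposit not yet settled and one settled item the ledger never saw; only the first two of the three produce a real posting, the third stays on a watch list. Using `Decimal` rather than floats is deliberate: a reconciliation that drifts by a cent per row cannot be signed off.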
4) Non-functional requirements
Availability and scale
Active-active orchestrator (multi-region), automatic PSP failover, graceful degradation that preserves the core path.
SLO/SLA: acceptance ≥ 99.95%, average authorization < 3 s, cascade success < 7 s; payouts instant ≤ 60 s (share), near-instant ≤ 15 min.
Security and privacy
PCI DSS: zone segmentation, a reduced Cardholder Data Environment (CDE) scope, tokenization, scans/pen tests.
GDPR/local analogues: data minimization, DSR/deletion, access audit.
Supply-chain security: signed builds, SBOM, SAST/DAST, keys/secrets (HSM/KMS), tamper-evident logs.
5) PSP orchestration and routing
Routing algorithm (reference)
1. Pre-scoring: GEO, BIN/IIN, risk profile, amount.
2. Cost/success rules: historical Auth Rate × fee → preferred PSP.
3. Technical health: latency/errors/bounces → real-time penalty.
4. 3DS/SCA policy: TRA/Exemptions → flow selection.
5. Cascade: PSP-A → PSP-B → APM → open banking; maintain idempotency.
Smart Retry
We parse reason codes, use time backoff, change the 3DS strategy or gateway account, apply BIN white/black lists.
We store the payment intent and an idempotency key to avoid double postings to the Ledger.
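The five routing steps and the smart-retry rules above, carried through in one runnable orchestrator. This is an added example, not the page's own code: the PSP names, fees, auth rates, health numbers, the SCA thresholds, the set of retryable reason codes and the scripted acquirer responses are all constructed assumptions, and the scoring formula is one illustrative way to combine Auth Rate, fee and live health, not a reference implementation.

```python
"""Reference PSP routing with cascade, SCA flow selection and idempotent intents.

Added example, not the page's own code: PSP names, fees, rates, the scripted
responses and the SCA thresholds are all constructed assumptions.
"""
import hashlib
from dataclasses import dataclass

# Reason codes on which cascading to the next PSP is worthwhile (assumption:
# technical failures and generic soft declines). Hard declines such as a
# stolen or invalid card are never retried on another PSP.
RETRYABLE_REASONS = {"timeout", "psp_error", "do_not_honor"}


@dataclass
class Psp:
    name: str
    fee_pct: float      # PSP/MDR fee in percent of amount
    auth_rate: float    # historical approval rate, 0..1
    error_rate: float   # real-time share of technical errors, 0..1
    latency_ms: int     # real-time p95 authorization latency


@dataclass
class Payment:
    intent_id: str
    amount: float
    currency: str
    country: str
    bin6: str
    risk_score: float        # 0..1 from the risk engine
    txn_type: str = "CIT"    # CIT, MIT or MOTO


def eligible_psps(p, catalog):
    """Step 1: pre-scoring by GEO; a PSP in an error storm is cut entirely."""
    return [psp for psp in catalog.get(p.country, []) if psp.error_rate < 0.5]


def route_score(psp):
    """Steps 2 and 3: historical Auth Rate net of fee, penalised by live health."""
    health_penalty = 2.0 * psp.error_rate + psp.latency_ms / 10_000
    return psp.auth_rate * (1 - psp.fee_pct / 100) - health_penalty


def sca_flow(p):
    """Step 4: PSD2 flow selection (thresholds are assumptions)."""
    if p.txn_type in ("MIT", "MOTO"):
        return "out_of_scope"        # merchant-initiated / mail order: no SCA
    if p.currency == "EUR" and p.amount <= 30 and p.risk_score < 0.3:
        return "lva_exemption"       # low-value exemption
    if p.risk_score < 0.2 and p.amount <= 250:
        return "tra_frictionless"    # transaction risk analysis exemption
    return "challenge"


def idempotency_key(p):
    """Stable key for the payment intent, so a retried call cannot post twice."""
    raw = f"{p.intent_id}:{p.amount:.2f}:{p.currency}".encode()
    return hashlib.sha256(raw).hexdigest()[:16]


class Orchestrator:
    def __init__(self, catalog, charge):
        self.catalog = catalog
        self.charge = charge          # charge(psp, payment, flow) -> (approved, reason)
        self.intents = {}             # idempotency key -> stored result

    def authorize(self, p):
        key = idempotency_key(p)
        if key in self.intents:
            return self.intents[key]  # duplicate submit: replay, no second Ledger post
        flow = sca_flow(p)
        ranked = sorted(eligible_psps(p, self.catalog), key=route_score, reverse=True)
        result = {"approved": False, "psp": None, "flow": flow, "attempts": []}
        for psp in ranked:            # Step 5: cascade PSP-A -> PSP-B -> ...
            approved, reason = self.charge(psp, p, flow)
            result["attempts"].append((psp.name, reason))
            if approved:
                result.update(approved=True, psp=psp.name)
                break
            if reason not in RETRYABLE_REASONS:
                break                 # hard decline: stop the cascade
        self.intents[key] = result
        return result


# Constructed catalog: psp-a is cheaper and healthier on paper, so it ranks first.
CATALOG = {
    "DE": [
        Psp("psp-a", fee_pct=1.2, auth_rate=0.92, error_rate=0.02, latency_ms=800),
        Psp("psp-b", fee_pct=2.5, auth_rate=0.85, error_rate=0.01, latency_ms=900),
    ]
}
# Scripted acquirer: this particular call to psp-a times out, psp-b approves.
SCRIPT = {"psp-a": (False, "timeout"), "psp-b": (True, "approved")}


def scripted_charge(psp, payment, flow):
    return SCRIPT[psp.name]


def demo():
    orch = Orchestrator(CATALOG, scripted_charge)
    p = Payment("intent-42", 120.0, "EUR", "DE", "411111", risk_score=0.1)
    first = orch.authorize(p)
    replayed = orch.authorize(p)      # client retry of the same intent
    return first, replayed is first


if __name__ == "__main__":
    print(demo())
```

The replay check is the part worth copying: the idempotency key is derived from the intent, not from the attempt, so a client that resubmits after a timeout gets the stored outcome instead of a second cascade and a second Ledger posting.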
6) Regional archetypes (quick recipes)
EU/UK: PSD2/SCA, SEPA Instant, Faster Payments, cards + open banking; high weight of 3DS strategy and affiliates.
USA: cards + ACH (two-step verification), PayPal/Cash App; retention through instant P2P payouts, chargeback management is critical.
LATAM: Pix (Brazil), SPEI (Mexico), PSE (Colombia), vouchers/cash; path is APM-heavy, anti-fraud on devices and documents.
Turkey/CA: local APMs/crypto bridges (if allowed), bank transfers; high share of AML/sanctions work.
India/Asia: UPI, e-wallets, local card networks; limits, velocity and real-time risk.
7) Responsible Gaming (RG) in the payment loop
Limits: deposits/losses/time/withdrawals; cool-off and self-exclusion → blocking all payment channels.
Affordability: open banking/credit indicators via soft checks.
Marketing: ban on "risk-free" promotional claims; transparent bonus T&Cs; control of affiliates/traffic sources.
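The RG controls on the payment path, as an added example that is not part of the original text: a per-player profile with deposit and loss limits, a cool-off period and a self-exclusion flag, with deposit and withdrawal checks applied in the order self-exclusion, cool-off, limits. The profile fields, the rolling windows (24 h for deposits, 7 days for losses), the limit values and the sample history are constructed assumptions; following the page, self-exclusion blocks every payment channel, and what happens to a remaining balance is outside this example.

```python
"""Responsible Gaming checks in the payment loop.

Added example, not the page's own code. Profile fields, rolling windows,
limit values and the sample history are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class RgProfile:
    daily_deposit_limit: Optional[float] = None      # None = no limit set
    weekly_loss_limit: Optional[float] = None
    cool_off_until: Optional[datetime] = None        # short break: deposits blocked
    self_excluded_until: Optional[datetime] = None   # all payment channels blocked
    deposits: List[Tuple[datetime, float]] = field(default_factory=list)
    net_losses: List[Tuple[datetime, float]] = field(default_factory=list)


def _window_sum(events, now, window):
    """Sum of amounts whose timestamp falls inside the trailing window."""
    return sum(amount for ts, amount in events if now - ts <= window)


def check_deposit(profile, amount, now):
    """Return (allowed, reason). Order: self-exclusion > cool-off > limits."""
    if profile.self_excluded_until and now < profile.self_excluded_until:
        return False, "self_excluded"
    if profile.cool_off_until and now < profile.cool_off_until:
        return False, "cool_off"
    if profile.daily_deposit_limit is not None:
        spent = _window_sum(profile.deposits, now, timedelta(days=1))
        if spent + amount > profile.daily_deposit_limit:
            return False, "daily_deposit_limit"
    if profile.weekly_loss_limit is not None:
        lost = _window_sum(profile.net_losses, now, timedelta(days=7))
        if lost >= profile.weekly_loss_limit:
            return False, "weekly_loss_limit"
    return True, "ok"


def deposit(profile, amount, now):
    """Apply the check and record the deposit only when it is allowed."""
    allowed, reason = check_deposit(profile, amount, now)
    if allowed:
        profile.deposits.append((now, amount))
    return allowed, reason


def check_withdrawal(profile, now):
    """Self-exclusion blocks withdrawals too (all channels); cool-off and limits do not."""
    if profile.self_excluded_until and now < profile.self_excluded_until:
        return False, "self_excluded"
    return True, "ok"


# Constructed clock and profiles used below.
NOW = datetime(2024, 1, 10, 12, 0)
SELF_EXCLUDED = RgProfile(self_excluded_until=NOW + timedelta(days=180))
COOL_OFF = RgProfile(cool_off_until=NOW + timedelta(hours=24))


def demo():
    """Player with a 200/day limit who already deposited 150 three hours ago."""
    p = RgProfile(
        daily_deposit_limit=200.0,
        weekly_loss_limit=500.0,
        deposits=[(NOW - timedelta(hours=3), 150.0), (NOW - timedelta(days=2), 500.0)],
    )
    return [deposit(p, 40.0, NOW), deposit(p, 60.0, NOW)]


if __name__ == "__main__":
    print(demo())
    print(check_deposit(SELF_EXCLUDED, 10.0, NOW), check_withdrawal(SELF_EXCLUDED, NOW))
    print(check_deposit(COOL_OFF, 10.0, NOW), check_withdrawal(COOL_OFF, NOW))
```

The deposit two days ago is outside the 24 h window and does not count, so the first 40 passes (190 of 200) and the second 60 is refused. The ordering matters in practice: a self-excluded player must never see a "limit reached" message that implies a deposit would otherwise have gone through.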
8) Reporting, analytics and forecasting
Daily reports: authorizations, declines by reason code, chargeback rate, refund rate, payout time, net payment margin.
Cross-reconciliation: Ledger ↔ PSP Payouts ↔ Bank; triangulation of anomalies.
Forecasts: seasonality of conversion, elasticity per commission/fraud threshold, need for working capital for payments.
9) KPI/metrics (benchmarks)
Auth Rate (cards): EU 85-92%, US 80-88%, LATAM 70-85% (before orchestration).
Share of instant payouts: ≥ 70% of withdrawals that pass checks.
Chargeback rate: < 0.5% by count, < 0.9% by volume (depends on product/region).
3DS challenge rate: < 10-20% (by segment), frictionless ≥ 70%.
PSP concentration: Herfindahl index < 0.35 (diversification).
Payment OPEX (as % of deposits): target corridor 1.2–2.0% with mature orchestration.
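A daily KPI computation over constructed card-deposit records, checked against the corridors listed in this section (Auth Rate floor by region, chargeback rate by count and by volume, Herfindahl index of PSP concentration). This is an added example, not the page's own code; the eight transaction records are constructed, and the threshold values are the ones stated above.

```python
"""Daily payment KPIs against the benchmark corridors from the page.

Added example, not the page's own code. Transaction records are constructed;
thresholds are those stated on the page.
"""
from collections import defaultdict

# Constructed daily card-deposit records: psp, outcome, amount (EUR), chargeback flag.
TXNS = [
    {"psp": "psp-a", "approved": True,  "amount": 100.0, "chargeback": False},
    {"psp": "psp-a", "approved": True,  "amount": 250.0, "chargeback": True},
    {"psp": "psp-a", "approved": False, "amount": 40.0,  "chargeback": False},
    {"psp": "psp-b", "approved": True,  "amount": 60.0,  "chargeback": False},
    {"psp": "psp-b", "approved": True,  "amount": 90.0,  "chargeback": False},
    {"psp": "psp-c", "approved": True,  "amount": 500.0, "chargeback": False},
    {"psp": "psp-c", "approved": False, "amount": 75.0,  "chargeback": False},
    {"psp": "psp-c", "approved": True,  "amount": 30.0,  "chargeback": False},
]

# Auth Rate floors from the page (lower bound of each regional range).
AUTH_RATE_FLOOR = {"EU": 0.85, "US": 0.80, "LATAM": 0.70}


def auth_rate(txns):
    """Approved / attempted."""
    return sum(1 for t in txns if t["approved"]) / len(txns)


def chargeback_rates(txns):
    """Chargeback rate by count and by volume, over approved transactions."""
    approved = [t for t in txns if t["approved"]]
    charged_back = [t for t in approved if t["chargeback"]]
    by_count = len(charged_back) / len(approved)
    by_volume = sum(t["amount"] for t in charged_back) / sum(t["amount"] for t in approved)
    return by_count, by_volume


def psp_concentration(txns):
    """Herfindahl index of approved volume share per PSP (1.0 = a single PSP)."""
    volume = defaultdict(float)
    for t in txns:
        if t["approved"]:
            volume[t["psp"]] += t["amount"]
    total = sum(volume.values())
    return sum((v / total) ** 2 for v in volume.values())


def kpi_report(txns, region="EU"):
    """Each KPI as (value, within_corridor) against the page's benchmarks."""
    ar = auth_rate(txns)
    cb_count, cb_volume = chargeback_rates(txns)
    hhi = psp_concentration(txns)
    return {
        "auth_rate": (ar, ar >= AUTH_RATE_FLOOR[region]),
        "chargeback_by_count": (cb_count, cb_count < 0.005),
        "chargeback_by_volume": (cb_volume, cb_volume < 0.009),
        "psp_hhi": (hhi, hhi < 0.35),
    }


if __name__ == "__main__":
    for name, (value, ok) in kpi_report(TXNS).items():
        print(f"{name:22s} {value:.4f} {'ok' if ok else 'OUT OF CORRIDOR'}")
```

On this small sample every KPI is out of corridor: 6 of 8 approvals (0.75 against a 0.85 EU floor), one chargeback in six approved transactions, and psp-c carrying just over half of the approved volume (index ≈ 0.40). The same functions run unchanged over a real day's export; only the record shape is assumed.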
10) Incidents and resilience
Playbooks: Massive Declines (issuer/PSP outage), 3DS ACS degradation, Pix/UPI delays, bank holidays, surge in chargebacks.
Stability features: a short-term "grace balance" (only for trusted profiles), auto-switch to APMs, "queued payouts" on bank failure, "circuit breaker" on anomalies.
Communications: status page, notification templates, compensations/vouchers.
11) Compliance checklists
PCI DSS
- CDE segmentation, tokenization, PAN outside of applications.
- Annual certification, scans, pen tests, access registers.
GDPR/Privacy
- Data minimization, DSR/deletion, DPIA for anti-fraud, at-rest/in-transit encryption.
- DPA with PSP/providers, cross-border flows.
KYC/AML
- CDD/EDD policies, sanctions/PEP, KYT, STR/SAR scenarios.
- Threshold limits and revisions; decision log.
RG/Marketing
- Limits/self-exclusion, visible disclaimers.
- Audit of affiliates, prohibition of youth targeting.
12) Architectural standard (layers)
1. Checkout Layer (UI/localization/APM Discovery).
2. Payment Orchestrator (routing, retries, rules, A/B).
3. Risk Engine (device, behavior, ML, 3DS policy).
4. Compliance Hub (KYC, sanctions, KYT, RG).
5. Wallet & Ledgers (game/cash, bonus liabilities).
6. Reconciliation & Reporting (PSP/bank/GL, taxes).
7. Observability & Security (metrics/logs/traces, PCI/GDPR).
8. Data/ML (fraud models, LTV scoring, limit personalization).
13) Implementation Roadmap
Phase 0 (2-4 weeks): audit of current PSP/metrics, GAP by PCI/KYC/RG, setting KPI, choice of orchestrator.
Phase 1 (6-8 weeks): multi-PSP admission + open banking/APM, basic anti-fraud, 3DS policy, tokenization.
Phase 2 (8-12 weeks): instant payouts, KYT, T + 0/T + 1 full reconciliations, CFO reporting.
Phase 3 (12+ weeks): ML fraud, dynamic cost/success routing, affordability, real-time "circuit breaker."
14) What's important to remember
Payment architecture is orchestration: the right combination of channels, PSP and anti-fraud increases conversion and reduces costs.
Security/compliance (PCI, GDPR, KYC/AML, RG) is the foundation; without it, scaling is dangerous.
Reconciliations and accounting support the CFO/audit: T+0/T+1, full traceability, separate ledgers.
Region decides: open local rails (Pix/UPI/SEPA Instant/FPS) and adapt UX and 3DS strategy to the issuing bank/region.