What PCI DSS covers
PCI DSS is maintained by the PCI Security Standards Council on behalf of the major card networks (Visa, Mastercard, American Express, Discover, JCB). The standard sets out twelve high-level requirements grouped under six control objectives: build and maintain a secure network, protect cardholder data, maintain a vulnerability-management programme, implement strong access control, regularly monitor and test networks, and maintain an information-security policy. The current published version is PCI DSS v4.0, with v4.0.1 clarifying selected requirements.
Compliance is not a regulatory requirement under gambling law, but it is contractually required by acquirers and card networks. Operators that fail to comply risk fines from the networks, increased per-transaction costs, and (in severe cases) loss of card-processing privileges. Most licensed operators treat PCI DSS as a baseline obligation alongside their gambling licence.
PCI DSS levels and validation
PCI DSS defines four merchant levels by annual transaction volume. Level 1 (more than 6 million transactions per year) requires a full annual on-site assessment by a Qualified Security Assessor (QSA), quarterly Approved Scanning Vendor (ASV) scans, and a detailed Report on Compliance. Levels 2 to 4 typically allow a Self-Assessment Questionnaire (SAQ) supplemented by ASV scans. Most large iGaming operators fall into Level 1.
The standard also defines the Attestation of Compliance (AoC), the formal document that demonstrates a merchant’s PCI DSS status. Operators provide their AoC to acquirers and to B2B partners as part of vendor due diligence. B2B service providers handling card data carry their own PCI DSS service-provider obligations.
Scope reduction and tokenisation
The most expensive part of PCI DSS compliance is scope: the systems, people, and processes that store, process, or transmit cardholder data. Operators reduce scope through architectural choices that keep card data out of their environment. The standard pattern is to route payments through a hosted payment page or a tokenisation service operated by the PSP, so that the operator’s systems only ever see a token, never the raw Primary Account Number (PAN).
Tokenisation reduces scope materially but does not eliminate it. The operator’s environment around the payment integration, key management, and back-office access controls all remain in scope. For B2B platform vendors, presenting a clean and current AoC accelerates contract closure with operator customers.
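The hosted-page pattern above, as an added example that is not the page's own code or any real PSP's API: a constructed PSP-side vault issues the token, the operator stores only the token and the truncated PAN, and a Luhn-based scan over operator records gives a quick scope check that no full PAN has leaked into storage or logs. Token format and field names are assumptions.

```python
import json
import re
import secrets


class PspVault:
    """Constructed stand-in for the PSP's token vault. The PAN-to-token map
    lives here, on the PSP side; the operator never holds this structure."""

    def __init__(self, token_factory=None):
        self._pan_by_token = {}
        self._new_token = token_factory or (lambda: "tok_" + secrets.token_hex(8))

    def tokenise(self, pan: str) -> str:
        token = self._new_token()
        self._pan_by_token[token] = pan
        return token

    def detokenise(self, token: str) -> str:
        """Only the PSP resolves a token back to the PAN (e.g. to charge it)."""
        return self._pan_by_token[token]


def psp_hosted_page(vault: PspVault, pan: str) -> dict:
    """The card is entered on the PSP's hosted page; this is all the operator
    gets back: a token and the last four digits (truncation is permitted)."""
    return {"token": vault.tokenise(pan), "last4": pan[-4:]}


def operator_record(psp_response: dict, amount: str) -> dict:
    """What the operator persists for the deposit: token, last4, amount."""
    return {"token": psp_response["token"], "last4": psp_response["last4"], "amount": amount}


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test, used to tell a PAN from any other digit run."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


# 13-19 digits, optionally separated by spaces or dashes, not inside a longer run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text: str) -> list:
    """Scope check: return every Luhn-valid 13-19 digit sequence in text.
    Operator-side records and logs should yield an empty list."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def record_is_out_of_scope(record: dict) -> bool:
    """True when the serialised record carries no full PAN."""
    return not find_pans(json.dumps(record))
```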
Frequently asked questions about PCI DSS in iGaming
Do gambling regulators require PCI DSS compliance?
Not directly. Gambling regulators such as UKGC and MGA require operators to protect customer data and maintain financial-crime controls; PCI DSS is the contractually mandated standard from the card networks. In practice, regulators treat PCI DSS compliance as evidence that an operator’s payment environment is appropriately secured, and failings are likely to be raised in an enforcement context.
What are the PCI DSS merchant levels?
Levels are defined by annual transaction volume. Level 1 (more than 6 million transactions) requires an annual on-site assessment by a Qualified Security Assessor. Levels 2 to 4 cover smaller volumes and allow a Self-Assessment Questionnaire. All levels require quarterly ASV scans where externally facing systems are in scope.
Does PCI DSS apply to crypto-only operators?
If the operator never accepts payment-card transactions, PCI DSS does not apply. Most operators accept card payments alongside crypto, in which case PCI DSS applies to the card flows. Crypto-only operators are still subject to other security standards (commonly ISO 27001) and to AML obligations under their gambling licence.
How long does a PCI DSS assessment take?
For a mature operator with appropriate scope reduction, a Level 1 assessment typically runs 8 to 12 weeks from kick-off to AoC issuance. For first-time certifications or environments with high scope, the timeline commonly extends to 6 to 12 months, including remediation work identified during the initial gap analysis.