iGaming Payment Processing in 2026: The Operator's Step-by-Step Launch Playbook
What makes iGaming payment processing different from standard e-commerce?
Online gambling sits under MCC 7995 — the Merchant Category Code that most card networks treat as high-risk by default. That single classification means standard payment processors like Stripe or Braintree will terminate your account on sight. You need specialist acquiring, dedicated fraud tooling, and a compliance posture that satisfies both the card network rules and your gambling regulator simultaneously.
The core problem is that gambling transactions carry a disproportionate chargeback rate compared to retail e-commerce. Players dispute deposits after losing, claim fraud, or simply exploit the dispute process. Visa and Mastercard respond to this by imposing strict chargeback thresholds — 1% for Visa's standard program, with elevated monitoring starting around 0.9% — and they enforce these at the acquirer level. If your acquirer's overall portfolio takes too many chargebacks because of you, they lose their acquiring license. That's why mainstream banks don't want your business regardless of how legitimate your operation is.
The regulatory overlay compounds the technical challenge. A Curaçao eGaming licensed operator is legal in its licensing jurisdiction but classified as 'unlicensed gambling' in dozens of other countries. Card networks have their own geographic block lists that don't always align with your license scope. You can be fully compliant with your regulator and still have Mastercard transactions blocked from certain markets because the card network's own rules prohibit it. This is one of the first things operators discover too late — your license and your payment acceptance footprint are two different things.
Finally, the AML and KYC burden in iGaming is heavier than most verticals. Payment providers expect you to have documented source-of-funds checks, player identity verification, and transaction monitoring in place before they'll process your volume. If you're launching on a white-label platform like SoftSwiss or EveryMatrix, some of that infrastructure comes bundled. If you're building custom, you're sourcing it separately — and your PSP will ask to see the documentation before going live.
How do you get an online gambling merchant account — what's the actual process?
Getting a gambling merchant account is a formal underwriting process, not a sign-up flow. You submit a business pack to a specialist acquirer or iGaming PSP, they assess your license, traffic source, projected volume, and fraud controls, then negotiate rates and reserve terms. Realistically allow 4–8 weeks from first contact to live processing — longer if your license is still pending.
The underwriting pack is where most first-time operators stall. Acquirers want to see your gambling license (or at minimum a letter of intent from the licensing authority), your company incorporation documents, a detailed business plan with projected monthly GGR and transaction volumes, your AML/KYC policy, your responsible gambling framework, and evidence of technical integration with a certified platform. If you can't produce these, the conversation stops. I've seen operators spend two months chasing an acquirer only to discover the bottleneck was a missing AML policy document.
Specialist iGaming PSPs worth contacting at the start of your process include Payvision (now part of ING but still active in the space), Safecharge (acquired by Nuvei), Praxis Tech, Skrill/Paysafe, and PaymentIQ — which is a payment orchestration layer rather than a direct acquirer but connects you to multiple acquiring banks behind a single API. For offshore-licensed operators, companies like Fonix, Payneteasy, and Interkassa are worth evaluating. Rates and willingness to onboard vary quarter to quarter depending on their portfolio chargeback exposure, so what worked six months ago may not be the easiest path today.
One structural point: try to get two acquiring relationships approved before launch, not one. Single-acquirer setups are a single point of failure. I've watched operators go dark for 72 hours because their sole acquirer froze their account over a fraud spike. That's 72 hours of zero deposits. The redundancy conversation feels like unnecessary overhead until the moment you need it.
What fees and reserve terms should operators realistically expect?
For a newly licensed iGaming operator, expect card processing fees of 3–8% of transaction value, a rolling reserve of 5–10% held for 90–180 days, and a setup fee ranging from a few hundred to several thousand dollars depending on the provider. These numbers improve as you build processing history and demonstrate a clean chargeback ratio below 0.5%.
The rolling reserve is the cash-flow hit that surprises operators most. If you process $500,000 in deposits in your first quarter and your acquirer holds 7% for 180 days, that's $35,000 sitting in escrow you can't touch for six months. Multiply that across a year of growth and the reserve becomes a meaningful working capital constraint. Some providers offer a diminishing reserve structure — the percentage steps down after 6 or 12 months of clean processing — so negotiate for that from the start rather than accepting a flat structure.
Beyond the headline processing rate, watch for: authorization fees (typically $0.10–$0.30 per attempt, including declines), chargeback fees ($20–$50 per dispute plus the transaction value), currency conversion margins if you're accepting multi-currency, and monthly minimum fees if your volume is low in early months. A provider quoting you 3.5% can easily cost 5.5% all-in once you account for declines, chargebacks, and FX. Model the full cost, not the headline rate.
The table below gives a realistic range comparison across provider types. Note these are indicative ranges based on market conditions as of early 2026 — actual quotes depend on your license, jurisdiction, volume, and chargeback history.
| Provider Type | Processing Fee | Rolling Reserve | Reserve Hold Period | Setup Cost | Best For |
|---|---|---|---|---|---|
| Specialist iGaming PSP (e.g., Nuvei/Safecharge) | 3.5–6% | 5–8% | 90–180 days | $500–$2,000 | Licensed EU/offshore operators with documented compliance |
| Payment Orchestration Layer (e.g., PaymentIQ) | 4–7% (acquirer-dependent) | 5–10% | 90–180 days | $1,000–$5,000 integration | Operators wanting multi-acquirer redundancy via one API |
| Crypto PSP (e.g., CoinsPaid, BitPay) | 0.5–1.5% | None typically | N/A | $0–$500 | Offshore/crypto-native casinos, Curaçao/Anjouan licensed |
| E-wallet aggregator (e.g., Paysafe/Skrill) | 2.5–4.5% | Varies by agreement | 60–90 days | Negotiated | European operators needing Skrill/Neteller access |
| Local bank transfer solutions (e.g., Trustly, Volt) | 0.8–2.5% | Low or none | 30–60 days | Integration cost | Regulated EU markets (MGA, UKGC, Sweden) |
How does MCC 7995 affect your card acceptance rates and what can you do about it?
MCC 7995 is the Merchant Category Code assigned to betting and casino transactions. Card issuers use it to apply blanket blocks — many US banks, for example, automatically decline any transaction coded 7995 regardless of the merchant's legitimacy. Acceptance rates of 60–75% are common for new offshore operators; mature operators with the right acquiring setup and local card options routinely hit 85–90%.
The decline problem is partly technical and partly issuer policy. Some declines are hard blocks — the issuing bank has a policy-level rule that rejects all 7995 transactions, full stop. Others are soft declines triggered by fraud scoring on an unfamiliar merchant descriptor. You can't fix the hard blocks through technical means, but you can address soft declines by working with your acquirer on descriptor optimization, 3DS2 implementation, and velocity rules that reduce false positives.
3D Secure 2 (3DS2) is worth implementing even where it's not mandated. It shifts fraud liability to the issuing bank on authenticated transactions, which reduces your chargeback exposure, and modern 3DS2 flows have frictionless authentication for low-risk transactions — so you're not adding a step that kills conversion for every player. Providers like Nuvei and PaymentIQ have built-in 3DS2 routing logic that applies authentication selectively based on risk score.
The longer-term fix for acceptance rates is market-appropriate payment methods. In Germany, Sofort (now Klarna) and direct bank transfers are more accepted than cards for gambling. In Brazil, Pix is the dominant method. In Scandinavia, Trustly's Open Banking rails bypass the card network entirely. Building a payment mix that matches your target player geography is more effective than trying to optimize a card acceptance rate that's structurally constrained by MCC 7995.
What's the right approach to crypto casino payments — and what are the real trade-offs?
Crypto payments solve the acquiring problem for offshore operators: no MCC 7995 blocks, no rolling reserves, fees under 1.5%, and near-instant settlement. The trade-offs are real though — you inherit volatility risk, heightened FATF scrutiny, and the operational complexity of wallet management and on-chain AML. For Curaçao or Anjouan-licensed operators, crypto is often the primary deposit rail, not an optional extra.
The practical setup involves integrating a crypto payment processor — CoinsPaid is the dominant specialist in iGaming, processing a significant share of global crypto gambling volume. BitPay and NOWPayments are alternatives. These services handle wallet generation, exchange rate locking at time of deposit (so you're not holding volatile BTC on your balance sheet), and auto-conversion to a stablecoin or fiat if you want. The integration is typically an API or a white-label checkout widget that plugs into your platform's cashier. On SoftSwiss, CoinsPaid integration is essentially native.
The AML obligation is where operators underestimate the work. FATF's updated guidance on virtual assets means you need transaction monitoring on crypto flows — blockchain analytics tools like Chainalysis or Elliptic screen wallet addresses for links to known illicit activity. Your crypto PSP may offer basic screening, but for any meaningful volume you want your own analytics layer. Regulators in Curaçao and Malta are increasingly asking for evidence of crypto AML controls during license renewals, not just at initial application.
Volatility management is the other operational reality. If a player deposits 0.01 BTC when Bitcoin is at $60,000 and you don't lock the rate immediately, a 5% move before settlement costs you real money. Most crypto PSPs offer instant conversion to USDT or fiat at point of deposit — use it. Running a crypto casino with unhedged BTC exposure on your balance sheet is a treasury problem, not just a payments problem.
How should operators build their payment stack — what's the recommended order of operations?
Build your payment stack in layers: start with a primary card acquirer and one alternative method (crypto or e-wallet), add a payment orchestration layer for routing and redundancy, then expand to local payment methods as you validate specific player geographies. Don't try to launch with 15 payment methods — launch with 3 solid ones and expand based on actual deposit data.
The sequencing matters because each integration takes time and compliance work. Trying to onboard six PSPs simultaneously before launch is a guaranteed way to delay your go-live date. My recommended sequence: First, get your primary card acquirer approved — this takes the longest because of underwriting. While that's in progress, integrate a crypto PSP (CoinsPaid or equivalent) since crypto onboarding is faster and less document-intensive. Third, add one e-wallet option relevant to your target market — Skrill for European players, for instance. That three-method stack covers the majority of deposit intent for most offshore operators at launch.
Payment orchestration is the layer that makes the stack manageable at scale. Tools like PaymentIQ, Devcode, or Praxis Tech sit between your platform and your multiple PSPs, handling routing logic, failover, and reporting in one place. Without orchestration, you're managing separate integrations, separate reconciliation, and separate dashboards for each provider — which becomes operationally painful fast. If you're on a white-label platform, check what orchestration is built in before buying a standalone tool.
The expansion phase — adding Pix for Brazil, Interac for Canada, UPI for India — should be driven by deposit data, not assumptions. Pull your first 60 days of deposit attempt data, segment by player country, and identify where you're losing transactions to unsupported methods. That's your roadmap for phase two payment expansion. Launching with every method imaginable sounds comprehensive but creates compliance overhead, reconciliation complexity, and customer support burden before you have the team to handle it.
How do you manage chargebacks in iGaming — and what are the thresholds that matter?
Visa's chargeback monitoring program triggers at 0.9% ratio (standard) and 1.8% (excessive), with fines and potential account termination. Mastercard's threshold is 1.5%. In iGaming, chargebacks spike predictably around bonus abuse, account takeovers, and losing streaks. Active chargeback management — dispute responses, velocity limits, and player verification — is not optional; it's a condition of keeping your merchant account.
The most common chargeback reason code in gambling is 'transaction not recognized' — the player's family member sees an unfamiliar descriptor on the bank statement and disputes it. Descriptor optimization helps: your merchant descriptor should be recognizable, not a cryptic string of characters. Some operators use a recognizable brand name in the descriptor plus a customer service phone number. A player who can call and get a quick explanation often withdraws the dispute before it becomes a formal chargeback.
On the fraud side, the highest-risk moment is a new player's first deposit. Account takeover fraud — where a fraudster uses stolen card details to fund a gambling account — generates chargebacks that look legitimate to the issuing bank. Velocity rules (blocking multiple deposit attempts from the same IP or device fingerprint), 3DS2 authentication, and requiring KYC before the first withdrawal all reduce this exposure. Some operators require KYC before the first deposit for high-risk markets, which reduces fraud but also reduces conversion — a real trade-off you need to make consciously.
When a chargeback does arrive, you have a representment window — typically 18–45 days depending on the card network — to submit evidence. For gambling disputes, compelling evidence includes: the player's signed terms and conditions, login timestamps, game session logs, device fingerprint matching the cardholder's registered device, and any responsible gambling self-exclusion checks. Winning representments is possible but requires you to have collected and stored this evidence at the time of play, not reconstructed after the fact. Build your logging infrastructure with chargeback defense in mind from day one.
| Card Network | Standard Monitoring Threshold | Excessive / High-Risk Threshold | Consequences at Threshold | Fine Range |
|---|---|---|---|---|
| Visa | 0.9% ratio OR 100+ chargebacks/month | 1.8% ratio OR 1,000+ chargebacks/month | Enrollment in VDMP; acquirer required to submit remediation plan | $50–$100 per chargeback in excessive tier |
| Mastercard | 1.5% ratio AND 100+ chargebacks/month | 2.0% ratio AND 1,000+ chargebacks/month | Enrollment in MATCH list risk; potential acquirer fines | $1,000–$100,000 monthly fine in excessive tier |
| Amex (where accepted) | Varies by agreement | Generally stricter than Visa/MC | Account review and potential suspension | Case-by-case |
What payment compliance obligations does a licensed iGaming operator carry?
Your payment compliance obligations run in parallel with your gambling license conditions. At minimum: AML transaction monitoring, KYC identity verification before withdrawal (and often before deposit), source-of-funds checks at defined thresholds, GDPR-compliant data handling for EU players, and PCI DSS compliance if you're touching cardholder data. Skipping any of these doesn't just risk your license — it risks your PSP relationships.
PCI DSS is the one compliance requirement that surprises operators who assumed their PSP handles it. If your platform passes card data through your servers — even briefly — you're in scope for PCI DSS. Most modern payment integrations use hosted fields or redirect flows specifically to keep cardholder data off your infrastructure and reduce your PCI scope to SAQ A (the lightest tier). Confirm with your platform provider exactly what your PCI scope is before launch. If you're on SoftSwiss or EveryMatrix, their hosted cashier handles this for you. If you're building a custom cashier, you need a PCI-compliant tokenization setup.
AML thresholds vary by jurisdiction. Under Curaçao's updated framework (post-2023 reforms), operators must implement transaction monitoring and file Suspicious Transaction Reports. Under MGA rules, enhanced due diligence kicks in at €2,000 in a single transaction or €10,000 in 30 days — though in practice most MGA-licensed operators apply EDD at lower thresholds to stay ahead of regulator scrutiny. Your PSP will often ask for your AML policy document and may conduct periodic audits of your transaction monitoring setup.
GDPR compliance intersects with payments because payment data is personal data. Your PSP data processing agreements need to be in place, data retention periods for payment records need to be defined, and player data subject access requests need to include payment history. This is operational overhead that's easy to underestimate when you're focused on the technical integration, but regulators in the EU are increasingly coordinating between gambling and data protection authorities.
How do payment requirements differ across key iGaming jurisdictions?
Jurisdiction shapes your entire payment stack. A Curaçao-licensed operator primarily runs on crypto and alternative methods because mainstream card acquiring is harder to secure. An MGA-licensed operator can access Visa/Mastercard acquiring more readily but faces stricter player protection payment rules. A US state-licensed operator (New Jersey, Pennsylvania, Michigan) works within a tightly regulated acquiring framework with state-specific requirements. These aren't minor variations — they require fundamentally different payment architectures.
Curaçao and Anjouan-licensed offshore operators have historically relied on a mix of crypto, Skrill/Neteller, and specialist high-risk acquirers willing to process MCC 7995 for offshore merchants. Post-2023, Curaçao's Gaming Control Board has tightened its requirements, and some acquirers that previously served Curaçao-licensed operators have pulled back. The practical result is that crypto has become even more central to the offshore payment stack — not by choice, but by necessity.
MGA (Malta Gaming Authority) is the most acquirer-friendly license for card processing. Visa and Mastercard recognize MGA as a credible regulator, and most major European acquirers will process for MGA-licensed operators. The trade-off is the regulatory cost and the player protection requirements — mandatory deposit limits, self-exclusion integration with national registers in some markets, and strict bonus term disclosure rules that affect how you structure deposit bonuses. Payment-wise, MGA operators also need to comply with the EU's revised Payment Services Directive (PSD2) for European card transactions, which mandates Strong Customer Authentication (SCA).
US state-licensed operators (iGaming is currently live in New Jersey, Pennsylvania, Michigan, Connecticut, Delaware, West Virginia, and Rhode Island as of early 2026) work with state-approved payment processors and are subject to state-specific rules around payment methods. New Jersey, for example, prohibits credit card use for gambling deposits — players must use debit cards, e-wallets, or bank transfers. Each state has its own approved payment method list, and your platform must be certified by the state gaming board before accepting real-money transactions. The acquiring landscape is more stable here — major US banks participate — but the regulatory overhead per state is significant.
What payment infrastructure do you need on your platform before going live?
Before your first live transaction, you need: a certified cashier integration with your PSP(s), a working KYC/AML module connected to your player account system, a dispute management workflow, reconciliation reporting, and a tested withdrawal flow. The withdrawal side is where operators cut corners and regret it — players who can't withdraw quickly become chargebacks and regulatory complaints.
The cashier is the front-end interface where players select a payment method, enter amounts, and initiate transactions. On white-label platforms, this is typically provided — SoftSwiss's cashier, for instance, supports hundreds of payment methods and handles the UX. On custom builds, you're either building it yourself or licensing a cashier module. The cashier must handle deposit limits (mandatory under most licenses), responsible gambling prompts at defined thresholds, and method-specific flows (e.g., crypto QR codes, Open Banking redirects, card tokenization for saved cards).
Reconciliation is the back-office function that operators chronically underinvest in. Every transaction that hits your platform needs to reconcile against your PSP settlement reports, your player account balance movements, and your bonus accounting. Discrepancies — which happen, especially across multiple PSPs with different settlement timing — create both financial exposure and compliance risk. If your platform doesn't have a reconciliation module, you'll be doing this in spreadsheets at 2am during month-end. That's not a sustainable operating model.
The withdrawal flow deserves specific attention. Most chargebacks in gambling come from players who couldn't withdraw — either because KYC was required and they didn't complete it, or because the withdrawal method didn't match the deposit method (a common anti-money-laundering rule), or because processing was slow. Set a target of 24-hour withdrawal processing for verified players. Anything slower creates player dissatisfaction that converts into disputes and negative reviews. Your PSP selection should factor in withdrawal speed and supported withdrawal methods, not just deposit processing.
Comments
No comments yet — be the first.