WinUpGo
Demo gamesTOP Casino
TOP CasinoSOFT CasinoWorld CasinoTelegram CasinoBOT CasinoSports CasinoHot Topics
SOFT CasinoWorld CasinoTelegram CasinoBOT CasinoSports CasinoHot Topics
Search
WinUpGo Wiki - encyclopedia of online casinos, slots and iGaming industry WUG WIKI
No deposit bonuses Bonuses
Slot machine providers Providers
Slot machines Top slots
CASWINO
SKYSLOTS
BRAMA
TETHERPAY
777 FREE SPINS + 300%
Personal account Office
Community Chat Australian Pokies
Live chat Chat
Online support Customer support
Cryptocurrency casino Crypto Casino Torrent Gear is your all-purpose torrent search! Torrent Gear

How bank card payments are regulated

Payments to bank cards are one of the most sensitive processes for online casinos: payment rules of card systems, requirements of licensing regulators, partner banks and anti-fraud converge here. An error in the settings leads to merchant locks, chargers, fines and player dissatisfaction. We analyze the architecture, rules and best practices.

Participants in the process and who is responsible for what

The player - the owner of the card/account, initiates the withdrawal.

Operator (casino) - checks KYC/AML, generates a request for payment.

PSP/Payment gateway - routes the transaction to the desired bank/scheme, applies anti-fraud.

The acquirer is the merchant's bank, accepts and processes the transaction on behalf of the operator.

Payment system - Visa/Mastercard: regulations, types of transactions, messaging.

The issuer is the player's bank, credits funds and conducts compliance checks.

Basic Legal Framework

1. Gambling license: establishes payment rules, terms, verification procedure.

2. AML/CFT: mandatory KYC/EDD, sanctions checks/PEP, "source of funds" for large amounts.

3. Payment law: requirements of local regulators and card schemes for operations with MCC 7995 (gambling).

4. Data protection: PCI DSS (working with PAN/CVV), local laws on personal data (for example, GDPR in the EU).

5. Authentication: SCA/3-D Secure 2 for accepting payments; other scenarios apply for outgoing transactions, see below.

MCC 7995 and the "special mode" of gambling operations

Merchant category code 7995 signals banks and schemes that these are gambling operations. For him, they often act:
  • strict geo-restrictions and prohibitions by country/state;
  • increased monitoring by acquirers and issuers;
  • separate requirements for limits, reporting and supervision;
  • some banks have custom locks/filters for MCC 7995.

Refund ≠ Payout: what's the difference

Refund - cancellation (full/partial) before accepted deposits on the same card and within the amount of funds deposited. This is a correction of the previous purchase, not a "win deduction."

Payout/Push-to-Card - outgoing transfer from the merchant to the client's card (usually wins/compensation). Performed through special messages of card schemes:
  • Visa Direct: OCT (Original Credit Transaction) - credit transaction on the card.
  • Mastercard Send: AFT/OCT-analogue - crediting to a card/account.

Refund and Payout live by different rules, limits and anti-fraud procedures. An attempt to "disguise" the conclusion as a return is a frequent reason for sanctions against the merchant.

What the output to the map technically looks like

1. The player requests payment → the operator passes KYC/AML (if necessary - EDD, SoF/SoW).

2. The PSP sends OCT/AFT with card details to the network (often via tokenization; PAN can be replaced by a network token).

3. The acquirer validates the MCC/limits/countries, runs the anti-fraud rules and routes them to the scheme.

4. The payment system delivers a message to the issuer; the player's bank makes its own compliance checks.

5. Upon approval, enrollment usually takes place within minutes-hours (in some countries up to 1-3 working days), depending on the bank and the availability of push-to-card.

💡 Note: OCT/AFT 3-D Secure does not apply - this is not a purchase, but an outgoing transfer; protection here is built at the expense of KYC/AML, velocity controls and merchant/bank risk rules.

Limits, deadlines and geo-constraints

OCT/AFT limits are set by schemes, acquirer and operator: daily/monthly, by transaction, by the sum of conclusions.

Terms: the operator has a license regulation (for example, X hours/days for processing), the bank has internal credit SLAs.

Geography: not all issuers and markets accept push-to-cards for MCC 7995; some countries/regions are completely blocked.

Currency: conversions at the rates of schemes/banks and additional commissions are possible.

AML/KYC and anti-fraud for payments

CCM/Age/Geo - before the first withdrawal; for large amounts - EDD and "source of funds/wealth" request.

Bundle "deposits → game → conclusion": play-through rule (minimum activity), prohibition of transfers to third parties.

Velocity-controls: frequency/speed of outputs, patterns "depozit→min. igra→vyvod," attempts to split amounts.

Device/IP analysis, BIN checks (issuer country vs player jurisdiction), negative lists, behavioral signals.

On-us/Off-us logic: different risk profiles for cards of the same bank/different banks.

Travel Rule/crypto: if the output goes to the map through the crypto provider, an on-chain screening at VASP is added.

SCA/3-DS and why it is important for the player to know

At the entrance (deposits): SCA/3-DS2 reduces the risk of chargebacks and confirms that it was the owner who paid.

Output (payout): SCA is usually not required - the operator pays "in one gate," and the risks are covered by KYC/AML and PSP/bank controls.

Chargers, controversy and returns

Chargeback is possible on a deposit (for example, "I did not pay," "service not provided").

Conclusions (OCT/AFT) in the classical sense are not charged, but may be rejected/delayed due to AML/sanctions/issuer limits.

The operator is obliged to reconcile: link deposits, gaming activity and conclusions, store logs and correspondence for possible proceedings.

Commissions and economics

For the merchant, there are interchanging/scheme/acquiring rates for models other than accepting payments.

For a player, payments are often without commission, but possible:
  • currency conversion, fees from the receiving bank, limits on the number of free withdrawals.

Technical and compliance requirements for integration

PCI DSS (if storing/processing PAN; better - tokenization at PSP).

Segregation of environments and access logging; prohibition of manual edits in prod.

Version register and hash control of payment modules; link to games backend and wallet/PAM logic.

Reporting to the regulator: payment uploads, limits, incidents, complaint/ADR management.

Transparent client communication: terms, statuses, reasons for refusals, list of documents.

Regional nuances (in general terms)

EU/UK: hard AML/KYC, SCA for deposits, increased supervision of MCC 7995, developed Visa Direct/Mastercard Send network.

USA: large cards support push-to-cards, but at the state level strict gambling rules; ASN/proven alternatives are often used.

Latin America/Asia: heterogeneous OCT/AFT support; local alternatives and payments to accounts/wallets are popular.

Turkey and a number of restricted markets: card payments under MCC 7995 may not be available; other methods are used within the framework of the law.

What should the operator do (checklist)

1. Set up the official MCC 7995 at the acquirer; do not mask operations.

2. Separate refund and payout, use Visa Direct/Mastercard Send (OCT/AFT) for conclusions.

3. Embed KYC/EDD/AML screening at the time of the output request; create a play-through policy.

4. Include velocity limits and geo/BIN checks; log solutions.

5. Publish payment terms and limits, list of valid cards/countries, reasons for possible refusals.

6. Support PCI DSS/tokenization, maintain clear reconciliation and reporting to the regulator.

7. Have fallback channels (bank transfer, wallets) in case of issuer refusal.

8. Train support to explain the differences of the refund vs payout and collect documents correctly.

As a player to understand that everything is fair (checklist)

The rules clearly spell out the deadlines, limits, the difference between return and withdrawal.

The casino asks KYC before a major withdrawal and explains what documents are needed and why.

The payment goes to the same card (or to you personally), there are no transfers to "third parties."

There are transparent complaint/ADR channels, application status history and substantive support.

Frequent misconceptions (short)

'I'm obliged to put any winnings back on the card as a refund. "- No, the refund applies only to previously made deposits; winnings - via payout (OCT/AFT).

"3-DS is required on output. "- No, other controls are used for outgoing transactions.

"You can map a friend/relative. "- In the licensed sector prohibited: only in the name of the account owner who has passed KYC.

Payments to bank cards in iGaming are regulated simultaneously by the license, AML/KYC, Visa/Mastercard rules for MCC 7995 and bank policies. The correct scheme is payout via OCT/AFT, transparent deadlines and limits, strict compliance and intelligible failure scenarios. Everyone benefits from this: the player quickly and predictably receives money, the operator retains licenses and acquiring, and banks - the purity of payment flows.

× Search by games
Enter at least 3 characters to start the search.