SECURITY

KEEPING YOU SECURE
IS OUR #1 JOB

We at Xsolla are here to help your gaming business succeed, built on a foundation of always-evolving data and transaction safety practices.

The Xsolla team backs every product, tool, and service with technology and procedures that meet and exceed the highest industry standards for security, monitoring, and privacy. And we always seek newer, more effective ways to ensure every corner of our network stays airtight.

Though that work is complicated, our approach is simple: we have zero tolerance for anything other than 100% security. We regularly collaborate with our clients to evaluate measures and outcomes, followed by necessary adjustments and upgrades to continue keeping everyone’s business and information safe.

Security

24/7 SAFETY, FOR YOU
AND YOUR PLAYERS

Security has two sides: protecting the information your customers entrust to you and that you entrust to us, and ensuring no one creates an account or completes a transaction with stolen information.

Our practices address both — tailored exclusively for the video gaming industry — while providing maximum security and the maximum number of successful transactions.

360-degree defense

Multiple, layered systems and procedures

Practices
We use data center hosting partners that are SOC-2, PCI DSS, and ISO27001 certified for security and availability, and they have built in multiple levels of redundancy.
We have implemented intrusion detection and prevention systems to identify potential security issues.
We encrypt all sensitive data by default, using Transport Layer Security (TLS) with Perfect Forward Secrecy (PFS).
We perform regular penetration tests to keep the perimeter secure and discover security threats.
We have implemented a Distributed Denial of Service (DDoS) protection system to mitigate all known attacks.

Monitoring and testing

99.95%+ systems uptime

We constantly monitor key metrics to continually improve availability and performance. Our availability status is published in real time, and our infrastructure takes advantage of elastic scale, geo-redundancy, and fault tolerance.
Practices
We execute multiple daily backups of all systems and services, local and external, with 30-day retention, for guaranteed data loss prevention.
We follow ITIL-based service operations processes: event management, incident management, problem management, request fulfillment, and knowledge management.
Our systems have built-in fault tolerance, meaning all critical systems have redundancy, so there is no single point of failure.
Our disaster recovery plan includes a backup standby data center in case of major failure of the primary site.
Our global monitoring system covers all layers of technical infrastructure, using best-in-class solutions such as New Relic, Nagios, Grafana, and Pingdom Uptime.
Our team handles requests 24/7, including weekends and holidays, with an escalation system ensuring the right people are connected and can quickly resolve issues.
Our infrastructure architecture is scalable, allowing us to easily expand and contract our resource pool for heavier loads.

Fraud prevention

99% of fraud blocked + maximum transaction success

Practices
Our proprietary machine learning algorithm separates fraudulent traffic from legitimate traffic, and is automatically updated using over a decade of game and transaction data.
We design and deploy our specialized technology to prevent chargebacks, scammer fraud, and game key theft.
We prevent fraud stemming from various payment forms, including bank card, eWallet, bank transfer, mobile, prepaid cards, and cash.
Our multi-level verification includes 3D Secure and micro-transaction verification to confirm the player’s access to the bank account. For non-face-to-face transactions, we cross-reference the cardholder’s address with the card issuer’s records.
The goal of our fraud solution is to approve the maximum number of valid transactions, for maximum income. We use multiple verification steps, including manual review of all suspicious transactions, to minimize false positives.
We use configurable prevention techniques that can address different business models and game genres. These custom parameters allow analysis of player registration dates, hours played, and in-game behavior.
We use cross-game analytics to prevent fraud detected in one game from migrating to others, enabling cross-game blacklisting to defeat serial fraudsters.
Our Region Lock feature allows region-specific adaptability, to prevent cross-border arbitrage.
We assume liability for chargebacks and fraud, as your Seller and Merchant of Record, including all legal and financial responsibility and repercussions.
Privacy

YOUR DATA ALWAYS
BELONGS TO YOU

Our data collection and processing procedures require the least information necessary to provide the service you need.

Personally identifiable data

You may always withdraw your consent for access or use.

Third-party access

Every partner meets Xsolla standards and Privacy Policy.

Data access, use, storage

We collect the least information possible.

Practices
We comply 100% with industry regulatory standards, including the EU General Data Protection Regulation (GDPR), in effect since May 25, 2018. To prepare, Xsolla audited and updated our internal legal review process, verifying GDPR compliance with our security measures. We also trained privacy personnel and employees and helped our partners prepare for GDPR implementation.
We collect the minimum data necessary for fulfillment and processing purposes, and our use of that data is limited, meaning we use it exclusively for purposes set out in our Privacy Policy.
We store personally identifiable data for the minimum time necessary for fulfillment and processing purposes.
We process personal data legally, fairly, and transparently. We make information about the purposes, methods, and volumes of personal data processing as accessible and simple as possible.
We immediately remove or correct inaccurate personal data at your request. You have the right to demand correction of your inaccurate personal data without undue delay on Xsolla’s part.
You may decline to share personally identifiable data with Xsolla or withdraw your consent for the processing of personal data and request the withdrawal of information, though in some cases this will affect our ability to deliver certain features and functionality.
You may require Xsolla to remove your personal data submitted to us earlier, and we will do it immediately if such data is no longer needed for processing purposes.
You may review and opt out of receiving personalized ads and sharing your information with third parties for direct marketing purposes at any time, by visiting http://optout.aboutads.info.
We require all third parties with access to personal data (for purposes of providing services such as web hosting, order fulfillment, and data analysis and reporting) to process that information in compliance with our Privacy Policy. We authorize only a limited use of such information, and we require these parties to use reasonable confidentiality measures.
COMPLIANCE

EXAMINE THE STANDARDS
WE HOLD OUR SYSTEMS TO

We look to reputable organizations worldwide to share best practices and dedicate ourselves to fulfilling them all — and then some.

PCI DSS compliant

v3.2 Level 1 standard as a Service Provider

ISO compliant

27001 standards met for private servers

ITIL implementation

For efficient event and incident management
Practices
We comply with the PCI DSS v3.2 Level 1 standard as a Service Provider, meaning Xsolla meets the key security standard within the payments industry.
Our practices adhere to SSAE16 SOC-1 Type II and ISO 27001 standards through Equinix data center colocation. Our private servers are located in Equinix, one of the most reliable data centers in the world — a Tier 3 data center certified as compliant.
We comply with the Visa Third Party Agent Registration Program, which ensures Visa clients comply with Visa Rules, the Payment Card Industry Data Security Standard (PCI DSS), and other security standards regarding the use of Third Party Agents.
We implement DDoS prevention through advanced protection systems that can mitigate attacks of up to 100 Gbps.
We use ITIL-based processes to maintain the efficient delivery of service, including event management, incident management, problem management, request fulfillment, and knowledge management.
PARTNERS
WORLDWIDE

MEET OUR PAYMENT PARTNERS
AROUND THE GLOBE

We rely on a vast network of professionals to deliver what you need, and we ensure every partner and third party meets the highest standards.
Xsolla works only with the most reputable, broad-reaching partners in the payments industry. And we seek regional and local payment partners who meet or exceed the same standards our largest partners do.
165+ payment provider partners
130+ countries and territories
700+ payment methods

HAVE MORE QUESTIONS ABOUT SECURITY AT XSOLLA?

Our team is here to answer them.