Papaya Gaming
About the Company
Papaya Gaming is a market-leading mobile games company. With powerful, innovative technologies, they develop a platform that turns popular, casual, single-player games into skill-based, multiplayer experiences enjoyed by millions worldwide.
Product Used: Universal Tokens
Balancing security and compliance
As a former PCI Qualified Security Assessor, Papaya Gaming Chief Information Security Officer (CISO) Michael Abramov knows the challenges of storing sensitive payment information, especially since the time and effort of PCI compliance audits can take away from other pressing security issues.
“I’m always balancing compliance requirements with security requirements and procedures,” Abramov said. “We want to focus on securing our data and securing our users, and not spend all our time just on compliance processes.”
A big part of Abramov's compliance work as CISO is ensuring that Papaya follows the Payment Card Industry Data Security Standard (PCI DSS). The standard is meant to ensure that customer payment information is handled safely and securely.
Working with IXOPAY gave Papaya an easy solution to address PCI DSS concerns. Payment information could go directly to IXOPAY and then to Papaya's payment processors, so none of its customers' payment information would be stored in Papaya's internal systems.
Easy audits and multiple processors
One immediate benefit of working with IXOPAY is the reduced effort for PCI audits. “Our scope for the PCI audit will be really small,” Abramov says. “We don’t need to meet all the requirements because we are not storing any sensitive payment information. We don’t store the cardholder data, and the payment processing goes through IXOPAY.”
If Papaya weren’t using IXOPAY and had to store this sensitive information in their internal systems, it would be a significant and costly change to their infrastructure. According to Abramov, “We would need to change our whole environment, hardening all of our servers and enabling a lot of monitoring. And meeting these PCI requirements alone would take away from other security-related initiatives.”
Finally, working with IXOPAY allowed Papaya to easily work with multiple payment processors. With IXOPAY, there is a single token that can be used across all of its payment processors. And it gives Papaya the flexibility to easily add new processors in the future if needed.
How it works
Papaya utilizes the IXOPAY Mobile API to capture sensitive data in its mobile application. When a customer using the app provides credit card information, this information is sent directly to IXOPAY. IXOPAY stores the data and returns a non-sensitive token to Papaya. This ensures that payment information never enters their internal systems, drastically reducing their PCI scope.
When Papaya needs to charge a customer, it sends the token for that customer to IXOPAY. IXOPAY detokenizes the payment information and sends it to the appropriate payment processor. Since the IXOPAY token isn't tied to a specific payment processor, it works with all of Papaya's existing payment processors, which gives Papaya the flexibility to work across multiple processors.
“I definitely recommend using IXOPAY. I know how it has eased my life as a CISO. We are not storing any payment data within our platform, and that’s a big success for me. I don’t need to deal with it because it’s not a risk for us.”