Payline
Compliance

Compliance isn't a feature.
It's the foundation.

Every line of Payline was written knowing a prosecutor or auditor might read it. HB 353, FinCEN, PCI scope — they're not afterthoughts. They're the constraint we designed around.

Georgia HB 353

Built for July 1, 2026.

HB 353 mandates cashless redemption for all Class B COAM payouts in Georgia by July 1, 2026. Payline was architected against the bill text — receipt structure, $999/transaction cap, full reconciliation between operator/location/master shares, and an audit chain that survives subpoena.

  • Receipt structure aligned with HB 353 § 50-27-83 reporting
  • Operator share / location share / master share split enforced in code
  • Mutha Goose master report parser validated against real receipts
  • Daily reconciliation report exportable to PDF + CSV

FinCEN

Money services compliance.

Payline operates under the $999/transaction limit FinCEN sets for gift card programs to avoid MSB classification. Velocity rules, AML flags, and daily/weekly caps are enforced server-side, not just client-side.

  • $999 per-transaction hard cap (cents-precise: 99,900)
  • Per-player daily and weekly velocity limits
  • AML rule: 12 redemptions / 24h triggers review
  • Suspicious activity hooks for SAR filing

Audit

Tamper-evident hash chain.

Every event — redemption, reload, operator action, service ticket, AXES HW event — is hashed and chained. SHA-256, append-only, exportable. The chain is verifiable: change any entry and the next hash breaks.

  • SHA-256 hash chain over every audit event
  • Append-only — no UPDATE, no DELETE, by schema
  • Quarterly cryptographic proof export for regulators
  • Operator and master actions both recorded
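
The chaining described above, as an added example (not Payline's code): each record's SHA-256 covers the previous record's hash plus the event, and a verifier walks the chain and reports the first record that fails. The record layout, field names, all-zero genesis value and the externally stored head hash are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor for the first record

def entry_hash(prev_hash, event):
    # Canonical JSON: the same event always serializes to the same bytes.
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + "\n" + body).encode()).hexdigest()

def append(chain, event):
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"event": event, "prev": prev, "hash": entry_hash(prev, event)})

def verify(chain, expected_head=None):
    """Return None if intact, else the index of the first failing record.

    expected_head is a head hash stored outside the database (assumed here to
    come from an earlier export). A mismatch returns len(chain): it catches
    truncation and a full rewrite-and-rehash, which link checks alone miss.
    """
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev or rec["hash"] != entry_hash(prev, rec["event"]):
            return i
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return len(chain)
    return None

def build_sample():
    # Constructed sample events, not real Payline records.
    chain = []
    for ev in (
        {"type": "redemption", "player": "p-001", "amount_cents": 2500},
        {"type": "reload", "player": "p-001", "amount_cents": 5000},
        {"type": "operator_action", "actor": "op-7", "action": "void_ticket"},
    ):
        append(chain, ev)
    return chain

if __name__ == "__main__":
    chain = build_sample()
    head = chain[-1]["hash"]  # value that would be exported and kept offline
    print("intact:", verify(chain, head))
    chain[1]["event"]["amount_cents"] = 1
    print("first bad index after edit:", verify(chain, head))
```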

PCI

Minimum-scope card data.

Payline never sees a full PAN. Our issuing partner issues the cards directly; we receive only the last 4, the expiry, and our internal card_id. The consumer Payline wallet renders tokenized data via the issuer SDK.

  • Issuer-rendered card detail (via our issuing partner)
  • No PAN in our database, no PAN in logs
  • PCI scope: SAQ A (the smallest)
  • Webhook signature verification on every issuer callback

Need our compliance binder?

We share architecture diagrams, audit-chain proofs, and counsel letters with serious operators under NDA.