Millions of microtransactions
Customer story: E-Commerce

Video Game Payment Software Solutions Speak Toward Scaling Any E-Commerce Security

Have you ever paid to change your eye color? Would you pay for an amazing cybernetic weaponized arm or turbo engines? Evidently, millions of ordinary people will. Sometimes something niche revolutionizes a much bigger industry. Enter video game payment software solutions. Nothing has done more for e-commerce and the elasticity of in-app purchases than video games exchanging virtual bounties for real-world currency. In-game purchases are filled with tough challenges around surges in traffic, international players, multiple currencies, and high-volume micropayments. At the heart of that is Xsolla, a payment solutions company designed for online gaming.

Life in 2005 witnessed the unveiling of Xbox 360 and PlayStation 3, over $10.5B of US sales for the video game industry, and the newly born MMORPG World of Warcraft ranked #1 as the top-grossing video game. By 2020, it’s expected that over $32B will be spent on in-game purchases alone—three times the total of the 2005 sales across the industry, from accessories to hardware.

In the early days, Xsolla operated local small and medium payment systems that let video gamers buy in-game goods with cash. Monetization of gaming was a fresh concept, growing in tandem with larger builds, open worlds, and sequences. Now, the market continues to grow. In-game purchases are a niche form of in-app purchases. And Xsolla has grown as well. Far from localized purchasing, they are now a multinational company that covers:

  • Payments for Ubisoft, Atari, Twitch, Epic Games, Phoenix Labs, and more
  • 200+ geographies and 20+ languages
  • 700+ payment methods and 130+ currencies
  • 42M+ transactions processed annually
  • Transactions automatically 100% PCI DSS compliant, with no additional work for the game provider
  • Compliance with regional laws, taxations, and payment fees
  • Localized UI, multilingual support

Helping Xsolla Help Their Customers Gain Potent Security

So, how does Xsolla guarantee and deliver security to its global clients? Every year they block millions of fraudulent transactions.

As a financial services company, Xsolla cannot prioritize anything more than protecting its customers’ funds and safeguarding not only Xsolla’s customer loyalty, but the reputation of their clients with paying players. The complexity of that challenge grew exponentially as Xsolla grew from a local company to a worldwide service. Their clients depend on global players paying in whatever way is most convenient. Compliance with PCI DSS was crucial.

In 2015, it wasn’t enough to rely on in-house security teams. Legacy solutions were raising concerns. Testing was showing vulnerabilities—and it wasn’t enough to wait for hackers to find an opportunity. They wanted to be as sure of their security as they told their clients they were. Both the traffic and how much depended on security had reached critical mass. Xsolla needed an application security solution that was as forward-thinking as they were.

An initial implementation based on ModSecurity WAF had failed an audit. Xsolla was looking for something that would protect against a broader range of threats and at the same time would be easy to use and grow with their company. And they wanted it to be as continuous and thorough as they are in their own CI/CD. There is no time for slowdowns when the global gamer is always online.

Ideally, they could add security testing to their workflow without diverting valuable resources to backtracking and manual administration. They wanted to focus on improving their own services and expanding each client’s reach.

Xsolla needed plug-and-play security as sophisticated as the best open world MMORPG—without the years of development.

“We have used Wallarm since 2015 and, after the initial training period, have extended its deployment to anywhere in the company and are using it in blocking mode. I can recommend this solution to anyone as a strong and effective WAF to reduce risks of hacker attacks.”

Wallarm Finishes the Competition

Wallarm helped Xsolla level up their security game without reinventing the wheel. It provided the ease of use they needed, intelligent threat detection, and critically helped them with compliance.

On globalizing in 2013, Xsolla was suddenly connected with international payment and banking systems in the US, Germany, France, etc. Compliance became paramount. To be on the international market they were required to be certified under PCI DSS, specifically where requirement 6.1 called for a WAF.

Following the failed deployment with ModSecurity, Xsolla tested out Wallarm FAST and WAF. Here’s how Wallarm saved the day:

  • No ongoing feeding and care: “Unlike ModSecurity, Wallarm is an Enterprise solution with full support and doesn’t require ongoing feeding and care. Once we turned it on, all we do is look at the reports and, from time to time, review the rare false positives and feed the information back into the system.”
  • Compliance ease: “Security and compliance is primary to securing users’ money in addition to users’ PII. If this is lost, it’s a huge blow to the company’s reputation and can bring the entire business down.”
  • Plug-and-play deployment: “We didn’t need to change anything in the application deployment infrastructure. The installation itself didn’t need much work at all.”
  • Smarter technology means ML grows with us: “Each of our custom self-written applications had its own load and its own traffic profile. Wallarm is a self-learning system, so it was initially in the learning mode to understand each of the contexts and learn each of the applications.”
  • Excellent customer service: “We have very good interactions with Wallarm technical support. We have a direct channel and we get responses immediately and like it.”

“The key things we were looking for in a security solution are effectiveness, ease of use, ease of deployment and good technical support. Wallarm met all of these.”


Results TKO: More Than a Technical Win

It took about 7 months for Wallarm to learn and to be moved into blocking mode for all web applications. If there were any questions, issues, or the rare false positives, Xsolla was able to quickly work with technical support to fix issues and customize the monitoring. Now, Xsolla uses Wallarm as a dynamic module for NGINX. Deployment did not require substantial changes to the infrastructure, because Wallarm was installed as a dynamic module on existing NGINX nodes.

Xsolla is able to extend the security it feels to its customers with their 100% guarantee of liability for player payments, in any country and currency it serves. With Wallarm deployed and people trained across Xsolla’s custom applications and distributed infrastructure, Xsolla is able to satisfy PCI DSS compliance requirements confidently.

The biggest takeaway for Xsolla was that Wallarm is an incredibly easy product to use, with no sacrifice in how comprehensive its security is. They love the machine learning aspect, which allows them to focus on growth. The interface is truly clear. And there were no problems training anyone in their company. Switching to Wallarm’s enterprise solution with support meant minimal resource participation from Xsolla. Once tuned initially, it just worked. Instant security upgrade.