The question I get asked more than any other — at conferences, in client calls, in late-night emails from players who just had their first PayID transaction flag for review — is straightforward: is PayID safe for online gambling? The short answer is that PayID is meaningfully safer than the alternatives. The longer answer, the one worth reading, involves specific numbers, specific mechanisms, and a frank discussion of the risks that do exist.
Here is a data point that frames the conversation. In 2023, PayID-specific scam losses in Australia totalled around A$260,000. That same year, payment card fraud hit A$854 million. Those numbers are not directly comparable — card transactions vastly outnumber PayID transactions, and the fraud categories overlap imperfectly — but the scale difference is instructive. PayID was designed from the ground up with verification features that card networks retrofitted decades after their original architecture was built. That design advantage shows up in the fraud data.
But “safer than cards” is not the same as “safe.” PayID is not immune to social engineering, phishing, or the risks inherent in sending money to an unregulated offshore casino. Over eight years of analysing payment security in Australian iGaming, I have seen every flavour of PayID-related issue — from players who sent deposits to spoofed PayIDs, to casinos that exploited the irrevocability of NPP transfers to stall withdrawals. What follows is a security analysis grounded in how the system actually works, where it protects you, and where it does not.
How NPP Protects Your Casino Payments
I spent a full day at a banking conference in 2022 listening to engineers describe the New Payments Platform’s architecture, and the thing that stuck with me was how differently they thought about security compared to the card networks. Visa and Mastercard built fraud detection as a layer on top of a system designed in the 1970s. The NPP built security into the foundation.
The NPP — the infrastructure that powers PayID — processes over 155 million transactions every month across Australia. Every single one of those transactions flows through what engineers call the Basic Infrastructure, a centralised real-time switching layer operated by NPP Australia Limited. The system uses ISO 20022 messaging, a data-rich standard that carries far more information per transaction than older payment protocols. Where a traditional card authorisation might include a merchant name, amount, and card number, an NPP message includes structured payer and payee identification, purpose codes, and contextual data fields that make pattern detection substantially more effective.
For casino payments specifically, three architectural features matter. First, PayID’s confirmation screen. Before any payment is finalised, the system displays the registered name of the recipient. Anna Bligh, who led the Australian Banking Association during the PayID rollout, pointed to this feature as a critical safeguard — you see exactly who you are sending money to before you confirm. If you are depositing to a casino and the PayID resolves to “John’s Personal Account” instead of a registered business entity, that is an immediate red flag the system surfaces for you without any technical knowledge required on your end.
Second, real-time fraud monitoring. Each of the participating banks — and there are over 100 financial institutions connected to the NPP — runs its own transaction monitoring layer on top of the central infrastructure. When you initiate a PayID payment from your ANZ or CBA account, the bank’s fraud engine evaluates the transaction against your payment history, the recipient’s risk profile, and broader pattern data before approving it. Unusual amounts, new recipients, or transactions at atypical times trigger additional screening. This happens in milliseconds, invisibly, on every transaction.
Third, irrevocability cuts both ways. Once an NPP payment settles, it cannot be reversed by the sender. This sounds like a disadvantage — and it is, if you send money to the wrong person — but it also eliminates an entire category of fraud that plagues card payments. There are no chargebacks on PayID. A casino that receives a PayID deposit knows the funds are final, which is one reason operators prefer it and why some offer faster withdrawal processing to PayID users than to card users. The casino is not carrying the risk of a reversed payment weeks later.
There is also a layer of security that players never see but benefit from constantly: multi-factor authentication at the bank level. Every PayID transaction requires you to be logged into your banking app or portal, which means you have already passed whatever authentication your bank requires — password, biometrics, SMS verification, or a combination. Compare this to typing a card number into a casino’s deposit page, where the only verification is the three-digit CVV on the back of the card. The authentication gap between these two methods is enormous, and it explains why credential theft works against cards but not against PayID.
One more technical detail worth understanding: the NPP maintains a centralised PayID registry that maps every PayID to a specific bank account. When a casino sends a withdrawal to your PayID, the registry resolves it to your BSB and account number in real time. This registry is maintained with strict data integrity controls and is not accessible to third parties. The casino never sees your BSB or account number — they see only your PayID — which adds another insulation layer between your banking details and the operator.

PayID Fraud vs Card Fraud: The Numbers
What would you think if I told you that one payment method generated A$854 million in fraud losses last financial year and another generated roughly A$260,000 in scam-related losses in 2023? You would assume the second method was either brand new or barely used. PayID is neither. More than 27 million PayID registrations exist across Australia, and roughly 20% of all Australian payments were flowing through PayID by late 2022. This is a mainstream payment method with a fraction of the fraud exposure.
The gap demands explanation, and the explanation is architectural rather than demographic. Card fraud thrives on the separation between the card number and the cardholder. A stolen card number works from anywhere in the world, at any merchant that accepts card-not-present transactions, with no direct verification that the person entering the number is the person who owns the account. The entire online card fraud ecosystem — data breaches, carding forums, automated testing bots — exploits this single weakness. PayID eliminates it entirely. There is no “PayID number” to steal. The transaction originates from your authenticated banking session, passes through your bank’s security layers, and settles directly into the recipient’s account through the NPP. There is no intermediate network where credentials can be intercepted and replayed.
That said, the comparison requires honesty about what the numbers do and do not capture. Card fraud figures include unauthorised transactions — someone using your card without your knowledge. PayID scam figures primarily involve authorised push payment fraud, where the victim willingly sends money to a scammer posing as a legitimate recipient. These are different threat models. You cannot have your PayID “stolen” and used without your knowledge the way a card number can be compromised, but you can be tricked into sending a PayID payment to someone who is not who they claim to be.
In the gambling context, the distinction matters. A card deposit to an unlicensed offshore casino carries the risk that the operator stores your card details insecurely, leading to unauthorised charges months later. A PayID deposit to the same operator carries no equivalent risk — the operator never receives credentials that can be reused. The risk with PayID at a dodgy casino is different: you send money willingly, the operator does not return it, and because the payment is irrevocable, your bank cannot reverse it. The fraud is social, not technical.
Australia’s payments market is projected to reach US$2.29 trillion by 2030, and the share handled by real-time payment rails like the NPP is growing steadily. As PayID transaction volumes increase, fraud numbers will rise in absolute terms — that is inevitable with scale. The meaningful metric is the fraud rate relative to transaction volume, and on that measure, PayID remains orders of magnitude safer than cards. For gambling transactions specifically, the absence of credential-based fraud risk makes PayID the most secure deposit and withdrawal method available to Australian players.

Real Risks When Using PayID at Casinos
A client contacted me last year after depositing A$2,000 via PayID into what turned out to be an unlicensed casino operating from Curaçao. The site looked professional, the games ran smoothly, and the deposit settled instantly through the NPP. Three weeks later, the site vanished. No withdrawal was processed, no support email was answered, and because the PayID payment was irrevocable, the bank could not help recover the funds. This is the real risk of PayID in online gambling — not a flaw in the payment technology, but the permanence of a payment sent to the wrong place.
The first and most significant risk is depositing at unlicensed operators. ACMA has blocked 1,708 illegal gambling websites as of May 2026, and over 230 illegal services have voluntarily exited the Australian market under regulatory pressure. These numbers illustrate the scale of the problem: hundreds of operators target Australian players without holding valid licences, and PayID’s speed and simplicity make it as easy to deposit at an illegitimate site as at a legitimate one. The NPP does not distinguish between a licensed operator and a scam — it processes the payment either way.
The second risk is social engineering. Scammers posing as casino support agents contact players via email or social media, claiming that a withdrawal requires a “verification deposit” to a specific PayID. The player, eager to access their winnings, sends money to a scammer’s PayID instead of the casino’s. The confirmation screen shows a name, but the player may not recognise that the name does not match the casino’s registered business name — especially if the scammer uses a similar-sounding alias. Legitimate casinos never ask for additional deposits to process withdrawals. Any such request is a scam, full stop.
The third risk is more subtle: the irrevocability that protects casinos from chargebacks also removes a layer of player protection. With credit card deposits, a player who is genuinely defrauded by an operator — winnings withheld without cause, account frozen without explanation — can initiate a chargeback through the card issuer. No equivalent mechanism exists for PayID. If an operator refuses to honour a legitimate withdrawal, the player’s recourse is limited to filing a complaint with the operator’s licensing authority and, if necessary, pursuing legal action. The payment system itself offers no dispute resolution.
The fourth risk involves data privacy. When you register a PayID with your phone number or email address and use it to deposit at a casino, the operator now has that identifier linked to your gambling activity. Most legitimate operators handle this data under Australian Privacy Principles, but offshore operators may not. If an unlicensed casino’s database is compromised, your PayID identifier — your phone number or email — is exposed along with your gambling transaction history. This is a privacy risk that does not exist with bank transfers using BSB and account numbers, which are harder to link to other personal information.
A fifth risk is worth mentioning because I see it regularly in my consulting work: the false sense of security that PayID’s technical robustness can create. Players who understand that PayID is cryptographically secure and fraud-resistant sometimes extend that trust to the entire transaction — including the operator on the other end. The payment method is secure. The casino accepting the payment may not be. These are separate trust domains, and conflating them is how technically sophisticated players end up losing money at illegitimate sites. The Crown Resorts case — where a major, licensed operator was fined A$450 million for systematic AML failures — demonstrates that even well-known brands can have serious compliance gaps. Regulatory standing matters, but it is not a guarantee of operational integrity.

A Practical Safety Checklist for PayID Gamblers
After years of fielding questions from players who lost money to avoidable mistakes, I started compiling a pre-deposit checklist. It is not glamorous, and it will not make you feel like a high roller, but it has saved the people I work with from real financial harm.
Verify the operator’s licence before your first deposit. Australian-licensed operators display their licence details on-site and can be cross-referenced with the relevant state or territory regulator. For operators licensed in other jurisdictions — Malta, Gibraltar, the Isle of Man — verify the licence directly on the regulator’s public register. If you cannot find the operator on any regulatory register, do not deposit. The fact that a site accepts PayID does not mean it is legitimate. Amanda Rishworth, Australia’s Minister for Social Services, has championed reforms aimed at preventing harm from online wagering, and part of that effort involves tightening the net around unlicensed operators — but the net still has holes, and the first line of defence is your own due diligence.
Use a dedicated email address as your PayID for gambling transactions. Do not use your primary phone number. This limits your exposure if the operator’s database is compromised and keeps your gambling activity separate from your primary communication channels. Most banks allow you to register multiple PayIDs and switch between them, so the setup takes minutes.

Check the PayID confirmation screen every time. When you initiate a deposit, the NPP displays the registered name of the recipient before you confirm the payment. Read it. Does it match the operator’s registered business name? Is it a company name or an individual’s name? Legitimate casino operators process payments through registered business entities, not personal accounts. If the confirmation screen shows “Dave Smith” when you are trying to deposit at a casino, cancel the transaction immediately.
Set deposit limits through your bank, not just through the casino. Most Australian banks offer PayID transaction limits that you can adjust through their mobile app. Setting a daily outgoing limit — say, A$500 — means that even if you are compromised by a social engineering attack, the maximum loss is capped by your bank’s controls rather than the scammer’s ambition. This is a blunt instrument, but it works.
Never send a “verification deposit” to unlock a withdrawal. This is the single most common PayID-related scam in the gambling space, and it works because players are emotionally invested in accessing their winnings. No legitimate operator requires an additional deposit to process a withdrawal. If anyone — via email, live chat, social media, or phone — tells you otherwise, they are attempting to steal your money.
Keep records of every PayID transaction. Screenshot the confirmation screen, note the date and time, and save any correspondence with the operator about deposits and withdrawals. If you need to file a complaint with a regulator or pursue a dispute, contemporaneous records are substantially more effective than reconstructing events from memory weeks later.
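The confirmation-screen, bank-limit and "verification deposit" checks from this checklist, written out as an added Python example (not code from any bank, the NPP or an operator). The operator name, the suffix list, the 0.85 similarity threshold and the scam-phrase pattern are all constructed assumptions for illustration.

```python
import re
from difflib import SequenceMatcher

# Legal-entity suffixes ignored when comparing names (constructed, not exhaustive).
ENTITY_SUFFIXES = {"pty", "ltd", "limited", "proprietary", "inc", "llc", "plc"}
# Wording typical of the "verification deposit" scam described in the article.
SCAM_PHRASE = re.compile(r"verif\w*\s+(deposit|payment|fee)", re.IGNORECASE)

def tokens(name):
    """Lower-case a name, replace punctuation with spaces, split into words."""
    return re.sub(r"[^a-z0-9 ]+", " ", name.lower()).split()

def check_payee(displayed, registered, threshold=0.85):
    """Compare the confirmation-screen name with the operator's registered name."""
    shown = [t for t in tokens(displayed) if t not in ENTITY_SUFFIXES]
    expected = [t for t in tokens(registered) if t not in ENTITY_SUFFIXES]
    ratio = SequenceMatcher(None, " ".join(shown), " ".join(expected)).ratio()
    if shown == expected:
        verdict = "match"
    elif ratio >= threshold:
        verdict = "lookalike"  # near miss, e.g. transposed letters: treat as spoofed
    else:
        verdict = "mismatch"
    is_business = any(t in ENTITY_SUFFIXES for t in tokens(displayed))
    return verdict, is_business

def pre_deposit_flags(displayed, registered, amount, sent_today, daily_limit, request_text=""):
    """Return the reasons to cancel a deposit; an empty list means no flags raised."""
    flags = []
    verdict, is_business = check_payee(displayed, registered)
    if verdict != "match":
        flags.append("payee name " + verdict)
    if not is_business:
        flags.append("payee looks like a personal account")
    if sent_today + amount > daily_limit:
        flags.append("exceeds daily outgoing limit")
    if SCAM_PHRASE.search(request_text):
        flags.append("verification-deposit request")
    return flags

if __name__ == "__main__":
    registered = "Example Gaming Pty Ltd"  # constructed operator name
    print(pre_deposit_flags("EXAMPLE GAMING PTY LTD", registered, 200, 100, 500))
    print(pre_deposit_flags("Exampel Gaming Pty Ltd", registered, 200, 100, 500))
    print(pre_deposit_flags("Dave Smith", registered, 450, 100, 500,
                            "Send a verification deposit to unlock your withdrawal"))
```

A "lookalike" verdict warrants the same response as a mismatch: cancel, then confirm the payee name through the operator's licence record rather than through the message that supplied the PayID.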
