I reviewed this situation and thought about it an extensive amount. I have no ill feelings towards Dean but strongly agree with Dooglus and his opinion regarding this.
The situation reminded me a bit of Phil Ivey's edge sorting (there are a few key differences, though). Read here:
http://regressing.deadspin.com/how-phil-ivey-beat-or-maybe-cheated-a-casino-for-mill-1562993963
^ In this situation Ivey should be paid and Borgata should sue the card company; however, Borgata has a massive legal team and endless terms & conditions.
With regards to PRC, the game was played as intended, as described in the verification section, and some compensation is due. I thought about what I'd do: personally, if I was in Dean's shoes I'd refund Sjess in full; if it was a massive amount, though, I'd probably consider some sort of partial settlement.
Given that your site is just starting off and Sjess arguably should have reported this error rather than exploit it, I recommend you provide Sjess a half refund at minimum.
In the end it is mainly PRC's fault for not properly testing their website. I recommend they reach out to Sjess to do some pentesting rather than punish him.
Regardless, I wish you luck with the site; it could someday fill J-D's shoes.