The verdict in three sentences
If you accept bank cards online in Senegal, you are subject to PCI-DSS, and almost all SMEs fall under Level 4 (fewer than 20,000 card transactions a year). The good news: by using a hosted payment page (Stripe, CinetPay, PayDunya), you inherit their compliance and your cost drops to near 0 FCFA. The bad news: a custom checkout that touches card data exposes you to an audit, quarterly scans and 400,000 to 800,000 FCFA in annual fees.
Which PCI level applies to you?
PCI-DSS classifies merchants by card transaction volume. Here is the 2026 grid applied to the Senegalese context.
| Level | Cards/year | Validation | Who's concerned |
|---|---|---|---|
| Level 1 | > 6 million | On-site QSA audit | Large banks, PSPs |
| Level 2 | 1 to 6 million | SAQ + ASV scan | Large e-merchants |
| Level 3 | 20,000 to 1 million | SAQ + ASV scan | Mid-size e-commerce |
| Level 4 | < 20,000 | SAQ self-assessment | Most SMEs |
Level 4 requires an annual self-assessment (SAQ), quarterly external scans by an approved ASV, and an absolute ban on storing card data in cleartext. The SAQ type depends on how you integrate payment.
Real cost by integration type
The real cost lever is checkout architecture. The more you touch card data, the more your PCI scope explodes. The figures below are 2026 estimates.
| Integration | SAQ type | PCI scope | Estimated annual cost |
|---|---|---|---|
| Hosted page (redirect) | SAQ A | Minimal | ~0 to 50,000 FCFA |
| iframe / tokenised field | SAQ A-EP | Reduced | 100,000 to 200,000 FCFA |
| Custom checkout (card on you) | SAQ D | Full | 400,000 to 800,000 FCFA |
| Non-compliant card storage | Non-compliant | Penalty risk | Fines + fraud liability |
The quarterly ASV scan alone costs around 150,000 FCFA a year. On a custom checkout, add technical remediation, documentation and internal time: the total escalates fast. The hosted page removes this scope because you never see the card number.
Which PSPs reduce your scope?
| PSP | Hosted page | Card tokenisation | Reduces to SAQ A |
|---|---|---|---|
| Stripe | Yes (Checkout) | Yes | Yes |
| CinetPay | Yes | Yes | Yes |
| PayDunya | Yes | Partial | Yes |
| Wave / Orange Money | No card (mobile money) | N/A | Outside PCI scope |
Strategic tip: in Senegal, a majority share of payments go through Wave and Orange Money, which are not cards and fall outside PCI scope. Reserving cards for the diaspora via a Stripe hosted page keeps you at SAQ A.
Mini case study
Ibrahima launches an electronics shop in Dakar. His developer suggests a "prettier" custom checkout that collects the card on his own form. Hidden cost: SAQ D, ASV scans (150,000 FCFA/year), remediation and documentation, roughly 650,000 FCFA the first year. We switch to Stripe Checkout (hosted page) for diaspora cards and Wave/OM for local. Result: scope reduced to SAQ A, compliance cost near 0 FCFA, and an equally smooth checkout. Net year-1 saving: about 650,000 FCFA.
FAQ
Am I really required to be PCI compliant in Senegal?
Yes, as soon as you accept cards: compliance is required by the networks (Visa, Mastercard) via your PSP, not by a local regulator. In case of fraud on a non-compliant checkout, you carry the financial liability.
Is mobile money subject to PCI-DSS?
No. Wave, Orange Money and Free Money are not bank cards: they fall outside PCI scope. It's a strong argument to favour mobile money in Senegal and limit cards to the diaspora.
How much does a quarterly ASV scan cost?
Expect around 150,000 FCFA a year (2026 order of magnitude) for the four mandatory external scans at Level 4 if your integration touches card data. A hosted page exempts you from it.
Is a hosted payment page less attractive?
Not anymore: Stripe Checkout, CinetPay and PayDunya offer pages customisable to your colours and domain. The compliance gain (SAQ A, ~0 cost) far outweighs the small visual trade-off.
What does a merchant storing card numbers risk?
It's the most dangerous option: non-compliance, network fines, and full liability in case of a leak. Never store cards in cleartext; use the PSP's tokenisation.
Let's talk about your project. We design a minimal-PCI-scope checkout (SAQ A) combining Wave, Orange Money and diaspora cards. WhatsApp +221 77 596 93 33.
Mohamed Bah
Founder, Kolonell
Passionate about digital and entrepreneurship in Africa, Mohamed has been helping Senegalese businesses with their digital transformation since 2020. Founder of Kolonell, he believes every SME deserves a professional and accessible online presence.