The verdict in three sentences
PCI DSS is the card industry's standard for protecting cardholder data, and the good news for an African merchant is that its heavy version does not apply to him if card numbers never reach his systems. By using a hosted checkout (redirect or iframe) from Stripe or an aggregator, you qualify for SAQ-A, the lightest self-assessment: a short annual questionnaire, no external audit, and the card data held by the provider rather than by you (you remain responsible for keeping your own site clean). The absolute rule: never store, transmit or process a card number on your servers.
PCI levels and the right positioning
Two things are often confused. The card brands (Visa, Mastercard) define merchant levels by annual transaction volume; the level decides how you validate compliance (a questionnaire or a formal audit). The PCI Security Standards Council defines the self-assessment questionnaires (SAQ), and the SAQ you qualify for depends on how card data flows through your systems. Here is the essence (2026 orders of magnitude).
| SAQ type | How you handle the card | Effort | Audit cost |
|---|---|---|---|
| SAQ-A | Card entered only in a page or iframe hosted by the provider (Stripe Checkout, Elements) | Minimal | 0 FCFA (self-assessment only) |
| SAQ-A-EP | Your own payment page with a provider script that posts the card straight to the provider (you never receive it) | Medium | Moderate |
| SAQ-D (merchant) | The card reaches or is stored on your systems | Very high | High (the full standard, usually with a QSA's help) |

| Merchant level | Annual card volume | Validation |
|---|---|---|
| Level 4 | < 20,000 e-commerce transactions/year | Self-assessment questionnaire (SAQ-A if you use a hosted checkout) |
| Level 1 | > 6 million transactions/year | Mandatory annual on-site audit (Report on Compliance) |
Strategic message: aim for SAQ-A. It is the lightest questionnaire, with no external audit and no obligation to build, encrypt and audit a card-handling infrastructure. It all rests on a simple principle: the card never passes through your code. You still complete the questionnaire each year and keep your own site clean (HTTPS, access control, no card storage), but that is a few pages, not a security programme.
Checklist to stay in SAQ-A
Here are the practices that keep you in the lightest scope, and the pitfalls that push you into the far more expensive SAQ-D.
| Practice | Effect | Do / avoid |
|---|---|---|
| Hosted checkout (Stripe Checkout redirect) | Stays SAQ-A | Do |
| Iframe / Elements hosted by the provider | Stays SAQ-A | Do |
| Tokenization (provider returns a token in place of the card) | No card data with you | Do |
| Card entry in YOUR form, posted to your server | Pushes to SAQ-D | Avoid at all costs |
| Card entry in your form, posted by script straight to the provider | Pushes to SAQ-A-EP | Avoid; use the hosted iframe instead |
| Storing the card number (or the CVV, which may never be stored at all) | Forbidden / SAQ-D | Avoid at all costs |
| Sending a card number by email/WhatsApp | Serious breach | Avoid at all costs |
| HTTPS / TLS across the whole site | Prerequisite | Do |
Tokenization is your best friend: the provider replaces the card number with a token that is useless outside its own system, so a dump of your database exposes no card numbers. You handle recurring payments and refunds through that token without ever seeing a single piece of sensitive data. Two caveats: the token must be created by the provider's hosted form (if your page collects the number and then tokenizes it, the card has already passed through you), and a token that can charge a customer is still a credential for your account, so store and access it with the same care as an API key.
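The checklist above comes down to one verifiable property: no request that reaches your backend may carry a card number or a card-form field. The example below, added here and not taken from the article or from Stripe, is a tripwire for your own Node.js backend that checks exactly that. It finds Luhn-valid 13 to 19 digit numbers anywhere in a parsed request body, flags fields whose name only exists if a card form was served from your page, and rejects the request with a report that contains only masked values, so the guard itself never writes a card number to a log. The function names, the field-name pattern and the two sample payloads are assumptions; 4242 4242 4242 4242 is Stripe's published test card number.

```javascript
'use strict';
// Added example for this article (not Stripe's code and not from the original
// page): a tripwire for your own backend. It refuses any request that carries a
// card number or a card-form field, so an integration mistake (a form posting
// the card to you instead of to the hosted checkout) fails loudly instead of
// silently pulling the server into SAQ-D scope. Node.js >= 16, no dependencies.
// Function names, the field-name pattern and the sample payloads are assumptions.

// Luhn check (the mod-10 checksum every card number carries) on a digit string.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// 13 to 19 digits, optionally separated by single spaces or dashes, and not
// glued to other digits (so a 20-digit order id or a 12-digit phone is skipped).
const PAN_CANDIDATE = /(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)/g;

// Every Luhn-valid candidate in the text, separators removed. Roughly one in
// ten random digit strings of that length passes Luhn, so this is a tripwire,
// not proof; the response below only tells the client to use the hosted page.
function findPans(text) {
  const pans = [];
  for (const m of text.matchAll(PAN_CANDIDATE)) {
    const digits = m[0].replace(/[ -]/g, '');
    if (luhnValid(digits)) pans.push(digits);
  }
  return pans;
}

// Masking for the report: PCI DSS allows at most the first six (or eight) and
// last four digits to be displayed; for a log entry the last four are enough.
function maskPan(digits) {
  return '*'.repeat(digits.length - 4) + digits.slice(-4);
}

// Field names that only appear if card data was collected on the merchant page.
// Case-insensitive, so "cardNumber", "CVC" and "exp_month" all trip it. (Assumed
// list; extend it with the names your own forms use.)
const SENSITIVE_KEYS = /^(pan|card[_ -]?(number|no|num)?|cc[_-]?(number|num)|cvv2?|cvc2?|csc|security[_-]?code|exp(iry)?[_-]?(date|month|year)?)$/i;

// Walk a parsed body (object, array, string or number) and report every field
// that carries card data. Paths are dotted, e.g. "customer.notes" or "items.0".
function inspectBody(value, path = '') {
  const hits = [];
  if (value !== null && typeof value === 'object') {
    const entries = Array.isArray(value) ? value.map((v, i) => [String(i), v]) : Object.entries(value);
    for (const [k, v] of entries) {
      const childPath = path ? `${path}.${k}` : k;
      if (SENSITIVE_KEYS.test(k)) {
        // The name alone is the evidence; mask the value if it is a PAN, never keep it.
        const pans = typeof v === 'string' || typeof v === 'number' ? findPans(String(v)) : [];
        hits.push({ path: childPath, why: 'card field name', masked: pans.length ? maskPan(pans[0]) : '[redacted]' });
        continue;
      }
      hits.push(...inspectBody(v, childPath));
    }
    return hits;
  }
  if (typeof value === 'string' || typeof value === 'number') {
    for (const pan of findPans(String(value))) {
      hits.push({ path: path || '$', why: 'Luhn-valid PAN', masked: maskPan(pan) });
    }
  }
  return hits;
}

// Decision for one inbound request. Run it before any logging or persistence;
// the returned object carries only paths and masked values.
function guardRequest(body) {
  const fields = inspectBody(body);
  if (fields.length === 0) return { allowed: true };
  return {
    allowed: false,
    status: 400,
    reason: 'card data must be entered only in the provider-hosted checkout',
    fields,
  };
}

// Constructed sample payloads (not real customer data).
const SAFE_BODY = {
  customer: 'kofi@example.com',
  phone: '+221 70 000 00 00',
  order_ref: '1234567890123456',          // 16 digits but fails Luhn: not a card
  payment_method: 'pm_constructed_token', // a provider token, not card data
  amount_xof: 15000,
};
const LEAKY_BODY = {
  customer: 'kofi@example.com',
  card_number: '4242 4242 4242 4242',     // Stripe test card; a real PAN in production
  exp: '12/30',
  cvc: '123',
  notes: 'client also sent 4242424242424242 on WhatsApp',
};

console.log(JSON.stringify(guardRequest(LEAKY_BODY), null, 2));
```

Wire `guardRequest` in as the first handler on every route that accepts a body, before request logging, and page the on-call engineer on the first rejection: a single hit means a card was entered on a page you serve, and the fix is to remove that form and send the customer to the hosted checkout, not to "handle" the number. Note that the rejected card still travelled over TLS to your server, so a hit is an incident to investigate, not just a blocked request.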
Mini case study
Kofi runs an online store in Abidjan with about 3,000 card transactions a year: he falls under merchant level 4. Tempted to code his own card form "for control", he would have dropped into SAQ-D: the full standard to satisfy and document, usually with a QSA's help, a compliant infrastructure to build and maintain, at a cost on the order of several million FCFA per year, plus the risk of penalties from the card schemes.
Instead, he uses Stripe Checkout in redirect mode: he stays in SAQ-A, fills in a short questionnaire, and pays for no external audit. Direct annual saving: the whole avoided compliance cost, potentially several million FCFA, and the integration is also faster to set up.
Need a professional website?
Kolonell builds websites that attract clients, optimized for the Senegalese market. Free quote in 2 minutes.
FAQ
Does a small African merchant really need to care about PCI-DSS?
Yes, as soon as he accepts cards, but the whole point is to stay in SAQ-A by leaving the card to the provider. As long as a card number never reaches your systems, your compliance burden is a short annual self-assessment with no external audit.
What is the difference between SAQ-A and SAQ-D?
SAQ-A applies when card entry is fully hosted by the provider (redirect/iframe): minimal effort, a short self-assessment and no external audit. SAQ-D applies if the card reaches or is stored on your systems: the full standard applies, usually with a QSA's help, and costs run to several million FCFA per year.
Does tokenization make me compliant?
Not on its own: your scope is set by how the card is captured, not by what you store afterwards. Tokenization helps strongly because the sensitive data never resides with you: the provider returns a token. Combined with a provider-hosted checkout, it keeps you in SAQ-A while still allowing recurring payments and refunds.
Who is responsible in case of a card data breach?
If you are in SAQ-A via a hosted checkout, the card data sits with Stripe or the aggregator, and a breach of their systems is their responsibility. You remain answerable for your own site, for example if your checkout page is tampered with to send customers somewhere other than the provider. If you stored cards yourself, you would bear the fines and remediation costs imposed through your acquirer under the Visa/Mastercard schemes, which can reach very high amounts.
Does Stripe handle PCI compliance for me?
Largely yes, for the card layer: with Stripe Checkout or Elements, Stripe holds the card data as a PCI DSS Level 1 service provider and publishes its own Attestation of Compliance. You still complete your own SAQ-A and remain responsible for your site (HTTPS, access control, no card storage, a redirect or iframe that really points at Stripe), but most of the PCI burden is carried by the provider.
Let's talk about your project. We integrate hosted checkout and tokenization to keep you in SAQ-A, with no external audit and a minimal compliance burden. WhatsApp +221 77 596 93 33.
Mohamed Bah
Founder, Kolonell
Passionate about digital and entrepreneurship in Africa, Mohamed has been helping Senegalese businesses with their digital transformation since 2020. Founder of Kolonell, he believes every SME deserves a professional and accessible online presence.
