The verdict in three sentences
If your store never sees, stores or transmits the card number (the card fields live in a PSP iframe or on a PSP-hosted page), you qualify for SAQ-A, the shortest self-assessment questionnaire, which costs nothing to complete. Handling card data on your own systems instead puts you in SAQ-D, in practice a QSA-led assessment at 3,000-15,000 EUR/year plus quarterly ASV scans. The right architecture (hosted fields or redirection) therefore shrinks your PCI scope to almost nothing.
The 4 PCI-DSS levels by volume
Your merchant level depends on the number of card transactions you process per year; the thresholds are set by the card brands and applied by your acquirer. Almost all African SMEs are at level 4.
| Level | Card transactions/year | Typical requirement | Indicative cost/year |
|---|---|---|---|
| Level 1 | > 6 million | Annual on-site QSA assessment + ROC, quarterly ASV scans | 15,000-50,000 EUR |
| Level 2 | 1 to 6 million | SAQ (some brands require QSA/ISA involvement) + ASV scans | 5,000-15,000 EUR |
| Level 3 | 20,000 to 1 million | SAQ + ASV scans | 1,500-5,000 EUR |
| Level 4 | < 20,000 | SAQ (SAQ-A if the PSP hosts the card form) | ~0 EUR |
A typical Senegalese SME does a few hundred to a few thousand card transactions per year: it is level 4, and if it lets the PSP host the card form (redirection or iframe), it completes a free SAQ-A.
SAQ-A vs direct handling: the difference that changes everything
| Criterion | SAQ-A (redirection/iframe) | Direct handling (SAQ-D) |
|---|---|---|
| Card seen by your server | Never | Yes |
| Questionnaire | SAQ-A (~22 questions in v3.2.1, a few more in v4) | SAQ-D (~300+ questions) |
| External QSA audit | No | Usually, at the acquirer's demand |
| Quarterly ASV scans | No | Yes (~500-2,000 EUR/year) |
| Annual cost | ~0 EUR | 3,000-15,000 EUR |
| Card breach liability | On the PSP for data in its systems; your checkout page stays your responsibility | On you |
The lesson: never touch the card number yourself. Let the PSP render the card fields in an iframe or hosted page, so the card never passes through your infrastructure. One thing stays yours: the page that embeds the iframe. PCI DSS v4 expects you to keep it free of unauthorised scripts, because a skimmer injected into that page can swap or overlay the PSP form with a fake one and capture the card before the PSP ever sees it.
The hosted-fields architecture that avoids full scope
The principle: the card form is rendered by the PSP, not by you. Card data goes straight from the customer's browser to the PSP, which hands back a token that is meaningless outside that PSP's systems. Your server stores and charges the token, never the card.
| Integration method | Card flows through your server? | PCI scope | UX |
|---|---|---|---|
| PSP page redirection | No | SAQ-A | Good |
| Iframe / hosted fields | No | SAQ-A | Excellent (stays on site) |
| Your own form + client-side tokenization (the browser posts the card straight to the PSP) | No, but your page builds the form | SAQ-A-EP (SAQ-D if the card ever transits your server) | Excellent but heavier |
| Direct API (raw card through your server) | Yes | SAQ-D + QSA | Avoid |
For the vast majority of merchants, hosted fields or redirection means SAQ-A, and SAQ-A means near-free compliance.
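What the merchant side of that architecture looks like in practice, as an added example written for this article (it is not code from the article, nor from any named PSP): the browser only accepts the token from the PSP iframe's postMessage after checking the message origin, the server refuses any request that carries something Luhn-valid that looks like a card number, log lines are masked so a PAN cannot leak into the log platform, and the stored token is replayed for a later charge. The PSP origin, API base URL, message shape and `tok_` token format are assumptions; all sample inputs are constructed.

```javascript
// Added example (not code from the article or any real PSP): the merchant side of a
// hosted-fields checkout. Assumptions: the PSP iframe lives at PSP_ORIGIN, announces the
// token with postMessage({type: "psp:token", token}), tokens look like "tok_...", and the
// PSP charge API takes {source, amount, currency}. All of these names are hypothetical.
const PSP_ORIGIN = "https://checkout.example-psp.com"; // assumed iframe origin
const PSP_API = "https://api.example-psp.com/v1";       // assumed PSP API base URL

// Luhn check: tells a real card number apart from any other long digit run
// (an order reference, a timestamp), so the guard below does not cry wolf.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// 13 to 19 digits, optionally separated by spaces or hyphens as people type them.
const PAN_CANDIDATE = /\d(?:[ -]?\d){12,18}/g;

// True if a Luhn-valid card-number-shaped run appears anywhere in the value.
function containsPan(value) {
  for (const m of String(value).matchAll(PAN_CANDIDATE)) {
    if (luhnValid(m[0].replace(/[ -]/g, ""))) return true;
  }
  return false;
}

// Log sanitiser: a PAN that reaches your logs drags the log platform into PCI scope,
// so keep only the first 6 and last 4 digits (the most PCI DSS lets you display).
function redactForLog(text) {
  return String(text).replace(PAN_CANDIDATE, (m) => {
    const digits = m.replace(/[ -]/g, "");
    if (!luhnValid(digits)) return m; // not a card number, leave it alone
    return digits.slice(0, 6) + "*".repeat(digits.length - 10) + digits.slice(-4);
  });
}

// Browser side: handler for the PSP iframe's postMessage. Returns the token to send
// to the merchant server, or null when the message must be ignored.
function tokenFromPspMessage(event) {
  if (event.origin !== PSP_ORIGIN) return null; // any other frame could be an attacker's
  const data = event.data;
  if (!data || data.type !== "psp:token" || typeof data.token !== "string") return null;
  if (containsPan(data.token)) return null;     // a "token" that is a PAN means misconfiguration
  return data.token;
}

// Server side. The in-memory map stands in for the merchant database (constructed
// for the example); it ever holds PSP tokens, never card numbers.
const tokenStore = new Map(); // customerId -> PSP token

function chargeRequest(customerId, body) {
  // Scope guard: reject the whole request if a card number appears anywhere in it,
  // before any logging or persistence can touch it.
  if (containsPan(JSON.stringify(body))) {
    return { ok: false, status: 400, error: "card data rejected: send the PSP token instead" };
  }
  const { token, amount, currency } = body;
  if (typeof token !== "string" || !/^tok_[A-Za-z0-9]+$/.test(token)) {
    return { ok: false, status: 400, error: "missing or malformed token" };
  }
  if (!Number.isInteger(amount) || amount <= 0 || !/^[A-Z]{3}$/.test(String(currency))) {
    return { ok: false, status: 400, error: "invalid amount or currency" };
  }
  tokenStore.set(customerId, token); // keep the token for later replay (subscriptions)
  return {
    ok: true,
    status: 200,
    // What actually leaves the merchant server: the token, never a PAN.
    pspCall: { method: "POST", url: `${PSP_API}/charges`, body: { source: token, amount, currency } },
  };
}

// Replay a payment for a known customer with the stored token: the subscription case,
// with no card number ever stored on the merchant side.
function replayCharge(customerId, amount, currency) {
  const token = tokenStore.get(customerId);
  if (!token) return { ok: false, status: 404, error: "no stored token for customer" };
  return chargeRequest(customerId, { token, amount, currency });
}

// Constructed sample run (XOF has no minor unit, so the amount is in francs).
const first = chargeRequest("cust_42", { token: "tok_7Qf3mZ9pA", amount: 25000, currency: "XOF" });
console.log(first.ok, first.pspCall.body);
console.log(redactForLog("support note: customer typed 4111 1111 1111 1111 into the chat"));
```

The origin check in `tokenFromPspMessage` is the part most often forgotten: without it, any frame or injected script on the page can post a fake "token" and drive the checkout. The Luhn filter keeps the server-side guard from rejecting legitimate 16-digit order references, while still catching a card number a customer pastes into a free-text field. Treat a rejection as a signal to investigate, not just an error to the customer: it means card data reached a path that was supposed to be out of scope.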
Mini case study
Ibrahim, founder of a high-tech shop in Dakar, processes about 4,000 card transactions per year. Initially tempted to manage everything in-house, he had received a QSA audit quote of 8,000 EUR/year plus 1,200 EUR for ASV scans. By switching to a hosted-fields integration where the card never touches his server, he stayed at level 4 but qualified for SAQ-A, at 0 EUR. Savings: 9,200 EUR in the first year, not counting the audit time avoided.
FAQ
Do I need PCI-DSS if I use Wave and Orange Money?
Mobile money is not subject to PCI-DSS, which is a standard for payment card data (Visa, Mastercard and the other card brands). Wave and Orange Money wallets are not card brands, so if you only accept mobile money, PCI-DSS does not apply. It does apply as soon as you also accept cards, even through a PSP: SAQ-A is itself a PCI-DSS document.
Is SAQ-A really free?
The questionnaire itself is free to complete. You fill it in, sign the attestation of compliance, keep it, and send it to your acquirer or PSP if they ask (some require it every year). No QSA audit or quarterly ASV scan is required as long as the card never reaches your systems.
How much does a QSA audit cost if I handle the card directly?
2026 ballpark: 3,000 to 15,000 EUR/year for the audit, plus 500 to 2,000 EUR/year of quarterly ASV scans. Hence the value of avoiding this scope.
What does tokenization bring?
It replaces the card number with a token that only your PSP can map back to the card. You can thus charge the same customer again (subscription, one-click reorder) without ever storing the card, and you stay in SAQ-A as long as the PSP's hosted form captured the card in the first place.
Who is liable in case of a card data breach?
If the card never flows through you (redirection/iframe), a breach of card data at the PSP is the PSP's responsibility. Your own checkout page remains yours: if it is compromised and a script swaps or overlays the PSP form to skim the card, you are liable. That is the key reason never to host the card number yourself, and to protect the page that embeds the PSP form.
Let's talk about your project. We build hosted-fields checkouts that keep you in SAQ-A with near-zero PCI cost. WhatsApp +221 77 596 93 33.
Mohamed Bah
Founder, Kolonell
Passionate about digital and entrepreneurship in Africa, Mohamed has been helping Senegalese businesses with their digital transformation since 2020. Founder of Kolonell, he believes every SME deserves a professional and accessible online presence.
