PCI DSS: who is in scope in Senegal in 2026?
PCI DSS (Payment Card Industry Data Security Standard) is the security standard imposed by Visa, Mastercard, American Express, Discover and JCB on every actor that stores, processes or transmits cardholder data. In Senegal in 2026, this includes:
- E-commerce merchants accepting Visa/Mastercard (CIBA, GIM-UEMOA, Stripe, PayDunya, CinetPay).
- Multi-vendor marketplaces (local Jumia, diaspora sites).
- B2B SaaS billing by card.
- Banks, PSPs, fintechs.
Important nuance: Wave Business and Orange Money as such are not subject to PCI DSS (they are mobile money e-wallets, no Visa/MC card data flows through the merchant). But as soon as you accept cards alongside Wave/OM (typical for diaspora-oriented e-commerce), PCI DSS applies to the card portion of your flow.
This article answers 4 concrete questions: (1) which PCI DSS level applies, (2) which SAQ to fill, (3) how to shrink scope with Stripe/PayDunya, (4) what it really costs.
## The 4 PCI DSS levels
PCI DSS classifies merchants into 4 levels based on annual card transaction volume:
| Level | Annual card volume | Obligations |
|---|---|---|
| Level 1 | > 6M tx/year | Annual QSA audit + quarterly ASV scan |
| Level 2 | 1M to 6M tx/year | Annual SAQ + quarterly ASV scan |
| Level 3 | 20K to 1M tx/year (e-commerce) | Annual SAQ + quarterly ASV scan |
| Level 4 | < 20K tx/year | Annual SAQ (recommended, sometimes optional per acquirer) |
Senegal reality 2026: 95-98% of local e-commerce merchants sit at Level 4 (card volume is low because Wave/OM dominate). A few marketplaces and diaspora-focused actors cross into Level 3. No Level 1 merchant is known locally to date.
## Picking the right SAQ (Self-Assessment Questionnaire)
The SAQ is an annual self-assessment questionnaire that you fill in and retain. 9 variants exist; which one applies depends on your architecture:
| SAQ | Use case | # of questions |
|---|---|---|
| SAQ A | 100% outsourced e-commerce (iframe or redirect Stripe Checkout, PayDunya Hosted Pay Page) | 22 |
| SAQ A-EP | E-commerce with partial JS on the payment page (Stripe Elements, PayDunya inline) | 191 |
| SAQ B | Dial-up printer terminals (analog POS) | 41 |
| SAQ B-IP | Standalone IP terminals | 82 |
| SAQ C-VT | Virtual terminal only | 79 |
| SAQ C | Internet-connected POS, network segmentation | 160 |
| SAQ D — Merchant | Everything else, or card data storage | 329 |
| SAQ P2PE | Certified P2PE solution | 33 |
For a typical Senegalese e-commerce site: SAQ A if you redirect to Stripe Checkout / PayDunya Hosted Page. SAQ A-EP if you use Stripe Elements / Wave Card Hosted Fields. Critical difference: SAQ A is 22 questions, SAQ A-EP is 191 — the scope gap is huge.
## Shrinking scope via tokenization
Tokenization (replacing the card number with an opaque token managed by the PSP) is the most effective strategy to stay on SAQ A and avoid SAQ D.
Architectures that maintain SAQ A:
- 100% redirect to PSP-hosted payment page (Stripe Checkout, PayDunya Hosted Pay Page, CinetPay Checkout).
- iframe hosted by the PSP (the iframe DOM is served by the PSP, not by you).
- Mobile checkout handoff (your app opens the PSP's native app, which collects the card).
Architectures that push to SAQ A-EP:
- Stripe Elements (JS fields embedded on your page) — your server serves the JS that collects the PAN.
- PayDunya inline (JS integration on your page) — same.
- iframe on a subdomain you control.
Architectures that push to SAQ D (avoid at all costs):
- HTML form that POSTs the PAN to your server, even just to proxy-pass to the PSP. Bad idea.
- Storing the PAN, even encrypted, in your database.
- Server logs that would even temporarily capture a PAN.
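To make the SAQ A boundary concrete, here is an added example (not code from the article, nor from Stripe, PayDunya or CinetPay) of the merchant-side handler for a redirect or hosted-page checkout. The PSP client, the `psp.example` host and the field names in the PSP callback are assumptions. The point it demonstrates: the backend accepts order fields only, refuses any request that carries card fields instead of proxying them to the PSP, and after payment keeps nothing but the PSP's opaque reference, the brand and the last four digits.

```javascript
// Added example, not code from the article or from any PSP SDK.
// Merchant backend for a redirect / hosted-page checkout (SAQ A pattern):
// the server never sees a PAN; the PSP-hosted page collects it.

// Only these fields may be posted to the merchant when a checkout starts.
const ALLOWED_CHECKOUT_FIELDS = new Set(['orderId', 'amount', 'currency', 'customerEmail']);

// Field names that mean someone is posting cardholder data to us.
// Constructed list; extend it with your own form naming conventions.
const CARD_DATA_FIELDS = new Set([
  'pan', 'cardNumber', 'card_number', 'number', 'cvv', 'cvc', 'exp', 'expMonth', 'expYear',
]);

const SUPPORTED_CURRENCIES = new Set(['XOF', 'EUR', 'USD']);

// Returns a list of validation errors; an empty list means the request is clean.
function validateCheckoutRequest(body) {
  if (!body || typeof body !== 'object') return ['request body must be a JSON object'];
  const errors = [];
  for (const key of Object.keys(body)) {
    if (CARD_DATA_FIELDS.has(key)) {
      // Proxying the PAN to the PSP "just this once" is the SAQ D path: refuse it.
      errors.push(`cardholder data field "${key}" must never reach this server`);
    } else if (!ALLOWED_CHECKOUT_FIELDS.has(key)) {
      errors.push(`unexpected field "${key}"`);
    }
  }
  if (typeof body.orderId !== 'string' || body.orderId === '') errors.push('orderId is required');
  if (!Number.isInteger(body.amount) || body.amount <= 0) {
    errors.push("amount must be a positive integer in the currency's smallest unit");
  }
  if (!SUPPORTED_CURRENCIES.has(body.currency)) errors.push('unsupported currency');
  return errors;
}

// Hypothetical PSP client standing in for Stripe Checkout / PayDunya Hosted Pay
// Page session creation. A real client would call the PSP over HTTPS with a
// server-side API key; it still receives only order data, never card data.
function fakePspCreateHostedSession(order) {
  const sessionId = `sess_${order.orderId}`;
  return { sessionId, redirectUrl: `https://psp.example/pay/${sessionId}` };
}

// Handler for POST /checkout: validate, create the hosted session, redirect.
function startCheckout(body, createSession = fakePspCreateHostedSession) {
  const errors = validateCheckoutRequest(body);
  if (errors.length > 0) return { status: 400, errors };
  const session = createSession({ orderId: body.orderId, amount: body.amount, currency: body.currency });
  return { status: 303, location: session.redirectUrl };
}

// What the merchant keeps once the PSP reports a successful payment (callback
// field names are assumed): the PSP's opaque reference, the brand and the last
// four digits. Everything else in the callback is dropped before persistence.
const RETAINED_PAYMENT_FIELDS = ['pspPaymentId', 'brand', 'last4'];

function retainPaymentReference(pspCallback) {
  const record = {};
  for (const field of RETAINED_PAYMENT_FIELDS) {
    if (field in pspCallback) record[field] = pspCallback[field];
  }
  if (typeof record.last4 !== 'string' || !/^\d{4}$/.test(record.last4)) {
    throw new Error('last4 must be exactly four digits');
  }
  return record;
}
```

The allowlist on the incoming request is deliberate: a denylist of card field names alone would let a renamed field through, so unknown fields are rejected too, and card-looking names get a distinct error so the leak is visible in your monitoring.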
2026 recommendation for Senegal e-commerce: SAQ A via Stripe Checkout or PayDunya Hosted Page. You save 80-95% of the compliance burden.
## Real 2026 compliance costs
| Item | Level 4 / SAQ A | Level 4 / SAQ A-EP | Level 3 / SAQ D |
|---|---|---|---|
| Annual SAQ writing and signing | 0 to 250,000 FCFA (in-house) | 350,000 to 850,000 FCFA (consultant) | 1.5 to 3.5 M FCFA |
| Quarterly ASV scan (Qualys, Tenable.io) | 0 (not required) | 280,000 to 480,000 FCFA/year | 480,000 to 950,000 FCFA/year |
| Documented security policy | 180,000 FCFA | 380,000 FCFA | 850,000 FCFA |
| Team awareness training (annual) | 80,000 FCFA | 180,000 FCFA | 380,000 FCFA |
| Application pentest (recommended for A-EP, required for D) | — | 850,000 to 1.8 M FCFA | 2.5 to 5.5 M FCFA |
| Internal audit / CISO consulting | — | 480,000 FCFA/year | 1.8 to 3.5 M FCFA/year |
Annual totals:
- SAQ A: 80-330 KFCFA/year (mostly training + policy)
- SAQ A-EP: 2.1-4.0 M FCFA/year
- SAQ D: 7.5-15 M FCFA/year
For a Senegalese e-commerce site that is just starting, SAQ A is the right call: low cost, low scope, and the real security work delegated to a PSP that is PCI DSS Level 1 certified.
## Common field mistakes
- Believing PCI DSS applies to Wave/OM (false: they are e-wallets).
- Thinking that using Stripe makes you automatically compliant. False: Stripe gives you a compliant infrastructure, but YOU must sign your SAQ A and retain it.
- Temporarily storing a PAN in an application log for debugging. Zero PAN in your logs, ever.
- Delegating the SAQ to a junior dev with no security background. A senior consultant for 1-2 days beats a junior for 2 weeks.
- Not renewing the SAQ every year (it is valid for 12 months).
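Both the "server logs that capture a PAN" architecture item above and the debugging mistake in this list come down to the same control: nothing that looks like a card number may reach a log sink. Here is an added example (not code from the article) of a PAN detector and redactor: a Luhn check keeps order ids, phone numbers and timestamps readable, Luhn-valid 13-19 digit runs are masked down to the last four digits, and the same function doubles as an audit over an existing log file. The sample log lines are constructed and use public test card numbers.

```javascript
// Added example, not code from the article: a PAN detector/redactor for
// application logs. Constructed sample lines are included so it runs offline.

// Luhn checksum: true for well-formed card numbers. Used so that order ids,
// timestamps and phone numbers that merely look numeric stay readable.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// 13 to 19 digits, optionally separated by single spaces or dashes.
const PAN_CANDIDATE = /\b(?:\d[ -]?){12,18}\d\b/g;

// Replace every Luhn-valid candidate with a mask that keeps only the last four
// digits. Returns the cleaned line and how many PANs were found.
function redactPans(line) {
  let redacted = 0;
  const cleaned = line.replace(PAN_CANDIDATE, (match) => {
    const digits = match.replace(/[ -]/g, '');
    if (!luhnValid(digits)) return match;
    redacted += 1;
    return '*'.repeat(digits.length - 4) + digits.slice(-4);
  });
  return { line: cleaned, redacted };
}

// Audit an existing log: report each line that contained a PAN.
function scanLogForPans(lines) {
  const findings = [];
  lines.forEach((line, index) => {
    const result = redactPans(line);
    if (result.redacted > 0) findings.push({ index, count: result.redacted, cleaned: result.line });
  });
  return findings;
}

// Drop-in logger wrapper: scrub before the line ever reaches the sink.
function makeSafeLogger(sink = console.log) {
  return (message) => sink(redactPans(String(message)).line);
}

// Constructed sample log. Lines 1 and 3 contain public test card numbers
// (4111..., 5555...) that PSP test modes accept; line 0 carries a 16-digit
// order id that is not Luhn-valid and must stay intact.
const SAMPLE_LOG = [
  '2026-03-01T10:15:02Z INFO order=ORD-1234567890123456 amount=25000 currency=XOF',
  '2026-03-01T10:15:03Z DEBUG checkout body={"number":"4111 1111 1111 1111","cvc":"123"}',
  '2026-03-01T10:15:04Z INFO customer phone=+221700000000',
  '2026-03-01T10:15:05Z WARN retry pan=5555555555554444 attempt=2',
];

for (const f of scanLogForPans(SAMPLE_LOG)) {
  console.log(`line ${f.index}: ${f.count} PAN(s) -> ${f.cleaned}`);
}
```

Run the scan over your existing log archives once before signing the SAQ: a single hit means the log store is in scope. The logger wrapper is the preventive half; the scan is the detective half that tells you whether the wrapper is actually in front of every sink.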
## FAQ
Does Stripe certify me automatically?
No. Stripe is PCI DSS Level 1 certified as a PSP, which lets you stay on SAQ A if you redirect correctly. But you must fill and sign your annual SAQ A. Stripe provides the Attestation of Compliance documentation to attach.
What happens in a breach if non-compliant?
Visa/Mastercard fines of 5-100K USD per month, forensics fees of 20-200K USD, card re-issuance fees (3-15 USD per card), and loss of the right to accept cards (exit from the acquirer's program). In Senegal, add BCEAO and CDP (Commission Données Personnelles) exposure: sanctions up to 100 M FCFA under Loi 2008-12.
PayDunya, CinetPay, Wave Card: who is certified?
PayDunya and CinetPay are PCI DSS certified. Wave Business: mobile money flows don't require PCI DSS, but Wave Card (card acceptance via Wave) is certified. Always request the AOC (Attestation of Compliance) from your PSP.
How long does first-time SAQ A compliance take?
With an experienced consultant: 3-5 weeks (security policy writing + SAQ filling + team training). DIY in-house: 2-4 months (steep learning curve). Annual renewal: 3-5 days if nothing changed.
Do I need a DPO on top of the PCI lead?
PCI DSS and CDP/GDPR are distinct regimes. PCI = card data security; CDP = personal data protection (Senegalese Loi 2008-12). In Senegal, a DPO is mandatory for large-scale processing. Recommendation: a single senior profile can cover PCI SAQ A + DPO duties for an SME.
## Let's discuss your compliance
If you are launching or structuring a card-accepting e-commerce in Senegal and want to clarify the right SAQ + the architecture that minimizes your scope, we can audit your stack and deliver a turn-key SAQ A package. WhatsApp +221 77 596 93 33.
Mohamed Bah
Fondateur, Kolonell
Passionate about digital and entrepreneurship in Africa, Mohamed has been helping Senegalese businesses with their digital transformation since 2020. Founder of Kolonell, he believes every SME deserves a professional and accessible online presence.
