Understanding your PCI scope
The Payment Card Industry Data Security Standard (PCI DSS) applies to any entity that stores, processes, or transmits cardholder data (CHD). For Nigerian fintechs, the cost and complexity of compliance depend entirely on how you handle the Primary Account Number (PAN).
Full Scope (Level 1 Processors)
If you build your own payment gateway and process millions of transactions directly, your entire infrastructure is in scope. You need an annual onsite audit by a Qualified Security Assessor (QSA) and quarterly network scans.
Reduced Scope (Tokenization)
If you use a third-party processor to capture the card and return a token (which you store in place of the PAN), your scope is significantly reduced. The token cannot be reverse-engineered to reveal the PAN.
Minimal Scope (Redirects)
If you redirect the user to a third-party hosted checkout page (e.g., a Paystack standard checkout), your servers never touch the card data. You only need to attest, via the SAQ-A self-assessment questionnaire, that the site performing the redirect is not compromised.
Key changes in PCI DSS v4.0
The industry is transitioning to v4.0, which focuses heavily on modern architectural threats, particularly those targeting web applications and APIs.
- Targeted Risk Analysis: Organizations must define the frequency of their security activities (like vulnerability scanning) based on a formal risk analysis, rather than relying on standard timelines.
- Magecart Defense: Explicit requirements to manage and secure all payment page scripts that are loaded and executed in the consumer's browser, preventing e-skimming attacks.
- Stricter Authentication: Multi-Factor Authentication (MFA) is now required for all access to the Cardholder Data Environment (CDE), not just remote access.
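As an added illustration of the payment page script requirement (example code written for this article, not part of the original guide or of any PCI tooling): a build-time check in Python that audits every `<script>` on a payment page against an authorized inventory carrying Subresource Integrity (SRI) hashes, so an unlisted tag, a missing hash or a changed file fails the build. The URLs, inventory and sample page are constructed placeholders.

```python
import base64
import hashlib
from html.parser import HTMLParser

def sri_hash(content: str) -> str:
    """SRI-style digest ('sha384-<base64>') of a script's UTF-8 bytes."""
    return "sha384-" + base64.b64encode(hashlib.sha384(content.encode()).digest()).decode()

class ScriptCollector(HTMLParser):  # collects src, integrity and inline body of every <script>
    def __init__(self):
        super().__init__()
        self.scripts, self._cur = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._cur = {"src": a.get("src"), "integrity": a.get("integrity"), "body": ""}
    def handle_data(self, data):
        if self._cur is not None:
            self._cur["body"] += data
    def handle_endtag(self, tag):
        if tag == "script" and self._cur is not None:
            self.scripts.append(self._cur)
            self._cur = None

def audit_payment_page(html: str, inventory: dict, allowed_inline: set) -> list:
    """Return findings (empty = pass). inventory: authorized external script URL ->
    expected SRI hash; allowed_inline: SRI hashes of authorized inline script bodies."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for s in collector.scripts:
        if s["src"] is None:  # inline script: its body must hash to an approved value
            if sri_hash(s["body"]) not in allowed_inline:
                findings.append("unauthorized inline script")
        elif s["src"] not in inventory:  # never justified in the script inventory
            findings.append(f"unauthorized external script: {s['src']}")
        elif s["integrity"] != inventory[s["src"]]:  # SRI attribute missing or tampered
            findings.append(f"integrity missing or mismatched: {s['src']}")
    return findings

# Constructed sample (placeholder .test domains): an approved checkout library with SRI,
# an approved inline config, and an analytics tag that nobody added to the inventory.
CHECKOUT_LIB = "https://checkout.example-processor.test/v1/inline.js"
INLINE_CONFIG = "window.checkoutConfig = {currency: 'NGN'};"
INVENTORY = {CHECKOUT_LIB: sri_hash("/* approved build of the checkout library */")}
ALLOWED_INLINE = {sri_hash(INLINE_CONFIG)}
SAMPLE_PAGE = f"""<html><head>
<script src="{CHECKOUT_LIB}" integrity="{INVENTORY[CHECKOUT_LIB]}"></script>
<script>{INLINE_CONFIG}</script>
<script src="https://cdn.example-analytics.test/tag.js"></script></head></html>"""
```

Running `audit_payment_page(SAMPLE_PAGE, INVENTORY, ALLOWED_INLINE)` reports only the unlisted analytics tag; wire the same call into CI against the rendered checkout template so every script change needs an inventory update.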
Requirement 11: Security testing mandates
Requirement 11 is where engineering teams interact most with the standard. It mandates that you regularly test your security systems and processes.
Vulnerability scanning vs. penetration testing
PCI DSS requires both. Vulnerability scans (Requirement 11.3) must be run quarterly, with the external scans performed by an Approved Scanning Vendor (ASV). Penetration testing (Requirement 11.4) must be conducted at least annually and after any significant infrastructure or application change. The pentest must cover both the network layer and the application layer.
Segmentation checks
If you claim that your CDE is isolated from the rest of your corporate network (to reduce audit scope), you must prove it. The standard requires penetration testers to explicitly perform segmentation checks every six months to verify that no traffic can cross from the untrusted network into the CDE, and any control that fails this check has to be fixed and re-tested.
De-scope at all costs
The most effective PCI compliance strategy is to aggressively minimize the scope of the Cardholder Data Environment. Use tokenization, network segmentation, and third-party hosted fields. The less your infrastructure touches the PAN, the cheaper and faster your compliance process will be.