The challenge
GIM-UEMOA, Visa and Mastercard require PCI DSS compliance from any party that stores, processes or transmits card data. Version 4.0 tightens authentication, monitoring and governance — and a poorly scoped CDE turns compliance into a never-ending project.
What we deliver
CDE scoping and reduction (segmentation, tokenization)
Gap analysis against the 12 PCI DSS v4.0 requirements
Remediation plan and implementation of technical controls
Preparation of the appropriate SAQ, or support through the QSA audit
Ongoing compliance: quarterly ASV scans, annual reviews and tests
Our method
End-to-end card-flow mapping — the real scope, not the assumed one.
Scope reduction before remediation: fewer systems in scope, less effort.
Gap remediation with your teams, requirement by requirement.
Validation: a documented SAQ, or a QSA audit prepared without surprises.
Who it's for
Issuing and acquiring banks, card processors, fintechs, payment aggregators and e-merchants handling card data in the WAEMU zone.
Frequently asked questions
Who must comply with PCI DSS?
Any entity that stores, processes or transmits payment-card data, regardless of volume — from e-merchant to processor. Only the validation mode (SAQ or audit) varies by level.
Self-assessment (SAQ) or QSA audit: which do we need?
It depends on your transaction volume and the requirements of your acquirer or GIM-UEMOA. We determine your applicable level and the right SAQ for your architecture, or prepare the full audit.
How long does v4.0 compliance take?
From 3 months for a well-segmented outsourced scope to 12-18 months for a full processor. Upfront scope reduction is the number-one lever to shorten it.
