PCI DSS Compliance for UAE Fintechs and Neobanks
The best time to build PCI DSS compliance into your fintech is before you write the first line of payment code. We help UAE fintechs architect for compliance from day one.
What We See in This Space
UAE’s fintech sector — one of the most active in the GCC with 200+ fintechs operating under CBUAE, DFSA, and VARA oversight — faces a unique combination of payment security obligations. PCI DSS compliance is not optional for any fintech that processes, stores, or transmits payment card data.
Build Compliance In From Day One
The single most important decision for a UAE fintech is whether to build PCI DSS compliance into the initial architecture or retrofit it later. Retrofitting is 3-5x more expensive and significantly slower — re-architecting payment flows, migrating stored card data, and rebuilding access control models takes months.
The right architecture decision is made at design time:
Tokenize from the start. If you use a payment gateway (Checkout.com, Stripe, Adyen, Telr) as your processing layer and never handle raw PANs, your PCI DSS scope may be as narrow as SAQ A. This is achievable for most fintech payment flows — e-commerce checkout, in-app payments, recurring billing.
Card issuing via BaaS. If you’re issuing virtual or physical cards via a BaaS partner (Marqeta, Galileo, or a UAE-licensed issuer), the BaaS provider handles most PCI DSS obligations for card data at rest. Your responsibility covers your application’s access to the API and how you handle card display, PIN management, and cardholder data in your own systems.
BNPL and stored payment methods. If you store customer payment methods for future use (instalment payments, one-click checkout), you need either gateway tokenization (storing a gateway token, not a PAN) or full PCI DSS controls for the storage environment.
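As an added illustration of the "store a gateway token, not a PAN" rule above (example code written for this page, not code from any gateway SDK or from our own tooling): a guard run before a stored-payment-method record is persisted, which accepts only a token plus display metadata and rejects any field holding a Luhn-valid 13-19 digit sequence. The tok_ token format, the field names and the sample records are assumptions made for the example.

```python
import re

# Assumed gateway token format for illustration only (not any real gateway's
# scheme): "tok_" followed by 24 alphanumeric characters.
TOKEN_RE = re.compile(r"^tok_[A-Za-z0-9]{24}$")
# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes.
PAN_CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: True for a well-formed card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def contains_pan(value: str) -> bool:
    """True if value holds a Luhn-valid 13-19 digit sequence (a likely raw PAN)."""
    for m in PAN_CANDIDATE_RE.finditer(value):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return True
    return False


def validate_stored_payment_method(record: dict) -> list:
    """Return reasons the record must NOT be written to the database; [] means ok.

    A record should carry only a gateway token plus display metadata (last4,
    label), so that the storage environment never enters PCI DSS scope.
    """
    errors = []
    if not TOKEN_RE.match(record.get("token", "")):
        errors.append("token missing or not in gateway token format")
    if not re.fullmatch(r"\d{4}", record.get("last4", "")):
        errors.append("last4 must be exactly four digits")
    # Scan every string field, including free-text labels, for a raw PAN.
    for key, val in record.items():
        if isinstance(val, str) and contains_pan(val):
            errors.append(f"field {key!r} contains what looks like a raw PAN")
    return errors


if __name__ == "__main__":
    # Constructed sample: a compliant record and one that leaks a PAN.
    ok = {"token": "tok_" + "a" * 24, "last4": "1111", "label": "Visa ending 1111"}
    leak = {"token": "4111 1111 1111 1111", "last4": "1111"}
    print(validate_stored_payment_method(ok), validate_stored_payment_method(leak))
```

Running the guard in the write path (and in log and support-ticket sinks) is what keeps the "tokens only" architecture true over time, rather than true only on the day it was designed.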
CBUAE Licensing and PCI DSS
The CBUAE’s Retail Payment Services and Card Schemes Regulations require licensed payment service providers to maintain information security programs aligned to international standards. For card-related services, this means PCI DSS compliance — and CBUAE examiners increasingly request PCI DSS evidence during licensing reviews and supervisory visits.
For UAE fintechs seeking CBUAE PSP licenses, we prepare the payment security documentation package that regulators expect to see: CDE scope definition, SAQ or gap analysis results, remediation roadmap, and incident response procedures for payment security events.
The DIFC Fintech Context
DIFC-based fintechs under DFSA oversight face additional Technology Risk Framework requirements on top of PCI DSS. The DFSA’s Module TRG requires documented technology risk management, annual technology risk assessments, and specific controls around access management, change management, and incident response. We map both PCI DSS and DFSA TRG requirements into a unified compliance program to avoid duplicate work.
Frameworks We Cover
How We Help
PCI DSS Gap Analysis
Payment Tokenization Advisory
Remediation Planning
SWIFT CSP & CBUAE Compliance
Start Your PCI DSS Journey
Book a free 30-minute compliance discovery call with our PCI DSS specialists in Dubai. We assess your current posture and identify the fastest path to compliance — actionable findings in days.
Talk to an Expert