May 22, 2026

Payment Gateway Compliance in Nigeria: CBN Licensing, PCI-DSS, NDPA and What They Mean for Your Business

In August 2025, Nigeria’s Data Protection Commission issued compliance notices to 1,368 companies across banking, insurance, pensions, and gaming, with a 21-day deadline to prove compliance. The month before, Multichoice Nigeria had been fined ₦766.2 million for failing to obtain user consent and illegally transferring personal data outside the country.

Payment gateways sit at the centre of all of this. They process personal data. They handle financial transactions. They issue invoices that must now be tax-validated. And they operate under a CBN licensing framework that most businesses using them have never read.

This guide covers every compliance requirement that applies to payment gateways in Nigeria in 2026: what each one is, what it requires, the penalties for getting it wrong, and exactly what to verify before you sign up with any provider.

Why Payment Gateway Compliance in Nigeria Has Changed Significantly


Nigeria’s payment regulatory environment has tightened materially across four separate frameworks in the last three years.

The CBN has enforced its Payment Solution Service Provider (PSSP) licensing framework with greater rigor. The Nigeria Data Protection Act (NDPA) came into force in 2023, and its implementing General Application and Implementation Directive (GAID) became effective in September 2025, replacing the older NDPR framework entirely. The NRS e-invoicing mandate began rolling out in 2025. And AML/KYC enforcement has intensified as Nigeria’s transaction volumes have scaled to over ₦285 trillion per quarter.

Using a payment gateway that is non-compliant in any one of these areas does not just create risk for the gateway provider. It creates direct risk for your business: regulatory penalties, inability to claim input VAT, data breach liability, and potential investigation for facilitating unlicensed financial services.

1. CBN Licensing: The Non-Negotiable Foundation


The Central Bank of Nigeria regulates all payment service providers through its Payment Service Provider licensing framework, established via the 2020 PSP Circular. Any company providing payment gateway services in Nigeria must hold the appropriate CBN licence for their service category.

The PSSP Licence (Payment Solution Service Provider) is the licence category that covers payment gateways specifically. A PSSP licence authorises the licensee to provide and operate payment processing gateways and portals, solution and application development, and merchant service aggregation and collections services.

Key requirements for a PSSP licence include:

  • Minimum paid-up share capital of ₦250 million
  • PCI-DSS certification
  • A documented disaster recovery plan
  • Risk management frameworks
  • Agreements with licensed banks or merchants
  • CBN-approved cybersecurity infrastructure

Why this matters for your business: A payment gateway operating without the appropriate CBN licence is illegal. Without this CBN-issued licence, a fintech cannot legally process its first transaction. If you use an unlicensed gateway, your transactions may be frozen or reversed by the CBN, your business may face investigation for facilitating unlicensed financial services, and you have no regulatory recourse if the provider mishandles your funds or shuts down.

Your check: Ask your payment gateway provider for their specific CBN licence number and category. Verify it against the CBN’s published register of licensed payment service providers. “We are regulated” is not sufficient. Request the licence number.

2. PCI-DSS: The Global Standard Every Nigerian Payment Gateway Must Meet


PCI-DSS (Payment Card Industry Data Security Standard) is the global security framework governing how organizations handle cardholder data. CBN licensing conditions for payment gateways in Nigeria specifically require PCI-DSS certification as a prerequisite, alongside disaster recovery plans and risk frameworks.

The 12 core PCI-DSS requirements span six areas: secure network architecture, cardholder data protection, vulnerability management, access controls, network monitoring, and information security policies.

What this means for your business depends on your integration type:

Hosted gateway (customer redirected to a payment page): The gateway provider carries most of the PCI-DSS burden. Your compliance scope is significantly reduced.

API-integrated gateway: Your application is in scope because it handles payment initiation. Tokenisation reduces scope, but your systems must still meet the relevant PCI-DSS requirements.

Self-hosted gateway: Your systems are fully in scope. This is the highest compliance burden and is appropriate only for large enterprises with dedicated security resources.

For most Nigerian businesses, a hosted or API-integrated gateway with tokenisation is the correct choice to minimise PCI-DSS exposure while maintaining payment flexibility.

Your check: Ask your payment gateway provider for their PCI-DSS certification level. Level 1 is the highest and covers providers processing over 6 million card transactions annually. Confirm how tokenisation is implemented and what your residual compliance obligations are for your specific integration type.
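Because an API-integrated merchant stays partly in scope, the check that matters most on your side is whether raw card numbers ever reach systems you control (application logs, databases, support tickets) rather than only the provider's tokenisation endpoint. The Python script below is an added example, not code from this article or from any gateway provider: it scans constructed sample log lines for Luhn-valid 13 to 19 digit sequences and reports each line carrying a raw PAN, while token references, last-four values and masked numbers pass through. The function names, the `tok_` token prefix and the log lines are all assumptions made for the example.

```python
"""Scan merchant-side log lines for raw card numbers (PANs).

Added example, not code from the article. A tokenised integration should
leave only token references and masked values in the merchant's own systems;
any Luhn-valid 13-19 digit sequence in a log line is a scope problem.
"""
import re
from typing import List, Tuple

# 13-19 decimal digits, optionally separated by single spaces or dashes,
# not preceded or followed by another digit.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return every Luhn-valid card-number-looking sequence in text, digits only."""
    pans = []
    for match in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            pans.append(digits)
    return pans


def mask_pan(digits: str) -> str:
    """Mask a PAN for display: at most the first six and last four digits visible."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_log(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Return (line number, PANs) for each line that carries a raw PAN."""
    hits = []
    for number, line in enumerate(lines, start=1):
        pans = find_pans(line)
        if pans:
            hits.append((number, pans))
    return hits


# Constructed sample lines (hypothetical, not from any real system). Line 1 is
# what a tokenised integration should look like; lines 2 and 4 leak a PAN;
# line 3 is a 16-digit reference number that fails the Luhn check.
SAMPLE_LOG = [
    "2025-09-19 10:01:02 INFO charge ok token=tok_a91f3c last4=1111 amount=25000 NGN",
    "2025-09-19 10:01:05 DEBUG card=4111 1111 1111 1111 exp=12/27",
    "2025-09-19 10:02:10 INFO refund ref=1234567890123456 status=queued",
    "2025-09-19 10:03:44 ERROR gateway timeout pan=5555555555554444 amount=9000 NGN",
]


if __name__ == "__main__":
    for number, pans in scan_log(SAMPLE_LOG):
        masked = ", ".join(mask_pan(p) for p in pans)
        print(f"line {number}: raw PAN in merchant log ({masked})")
```

The Luhn filter removes most order and reference numbers but not every false positive, so treat a hit as something to inspect rather than proof of a leak. Running a check like this over application logs on a schedule is a cheap way to confirm that a tokenised integration actually keeps card numbers out of your environment, which is what determines the residual PCI-DSS scope the provider will ask you about.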

3. NDPA and GAID: Nigeria’s Data Protection Framework Is Now Being Enforced

The Nigeria Data Protection Act (NDPA), signed into law in June 2023, governs how personal and transactional data is collected, stored, processed, and shared in Nigeria. In March 2025, the NDPC issued the General Application and Implementation Directive (GAID), which became effective September 19, 2025, replacing the previous NDPR 2019 as the authoritative framework for implementing the NDPA.

This is no longer theoretical. In August 2025, the NDPC issued compliance notices to 1,368 organizations across banking, insurance, pensions, and gaming, demanding proof of compliance within 21 days. Enforcement is active and sector-wide.

NDPA penalties for major data controllers: Up to ₦10 million or 2% of annual gross revenue from the preceding financial year, whichever is greater.

Key NDPA obligations relevant to payment gateway use:


Lawful basis for data processing. You must have a lawful basis for collecting and processing payment data. For payment gateways, contractual necessity (processing a payment the customer agreed to) is typically sufficient.

Data minimisation. Only collect payment data necessary for the transaction. A gateway that collects and retains excessive customer data beyond what is needed creates NDPA exposure for your business as the data controller.

Data storage and security. Payment data must be stored securely and for no longer than necessary. Your gateway provider must have documented data retention policies aligned with NDPA requirements.

Cross-border data transfers. If your gateway routes payment data through servers outside Nigeria, this constitutes a cross-border transfer under NDPA, subject to additional safeguards. Multichoice’s ₦766.2 million fine specifically included penalties for illegally transferring personal data outside the country, demonstrating that this provision is actively enforced.

Data Protection Officer. Under the GAID, organisations processing significant volumes of personal data must appoint a Data Protection Officer and register with the NDPC.

Your check: Request your payment gateway provider’s NDPA compliance documentation and their data processing agreement. Confirm where payment data is stored, whether it is transferred outside Nigeria, and how long it is retained. Ask whether they are registered with the NDPC as a data controller or processor of major importance.

4. AML and KYC: Mandatory for Every Licensed Payment Service Provider

Anti-money laundering controls and Know Your Customer verification are mandatory for payment service providers in Nigeria under the Money Laundering (Prevention and Prohibition) Act and CBN guidelines.

What this requires in practice:

KYC on account opening. Your payment gateway provider must verify your identity and business details before activating your account. This is a regulatory requirement, not optional onboarding friction.

Transaction monitoring. Gateways must monitor transactions for patterns consistent with money laundering or terrorist financing and file Suspicious Transaction Reports with the Nigerian Financial Intelligence Unit (NFIU).

Transaction thresholds. Certain transaction values trigger enhanced due diligence. Your gateway may require additional documentation for high-value transactions or unusual patterns, and may place temporary holds on your account pending verification.

Your check: Ask your gateway provider for their documented AML and KYC procedures. Understand the transaction thresholds that may trigger enhanced scrutiny or holds, particularly if your business regularly processes high-value B2B transactions.

5. NRS E-Invoicing: The Newest and Most Directly Revenue-Relevant Compliance Layer


From 2025 onward, Nigerian businesses must issue and receive invoices validated through the NRS Merchant Buyer Solution (MBS) platform. This is a payment compliance requirement, not merely a tax filing obligation: invoices without a valid NRS Invoice Reference Number (IRN) cannot be used to recover input VAT.

For payment gateway users, the commercial impact is direct. If your gateway is collecting payments against invoices that have not been NRS-validated, your business is losing the right to recover VAT on every one of those transactions. At 7.5% VAT on significant procurement volumes, this is a material and ongoing cost.

A payment gateway with native NRS e-invoicing integration generates validated invoices and collects payments against them in a single workflow. No separate invoicing system. No separate compliance process.

The NRS rollout timeline:

Phase     Taxpayer Category            Go-Live          Enforcement
Phase 1   Above ₦5 billion turnover    November 2025    Active now
Phase 2   ₦1 billion to ₦5 billion     July 1, 2026     Early 2027
Phase 3   Below ₦1 billion             July 1, 2027     2028

Your check: Does your payment gateway hold both the NRS Systems Integrator (SI) and Access Point Provider (APP) licences? Does it generate NRS-validated invoices natively, or do you need a separate system? Read the full NRS e-invoicing compliance guide here.

Duplo’s collections infrastructure eliminates manual reconciliation entirely: from the moment a client pays to the moment your accounts receivable ledger reflects it.

Payment Gateway Compliance Checklist for Nigerian Businesses


Before signing up with any Nigerian payment gateway, verify the following:

Requirement               What to Ask
CBN PSSP Licence          Request the licence number and verify it against the CBN register
PCI-DSS Certification     Ask for the certification level (Level 1 preferred)
NDPA Compliance           Request the data processing agreement and confirm the data storage location
NDPC Registration         Confirm they are registered as a data controller or processor
AML/KYC Procedures        Ask for documented procedures and transaction threshold policies
NRS SI and APP Licences   Confirm both are held for full e-invoicing compliance
Disaster Recovery Plan    Confirm one exists, as required under the CBN licensing framework

Frequently Asked Questions: Payment Gateway Compliance Nigeria


Is PCI-DSS compliance mandatory for Nigerian businesses using payment gateways? PCI-DSS is mandatory for any business that handles cardholder data. If you use a hosted gateway that redirects customers to a payment page, your compliance scope is significantly reduced. If you use an API integration, your systems are in scope. The CBN also mandates PCI-DSS as a condition of the PSSP licence, meaning your gateway provider must hold it regardless.

What happens if I use an unlicensed payment gateway in Nigeria? The CBN may freeze or reverse transactions processed through unlicensed providers. Your business may be investigated and penalised for facilitating unlicensed financial services. There is no regulatory recourse if an unlicensed provider mishandles your funds or exits the market.

Does NDPA apply to payment data stored outside Nigeria? Yes. Cross-border data transfers are subject to additional NDPA requirements. Multichoice Nigeria’s ₦766.2 million fine included penalties specifically for unauthorised transfer of personal data outside the country. Verify where your gateway stores payment data before signing up.

What is the GAID and how does it affect payment compliance in Nigeria? The General Application and Implementation Directive (GAID) was issued in March 2025 and became effective September 19, 2025. It replaced the older NDPR 2019 as the authoritative framework for implementing the NDPA. Any compliance programme built on the NDPR framework alone is now outdated and needs to be reviewed against the GAID.

How Duplo Meets Every Nigerian Payment Gateway Compliance Requirement


Duplo holds a valid CBN PSSP licence, is PCI-DSS certified, implements NDPA and GAID-aligned data handling practices, is registered with the NDPC, and holds both the NRS Systems Integrator and Access Point Provider licences. Businesses using Duplo for payment collections have a single platform that meets every major Nigerian payment compliance requirement in 2026.

No separate compliance processes. No compliance gaps between your payment gateway and your invoicing system. No missing licences.

👉 Build your payment operations on a fully compliant foundation. Sign up here to get started with Duplo.
