EcoVent Africa Limited does not store, process, or transmit cardholder data. PCI DSS v4.0 is therefore not currently applicable to VPAY Genesis. This statement documents that scope-out explicitly — converting "no evidence" to "documented N/A," and stating the forward-state plan for the future moment when payment-card integration is added.
The Payment Card Industry Data Security Standard v4.0 (PCI DSS v4.0) applies to any organisation that stores, processes, or transmits cardholder data. As of 27 May 2026, EcoVent Africa Limited and its operating platform VPAY Genesis:
The auditor's 27 May 2026 report rated PCI DSS 2/5 with the note: "Limited payment processing evidence; no PCI compliance attestation found." The correct status is N/A by design; this statement converts the absence of an attestation into a documented exclusion, which is the standard PCI scoping outcome for a non-card business.
A Cardholder Data Environment, as defined by the PCI Security Standards Council, is "the people, processes, and technology that store, process, or transmit cardholder data or sensitive authentication data, as well as any connected-to or security-impacting systems." For EcoVent Africa Limited, the CDE is:
The empty set.
Because no system in the EcoVent Africa stack falls within the PCI definition of "stores, processes, or transmits cardholder data," no system is in scope for PCI DSS v4.0. Network segmentation, vulnerability scanning under Approved Scanning Vendor (ASV) regime, and Self-Assessment Questionnaire (SAQ) completion are accordingly not required at this time.
Adjacent regulatory frameworks (the Ghana Data Protection Act 2012, EU GDPR, AML/CFT under the Bank of Ghana's GANRAP framework) do govern the personal data the company collects (name, email, employer, role, country when submitted via diligence and waitlist forms). Those are addressed under Privacy Policy, Information Security Policy, and AML/CFT Summary.
The following surfaces are explicitly excluded from PCI scope, with the rationale stated:
This list is exhaustive at the date of publication. Any future system addition that touches cardholder data will trigger an immediate scope re-assessment and is governed by the forward-state plan in §4.
EcoVent Africa's medium-term product roadmap includes consumer-facing "Save in Gold" and "Borrow" functionality. When fiat-to-$SOV conversion is offered to retail users in jurisdictions where card-funded purchases are expected, PCI DSS v4.0 will become applicable. The forward-state plan below is committed in advance.
The privacy-first architecture and minimal off-chain footprint already established by VPAY Genesis substantially reduce the surface area that PCI compliance will need to cover. The auditor noted the same: "The privacy-first architecture provides a strong starting point for PCI compliance when the time comes."
This scope statement is a self-assessment by EcoVent Africa Limited as of 27 May 2026. It is intentionally transparent so that any reader — institutional investor, regulator, prospective partner, internal auditor — can independently verify the claim by inspecting:
A formal third-party PCI scoping engagement is queued for Phase 3 of the 24-month institutional maturation programme (12–24 months), to be triggered ahead of any card-payment launch. The audit firm and the precise scoping methodology will be selected to align with the eventual SOC 2 Type II and ISO 27001 audit programmes for assessment efficiency.
Version 1.0 · Effective 27 May 2026 · Next scheduled review: 27 August 2026 or immediately upon any payment-system change, whichever sooner.
Compliance and scope questions: cco@ecoventafrica.com (Chief Compliance Officer)
Founder direct: Ano@ecoventafrica.com
Security disclosures: security@ecoventafrica.com
Version 1.0 · Effective 27 May 2026
Yɛn Sika, yɛn ankasa nkonim.
Our gold · our own victory
Return to home →