Merchant Levels Defined

As a merchant, it is important for you to understand how the MasterCard Site Data Protection Programme classifies your business. This classification will determine the procedures that you are required to follow.

The matrix below identifies the four MasterCard Site Data Protection Merchant Levels and the required validation procedures and compliance dates for each Merchant Level.

Merchant Defnition	Criteria	On-site Review	Self-Assessment	Network Security Scan	Compliance Date
Level 1	All merchants, including electronic commerce merchants, with more than 6 million total MasterCard transactions annually All merchants that experienced an account compromise All merchants meeting the Level 1 criteria of a competing payment brand Any merchant that MasterCard, at its sole discretion, determines should meet the Level 1 merchant requirements	Required Annually¹	Not Required	Required Quarterly²	30 June 2005
Level 2	All merchants with more than one million total MasterCard transactions but less than six million total transactions annually All merchants meeting the Level 2 criteria of a competing payment brand	Not required	Required Annually	Required Quarterly²	31 December 2008
Level 3	All merchants with annual MasterCard e-commerce transactions greater than 20,000 but less than one million total transactions All merchants meeting the Level 3 criteria of a competing payment brand	Not Required	Required Annually	Required Quarterly²	30 June 2005
Level 4³	All other merchants	Not Required	Required Annually	Required Quarterly²	Consult Acquirer

¹ For Level 1 merchants, the annual onsite review may be conducted by either the merchant’s internal auditor or a Qualified Security Assessor.

² To fulfill the network scanning requirement, all merchants must conduct scans on a quarterly basis using an Approved Scanning Vendor.

³ Level 4 Merchants are required to comply with the PCI Data Security Standard. Level 4 Merchants should consult their acquirer to determine if compliance validation is also required.