Merchant Levels Defined

As a merchant, it is important for you to understand how the MasterCard Site Data Protection Programme classifies your business. This classification will determine the procedures that you are required to follow.

The matrix below identifies the four MasterCard Site Data Protection Merchant Levels and the required validation procedures and compliance dates for each Merchant Level.

Each Merchant Level below lists its definition criteria, followed by the required validation procedures (On-site Review, Self-Assessment, Network Security Scan) and the Compliance Date.

Level 1
  Merchant Definition Criteria:
  • All merchants, including electronic commerce merchants, with more than six million total MasterCard transactions annually
  • All merchants having experienced an account compromise
  • All merchants meeting or exceeding the Level 1 criteria of a competing payment brand
  • Any merchant that MasterCard, at its sole discretion, determines should meet the Level 1 merchant requirements
  On-site Review: Required Annually [1]
  Self-Assessment: Not Required
  Network Security Scan: Required Quarterly [2]
  Compliance Date: 30 June 2005

Level 2
  Merchant Definition Criteria:
  • All merchants with annual MasterCard e-commerce transactions between 150,000 and 6 million
  • All merchants meeting or exceeding the Level 2 criteria of a competing payment brand
  On-site Review: Not Required
  Self-Assessment: Required Annually
  Network Security Scan: Required Quarterly [2]
  Compliance Date: 30 June 2004

Level 3
  Merchant Definition Criteria:
  • All merchants with annual MasterCard e-commerce transactions between 20,000 and 150,000
  • All merchants meeting or exceeding the Level 3 criteria of a competing payment brand
  On-site Review: Not Required
  Self-Assessment: Required Annually
  Network Security Scan: Required Quarterly [2]
  Compliance Date: 30 June 2005

Level 4
  Merchant Definition Criteria:
  • All other merchants
  On-site Review: Not Required
  Self-Assessment: Recommended Annually
  Network Security Scan: Recommended Annually
  Compliance Date: Not applicable

[1] For Level 1 merchants, the annual on-site review may be conducted by either the merchant’s internal auditor or a qualified on-site security assessor.

[2] To fulfil the network scanning requirement, all Level 1, 2 and 3 merchants must conduct scans on a quarterly basis using a trusted scanning vendor.