How to Determine Service Provider Level and Validation Requirements

• MasterCard requires all Service Providers to be PCI Compliant. All Third Party Processors (TPPs) are considered Level 1 Service Providers. Data Storage Entities (DSEs) are categorized as Level 1 or Level 2 Service Providers based on annual MasterCard transaction volume
  • Based on level, please review the Service Provider validation requirements and engage an Approved Scanning Vendor (ASV) or Qualified Security Assessor (QSA) as necessary.
  • Once compliant, please submit a signed Attestation of Compliance (AOC); or for those SAQ eligible, please submit the SAQ D AOC and latest clean scan to MasterCard at pcireports@mastercard.com
  • Please note: As of October 1, 2010, MasterCard will only list those Service Providers that also are registered and approved as a MSP with the MasterCard Registration Program (MRP) and those that also have successfully completed an annual onsite assessment.
  • Click Here to Learn How to Register as a Service Provider

  SDP Service Provider Levels

  Category	Criteria	Requirements
  Level 1	All Third Party Processors (TPPs) All Data Storage Entities (DSEs) with more than 300,000 total combined MasterCard and Maestro transactions annually	Annual Onsite Assessment conducted by a QSA1 Quarterly Network Scan conducted by an ASV2
  Level 2	All DSEs with 300,000 or less total combined MasterCard and Maestro annual transactions annually	Annual Self-Assessment Quarterly Network Scan conducted by an ASV2

  1. All Level 1 Service Providers must complete an annual onsite assessment conducted by a PCI SSC certified QSA
  2. Quarterly network scans must be conducted by a PCI SSC ASV.