Merchant Levels Defined

As a merchant, it is important to understand how you are classified in the MasterCard SDP Program. Your Merchant Level determines the validation procedures that you are required to complete.

The matrix below identifies the 4 Merchant Levels in the MasterCard SDP Program, how they are defined, the required validation procedures by Merchant Level and the associated compliance dates.

MasterCard announced new SDP Program revisions in the June 16, 2009 Global Security Bulletin. To help answer your questions regarding these changes, MasterCard has made the following FAQs available.

SDP Program Revisions FAQ

Level 1
  Definition criteria:
  • Any merchant that has suffered a hack or an attack that resulted in an account data compromise
  • Any merchant having greater than six million total combined MasterCard and Maestro transactions annually
  • Any merchant that MasterCard, in its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the system
  Onsite Assessment: Required Annually (1)
  Self Assessment: Not Required
  Network Security Scan: Required Quarterly (3)
  Deadline: 30 June 2005 (2)

Level 2
  Definition criteria:
  • Any merchant with greater than one million but less than or equal to six million total combined MasterCard and Maestro transactions annually
  Onsite Assessment: Required Annually (1)
  Self Assessment: Required Annually Until 31 December 2010
  Network Security Scan: Required Quarterly (3)
  Deadline: 31 December 2010

Level 3
  Definition criteria:
  • Any merchant with greater than 20,000 combined MasterCard and Maestro e-commerce transactions annually but less than or equal to one million total combined MasterCard and Maestro e-commerce transactions annually
  Onsite Assessment: Not Required
  Self Assessment: Required Annually
  Network Security Scan: Required Quarterly (3)
  Deadline: 30 June 2005

Level 4 (4)
  Definition criteria:
  • All other merchants
  Onsite Assessment: Not Required
  Self Assessment: Required Annually
  Network Security Scan: Required Quarterly (3)
  Deadline: Consult Acquirer

(1) All Level 1 and Level 2 merchants must complete an annual onsite assessment conducted by a PCI SSC certified Qualified Security Assessor (QSA) and must validate compliance by 31 December 2010.

(2) All Level 1 merchants that have engaged an internal auditor before 15 June 2009 must validate compliance with the PCI DSS via an annual onsite assessment conducted by a PCI SSC certified QSA by 31 December 2010.

(3) To fulfill the network scanning requirement, all merchants must conduct scans on a quarterly basis using a PCI SSC Approved Scanning Vendor (ASV).

(4) Level 4 Merchants are required to comply with the PCI Data Security Standard. Level 4 Merchants should consult their acquirer to determine if compliance validation is also required.