Merchant Levels Defined

As a merchant, it is important to understand how you are defined in the MasterCard SDP Program. This level of understanding will help define the validation procedures that you are required to complete.

The matrix below identifies the 4 Merchant Levels in the MasterCard SDP Program, how they are defined, the required validation procedures by Merchant Level and the associated compliance dates.

Level 1
Definition Criteria:
  • All merchants, including electronic commerce merchants, with more than 6 million total MasterCard transactions annually
  • All merchants that experienced an account compromise
  • All merchants meeting the Level 1 criteria of a competing payment brand
  • Any merchant that MasterCard, at its sole discretion, determines should meet the Level 1 merchant requirements
Onsite Review: Required Annually [1]
Self Assessment: Not Required
Network Security Scan: Required Quarterly [2]
Initial Compliance Validation Date: 30 June 2005

Level 2
Definition Criteria:
  • All merchants with more than one million total MasterCard transactions but less than six million total transactions annually
  • All merchants meeting the Level 2 criteria of a competing payment brand
Onsite Review: Not Required
Self Assessment: Required Annually
Network Security Scan: Required Quarterly [2]
Initial Compliance Validation Date: 31 December 2008

Level 3
Definition Criteria:
  • All merchants with annual MasterCard e-commerce transactions greater than 20,000 but less than one million total transactions
  • All merchants meeting the Level 3 criteria of a competing payment brand
Onsite Review: Not Required
Self Assessment: Required Annually
Network Security Scan: Required Quarterly [2]
Initial Compliance Validation Date: 30 June 2005

Level 4 [3]
Definition Criteria:
  • All other merchants
Onsite Review: Not Required
Self Assessment: Required Annually
Network Security Scan: Required Quarterly [2]
Initial Compliance Validation Date: Consult Acquirer

[1] For Level 1 merchants, the annual onsite review may be conducted by either the merchant’s internal auditor or a Qualified Security Assessor.

[2] To fulfill the network scanning requirement, all merchants must conduct scans on a quarterly basis using an Approved Scanning Vendor.

[3] Level 4 Merchants are required to comply with the PCI Data Security Standard. Level 4 Merchants should consult their acquirer to determine if compliance validation is also required.
