Merchant Levels Defined

As a merchant, it is important to understand how you are defined in the MasterCard SDP Program. This level of understanding will help define the validation procedures that you are required to complete.

The matrix below identifies the 4 Merchant Levels in the MasterCard SDP Program, how they are defined, the required validation procedures by Merchant Level and the associated compliance dates.

Level 1
  Definition criteria:
  • Any merchant that has suffered a hack or an attack that resulted in an account data compromise
  • Any merchant having greater than six million total combined MasterCard and Maestro transactions annually
  • Any merchant meeting the Level 1 criteria of a competing payment brand
  • Any merchant that MasterCard, in its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the system
  Onsite Assessment: Required Annually [1]
  Self Assessment: Not Required
  Network Security Scan: Required Quarterly [3]
  Deadline: 30 June 2005 [2]

Level 2
  Definition criteria:
  • Any merchant with greater than one million but less than or equal to six million total combined MasterCard and Maestro transactions annually
  • Any merchant meeting the Level 2 criteria of a competing payment brand
  Onsite Assessment: Required Annually [1]
  Self Assessment: Required Annually until 31 December 2010
  Network Security Scan: Required Quarterly [3]
  Deadline: 31 December 2010

Level 3
  Definition criteria:
  • Any merchant with greater than 20,000 combined MasterCard and Maestro e-commerce transactions annually but less than or equal to one million total combined MasterCard and Maestro e-commerce transactions annually
  • Any merchant meeting the Level 3 criteria of a competing payment brand
  Onsite Assessment: Not Required
  Self Assessment: Required Annually
  Network Security Scan: Required Quarterly [3]
  Deadline: 30 June 2005

Level 4 [4]
  Definition criteria:
  • All other merchants
  Onsite Assessment: Not Required
  Self Assessment: Required Annually
  Network Security Scan: Required Quarterly [3]
  Deadline: Consult Acquirer

[1] All Level 1 and Level 2 merchants must complete an annual onsite assessment conducted by a PCI SSC certified Qualified Security Assessor (QSA) and must validate compliance by 31 December 2010.

[2] All Level 1 merchants that have engaged an internal auditor before 15 June 2009 must validate compliance with the PCI DSS via an annual onsite assessment conducted by a PCI SSC certified QSA by 31 December 2010.

[3] To fulfill the network scanning requirement, all merchants must conduct scans on a quarterly basis using a PCI SSC Approved Scanning Vendor (ASV).

[4] Level 4 merchants are required to comply with the PCI Data Security Standard. Level 4 merchants should consult their acquirer to determine if compliance validation is also required.