As a merchant, it is important to understand how you are classified in the MasterCard SDP Program, because your merchant level determines the compliance validation procedures you are required to complete.
The matrix below identifies the four merchant levels in the MasterCard SDP Program, how each is defined, the compliance validation procedures required for each level, and the associated compliance deadlines.
MasterCard announced new SDP Program changes to drive consistency and quality of Merchant QSA Training in the December 15, 2009 Global Security Bulletin. These changes are reflected in the chart below.
| Merchant Definition | Criteria | Onsite Assessment | Self Assessment | Network Security Scan | Deadline |
|---|---|---|---|---|---|
| Level 1 | Any merchant that has suffered a hack or an attack that resulted in an account data compromise<br>Any merchant having greater than six million total combined MasterCard and Maestro transactions annually<br>Any merchant meeting the Level 1 criteria of Visa<br>Any merchant that MasterCard, in its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the system | Required Annually¹ | Not Required | Required Quarterly³ | 30 June 2011⁵ |
| Level 2 | Any merchant with greater than one million but less than or equal to six million total combined MasterCard and Maestro transactions annually<br>Any merchant meeting the Level 2 criteria of Visa | At Merchant Discretion² | Required Annually² | Required Quarterly³ | 30 June 2011 |
| Level 3 | Any merchant with greater than 20,000 combined MasterCard and Maestro e-commerce transactions annually but less than or equal to one million total combined MasterCard and Maestro e-commerce transactions annually<br>Any merchant meeting the Level 3 criteria of Visa | Not Required | Required Annually | Required Quarterly³ | 30 June 2005 |
| Level 4⁴ | | Not Required | Required Annually | Required Quarterly³ | Consult Acquirer |
¹ Effective 30 June 2011, Level 1 merchants that choose to conduct an annual onsite assessment using an internal auditor must ensure that primary internal auditor staff engaged in validating PCI DSS compliance attend PCI SSC-offered merchant training programs and pass any PCI SSC associated accreditation program annually in order to continue to use internal auditors.

² Effective 30 June 2011, Level 2 merchants that choose to complete an annual self-assessment questionnaire must ensure that staff engaged in the self-assessment attend PCI SSC-offered merchant training programs and pass any associated PCI SSC accreditation program annually in order to continue the option of self-assessment for compliance validation. Alternatively, Level 2 merchants may, at their own discretion, complete an annual onsite assessment conducted by a PCI SSC approved QSA rather than complete an annual self-assessment questionnaire.

³ Quarterly network scans must be conducted by a PCI SSC Approved Scanning Vendor (ASV).

⁴ Level 4 merchants are required to comply with the PCI Data Security Standard. Level 4 merchants should consult their acquirer to determine if compliance validation is also required.

⁵ The initial compliance validation date for Level 1 merchants has passed. The 30 June 2011 deadline affects merchants that choose to conduct an annual onsite assessment using an internal auditor.