MasterCard Site Data Protection Programme | Merchant Levels Defined

As a merchant, it is important for you to understand how the MasterCard Site Data Protection Programme classifies your business. This classification will determine the procedures that you are required to follow.

The matrix below identifies the four MasterCard Site Data Protection Merchant Levels and the required validation procedures and compliance dates for each Merchant Level.

Merchant Defnition	Criteria	On-site Review	Self-Assessment	Network Security Scan	Compliance Date
Level 1	All merchants, including electronic commerce merchants, with more than six million total MasterCard transactions annually All merchants having experienced an account compromise All merchants meeting or exceeding the Level 1 criteria of a competing payment brand Any merchant that MasterCard, at its sole discretion, determines should meet the Level 1 merchant requirements	Required Annually¹	Not Required	Required Quarterly²	30 June 2005
Level 2	All merchants with more than one million transactions annually (all channels) All merchants meeting or exceeding the Level 2 criteria of a competing payment brand	Not required	Required Annually	Required Quarterly²	30 June 2004
Level 3	All merchants with more than twenty thousand annual electronic commerce transaction All merchants meeting or exceeding the Level 3 criteria of a competing payment brand	Not Required	Required Annually	Required Quarterly²	30 June 2005
Level 4	All other merchants	Not Required	Recommended Annually	Recommended Annually	Not applicable

¹ For Level 1 merchants, the annual on-site review may be conducted by either the merchant’s internal auditor or a qualified on-site security assessor.

² To fulfil the network scanning requirement, all Level 1, 2 and 3 merchants must conduct scans on a quarterly basis using a trusted scanning vendor.

Free Scan Offer

Evaluate Your Network with a Free network Vulnerability Scan

Select vendors are offering retailers a free network vulnerability scan to become familiar with the underlying technology and processes. Scanning your site is one of the required steps toward achieving compliance with the Payment Card Industry Data Security Standards (PCI DSS). Available to businesses anywhere in the world, you can enroll automatically through the web site of one of the participating vendors below.

Why You Should Participate

MasterCard research shows that a majority of unauthorized intrusions resulting in account data compromise could be prevented through network vulnerability scans and remediation of any vulnerabilities identified. This offering will allow you to learn more about network vulnerability scanning and how it can assist in improving your network security. Contract the network scanning vendor below to arrange for your free network vulnerability scan. Offer ends December 31, 2008.

www.trustwave.com

Scanning services are provided by independent vendors. MasterCard assumes no obligation or responsibility in connection with the scanning services providing representation regarding the services and disclaims any and all warranties implied, with respect to the services provided by such vendors.