Site Data Protection and PCI


How to Determine Service Provider Level and Validation Requirements

  • MasterCard requires all Service Providers to be PCI Compliant. All Third Party Processors (TPPs) are considered Level 1 Service Providers. Data Storage Entities (DSEs) are categorized as Level 1 or Level 2 Service Providers based on annual MasterCard transaction volume.
  • Based on level, please review the Service Provider validation requirements and engage an Approved Scanning Vendor (ASV) or Qualified Security Assessor (QSA) as necessary.
  • Once compliant, please submit a signed Attestation of Compliance (AOC); or for those SAQ eligible, please submit the SAQ D AOC and latest clean scan to MasterCard at
  • Please note: As of October 1, 2010, MasterCard will only list those Service Providers that also are registered and approved as an MSP with the MasterCard Registration Program (MRP) and those that also have successfully completed an annual onsite assessment.

SDP Service Provider Levels

Level 1
  Criteria:
  • All Third Party Processors (TPPs)
  • All Data Storage Entities (DSEs) with more than 300,000 total combined MasterCard and Maestro transactions annually
  Requirements:
  • Annual Onsite Assessment conducted by a QSA [1]
  • Quarterly Network Scan conducted by an ASV [2]

Level 2
  Criteria:
  • All DSEs with 300,000 or fewer total combined MasterCard and Maestro transactions annually
  Requirements:
  • Annual Self-Assessment
  • Quarterly Network Scan conducted by an ASV [2]

Notes:
  1. All Level 1 Service Providers must complete an annual onsite assessment conducted by a PCI SSC certified QSA.
  2. Quarterly network scans must be conducted by a PCI SSC ASV.
