Site Data Protection and PCI

Advancing 
Awareness

How to Determine Service Provider Level and Validation Requirements

  • MasterCard requires all Service Providers to be PCI Compliant. All Third Party Processors (TPPs) are considered Level 1 Service Providers. Data Storage Entities (DSEs) are categorized as Level 1 or Level 2 Service Providers based on annual MasterCard transaction volume.
    • Based on level, please review the Service Provider validation requirements and engage an Approved Scanning Vendor (ASV) or Qualified Security Assessor (QSA) as necessary.
    • Once compliant, please submit a signed Attestation of Compliance (AOC); or for those SAQ eligible, please submit the SAQ D AOC and latest clean scan to MasterCard at pcireports@mastercard.com
    • Please note: As of October 1, 2010, MasterCard will only list those Service Providers that also are registered and approved as a MSP with the MasterCard Registration Program (MRP) and those that also have successfully completed an annual onsite assessment.
    • Click Here to Learn How to Register as a Service Provider

    SDP Service Provider Levels

    Category Criteria Requirements
    Level 1
    • All Third Party Processors (TPPs)
    • All Data Storage Entities (DSEs) with more than 300,000 total combined MasterCard and Maestro transactions annually
    • Annual Onsite Assessment conducted by a QSA1
    • Quarterly Network Scan conducted by an ASV2
    Level 2
    • All DSEs with 300,000 or less total combined MasterCard and Maestro annual transactions annually
    • Annual Self-Assessment
    • Quarterly Network Scan conducted by an ASV2
    1. All Level 1 Service Providers must complete an annual onsite assessment conducted by a PCI SSC certified QSA
    2. Quarterly network scans must be conducted by a PCI SSC ASV.



PCI Education

Also of Interest