SITE DATA PROTECTION PROGRAM AND PCI

Protecting the payments ecosystem

PCI DSS Compliance

Mastercard worked with industry partners to help create the PCI Data Security Standard (DSS), a global framework that secures account data and supports safe payment processing.

SDP Program

The Site Data Protection (SDP) Program helps stakeholders achieve PCI compliance by offering clear guidelines, approved validation tools and best practices to reduce risk and enhance data security.

PCI 360 Resources

The Mastercard PCI 360 Education Program equips customers, merchants and service providers with the knowledge and tools needed to understand and comply with Mastercard’s SDP requirements.

PCI compliance validation requirements

All merchants that store, process or transmit cardholder data must be PCI compliant, unless otherwise exempt. Mastercard recommends that merchants contact their acquiring bank; with the bank's assistance, merchants can then complete the following steps:

Merchants are required to submit their PCI validation documents to their acquiring bank, who oversees compliance and, when required, reports the status to Mastercard.

Site data protection merchant levels

Each merchant level is listed with its criteria and its validation requirements (bracketed numbers refer to the notes under "Merchant levels" below).

Level 1
  Criteria:
  • Any merchant having more than six million total combined Mastercard and Maestro transactions annually
  • Any merchant meeting the Level 1 criteria of Visa
  • Any merchant that Mastercard, in its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the system
  Requirements:
  • Annual PCI DSS assessment resulting in the completion of a Report on Compliance (ROC) [1]

Level 2
  Criteria:
  • Any merchant with more than one million but less than or equal to six million total combined Mastercard and Maestro transactions annually
  • Any merchant meeting the Level 2 criteria of Visa
  Requirements:
  • Annual Self-Assessment Questionnaire (SAQ) [2]

Level 3
  Criteria:
  • Any merchant with more than 20,000 combined Mastercard and Maestro e-commerce transactions annually but less than or equal to one million total combined Mastercard and Maestro e-commerce transactions annually
  • Any merchant meeting the Level 3 criteria of Visa
  Requirements:
  • Annual Self-Assessment Questionnaire (SAQ) [3]

Level 4
  Criteria:
  • All other merchants [4]
  Requirements:
  • Annual Self-Assessment Questionnaire (SAQ) [3]

Any service provider that stores, transmits, or processes cardholder data must comply with all applicable PCI Data Security Standards. Mastercard recommends that each Level 1 and Level 2 service provider also demonstrate to Mastercard its compliance with the Designated Entities Supplemental Validation (DESV) appendix of the PCI DSS.

Site data protection service provider levels

Each service provider level is listed with its criteria and its validation requirements (bracketed numbers refer to the notes under "Service provider levels" below).

Level 1
  Criteria:
  • All Third-Party Processors (TPPs)
  • All Staged Digital Wallet Operators (SDWOs)
  • All Digital Activity Service Providers (DASPs)
  • All Business Payment Service Providers (BPSPs)
  • All Token Service Providers (TSPs)
  • All 3-D Secure Service Providers (3-DSSPs)
  • All Installment Service Providers (ISPs)
  • All Merchant Payment Gateways (MPGs)
  • All AML/Sanctions Service Providers, Data Storage Entities (DSEs) and Payment Facilitators (PFs) with more than 300,000 total combined Mastercard and Maestro transactions annually
  Requirements:
  • Annual PCI assessment resulting in the completion of a Report on Compliance (ROC) [5]

Level 2
  Criteria:
  • All AML/Sanctions Service Providers, DSEs [6] and PFs with 300,000 or fewer total combined Mastercard and Maestro transactions annually
  • All Terminal Servicers (TSs) [7]
  Requirements:
  • Annual Self-Assessment Questionnaire (SAQ)

Acquirers are responsible for building and maintaining a PCI compliance program. Here are some steps to follow while actively engaging merchants:

Mastercard does not require Level 3 and Level 4 merchants to validate PCI compliance. However, an acquirer must validate to Mastercard that it has a risk management program in place to identify and manage payment security risk within its Level 3 and Level 4 merchant portfolios.

The Mastercard SDP Compliant Registered Service Provider List

Merchant levels:

1. Level 1 merchants must undergo an annual PCI DSS assessment resulting in the completion of a ROC conducted by a PCI SSC-approved Qualified Security Assessor (QSA) or PCI SSC-certified Internal Security Assessor (ISA). 

2. Level 2 merchants completing SAQ A, SAQ A-EP or SAQ D must additionally engage a PCI SSC-approved QSA or PCI SSC-certified ISA for compliance validation. Level 2 merchants may alternatively, at their own discretion, engage a PCI SSC-approved QSA or PCI SSC-certified ISA to complete a ROC instead of performing an SAQ. 

3. Level 3 and Level 4 merchants may alternatively, at their own discretion, engage a PCI SSC-approved QSA to complete a ROC instead of performing an SAQ. 

4. Level 4 merchants are required to comply with the PCI DSS, although validation of compliance to Mastercard is not required, except as required by applicable law or regulation. 

Service provider levels:

5. Level 1 service providers must validate compliance with the PCI DSS annually, and each 3-DSSP must validate compliance with the PCI 3DS Core Security Standard every two years by undergoing a PCI assessment resulting in the completion of a ROC conducted by an appropriate PCI SSC-approved QSA. 

6. As an alternative to validating PCI DSS compliance with a PCI DSS Attestation of Compliance (AOC), a qualifying Level 2 DSE may submit a PCI PIN Security Requirements AOC from a PCI SSC-approved Qualified PIN Assessor (QPA) every two years.

7. As an alternative to validating compliance with an annual Self-Assessment Questionnaire, a TS, if eligible, may submit a completed Terminal Servicer QIR Participation Validation Form to Mastercard.