CATEGORY | CRITERIA | REQUIREMENTS |
---|---|---|
Level 1 | | |
Level 2 | | |
Level 3 | | |
Level 4 | | |
All merchants that store, process or transmit cardholder data must be PCI DSS compliant, unless otherwise exempt. Mastercard recommends that merchants contact their acquiring bank; with the bank's assistance, merchants can then complete the following steps:
Merchants are required to submit their PCI validation documents to their acquiring bank, which oversees compliance and, when required, reports the status to Mastercard.
CATEGORY | CRITERIA | REQUIREMENTS |
---|---|---|
Level 1 | | |
Level 2 | | |
Level 3 | | |
Level 4 | | |
Any service provider that stores, transmits, or processes cardholder data must comply with all applicable PCI Data Security Standards. Mastercard recommends that each Level 1 and Level 2 service provider also demonstrate to Mastercard its compliance with the Designated Entities Supplemental Validation (DESV) appendix of the PCI DSS.
CATEGORY | CRITERIA | REQUIREMENTS |
---|---|---|
Level 1 | | |
Level 2 | | |
Acquirers are responsible for building and maintaining a PCI DSS compliance program. Here are some steps to follow while actively engaging merchants:
Mastercard does not require that Level 3 and Level 4 merchants validate PCI DSS compliance. However, an acquirer must validate to Mastercard that it has a risk management program in place to identify and manage payment security risk within its Level 3 and Level 4 merchant portfolios.
MERCHANT LEVELS:
1. Level 1 merchants must undergo an annual PCI DSS assessment resulting in the completion of a Report on Compliance (ROC) conducted by a PCI SSC-approved Qualified Security Assessor (QSA) or PCI SSC-certified Internal Security Assessor (ISA).
2. Level 2 merchants completing Self-Assessment Questionnaire (SAQ) A, SAQ A-EP or SAQ D must additionally engage a PCI SSC-approved QSA or PCI SSC-certified ISA for compliance validation. Level 2 merchants may alternatively, at their own discretion, engage a PCI SSC-approved QSA or PCI SSC-certified ISA to complete a ROC instead of performing an SAQ.
3. Level 3 and Level 4 merchants may alternatively, at their own discretion, engage a PCI SSC-approved QSA to complete a ROC instead of performing an SAQ.
4. Level 4 merchants are required to comply with the PCI DSS, although validation of compliance to Mastercard is not required, except as required by applicable law or regulation.
SERVICE PROVIDER LEVELS:
5. Level 1 service providers must validate compliance with the PCI DSS annually, and each 3-D Secure Service Provider (3-DSSP) must validate compliance with the PCI 3DS Core Security Standard every two years, in each case by undergoing a PCI assessment resulting in the completion of a ROC conducted by an appropriate PCI SSC-approved QSA.
6. As an alternative to validating PCI DSS compliance with an Attestation of Compliance (AOC), a qualifying Level 2 Data Storage Entity (DSE) may submit a PCI PIN Security Requirements AOC from a PCI SSC-approved Qualified PIN Assessor (QPA) every two years.
7. As an alternative to validating compliance with an annual self-assessment, an eligible Terminal Servicer (TS) may submit a completed Terminal Servicer Qualified Integrator and Reseller (QIR) Participation Validation Form to Mastercard.