What service providers need to know about PCI compliance

Find out more about your role in PCI compliance

How to determine service provider level and validation requirements

Service Providers are categorized as Level 1 or Level 2 Service Providers based on Service Provider category and annual Mastercard transaction volume.

Mastercard requires all service providers to be PCI-compliant

  • Based on level, review the Service Provider validation requirements and engage an Approved Scanning Vendor (ASV) or Qualified Security Assessor (QSA) as necessary.
  • Once compliant, submit a signed Attestation of Compliance (AOC); or for those SAQ eligible, please submit the SAQ D AOC and latest passing scan to Mastercard.
  • If not yet compliant, the PCI DSS Action Plan for Service Providers or if applicable, the PCI 3DS Core Action Plan for Service Providers should be completed and submitted to Mastercard.

To be on the Mastercard SDP Compliant Registered Service Provider List, Mastercard will only list those Service Providers that are registered with the Mastercard Service Provider Registration Team and have also successfully completed an annual onsite assessment.

Site Data Protection Service Provider Levels

Category Criteria Requirements
Level 1
  • All Third Party Processors (TPPs)
  • All Staged Digital Wallet Operators (SDWOs)
  • All Digital Activity Service Providers (DASPs)
  • All Token Service Providers (TSPs)
  • All 3-D Secure Service Providers (3-DSSPs)
  • All Data Storage Entities (DSEs) and Payment Facilitators (PFs) with more than 300,000 total combined Mastercard and Maestro transactions annually
  • Annual Onsite Assessment conducted by an appropriate PCI SSC approved QSA1
  • Quarterly Network Scan conducted by an ASV2
Level 2
  • All DSEs and PFs with 300,000 or less total combined Mastercard and Maestro transactions annually
  • All Terminal Servicers (TSs)
  • Annual Self-Assessment3
  • Quarterly Network Scan conducted by an ASV2
  1. All Level 1 Service Providers must complete an annual onsite assessment conducted by a PCI SSC certified QSA.
  2. Quarterly network scans must be conducted by a PCI SSC ASV.
  3. As an alternative to validating compliance with an annual Self-Assessment, a TS, if eligible, may submit a completed Terminal Servicer QIR Participation Validation Form to Mastercard

Mastercard recommends that each Level 1 and Level 2 Service Provider demonstrate to Mastercard its compliance with the Designated Entities Supplemental Validation (DESV) appendix of the PCI DSS.

The Mastercard SDP Compliant Registered Service Provider List