How to determine service provider level and validation requirements
Service providers are categorized as Level 1 or Level 2 service providers based on service provider category and annual Mastercard® transaction volume.
Mastercard requires all service providers to be PCI compliant
- Based on level, review the service provider validation requirements and engage a PCI SSC Approved Scanning Vendor (ASV) or Qualified Security Assessor (QSA) as necessary.
- Once compliant, submit a signed Attestation of Compliance (AOC); or for those SAQ eligible, please submit the SAQ D AOC to Mastercard.
- If not yet compliant, the PCI DSS Action Plan for Service Providers or if applicable, the PCI 3DS Core Action Plan for Service Providers should be completed and submitted to Mastercard.
Site data protection service provider levels
- All Third Party Processors (TPPs)
- All Staged Digital Wallet Operators (SDWOs)
- All Digital Activity Service Providers (DASPs)
- All Token Service Providers (TSPs)
- All 3-D Secure Service Providers (3-DSSPs)
- All AML/Sanctions Service Providers
- All Data Storage Entities (DSEs) and Payment Facilitators (PFs) with more than 300,000 total combined Mastercard and Maestro transactions annually
- Annual Onsite Assessment conducted by an appropriate PCI SSC approved QSA
- All DSEs1 and PFs with 300,000 or less total combined Mastercard and Maestro transactions annually
- All Terminal Servicers (TSs)2
- As an alternative to validating compliance with the PCI DSS AOC, a qualifying Level 2 DSE may submit a PCI PIN Security Requirements AOC from a PCI SSC approved Qualified PIN Assessor (QPA)
- As an alternative to validating compliance with an annual Self-Assessment, a TS, if eligible, may submit a completed Terminal Servicer QIR Participation Validation Form to Mastercard
Mastercard recommends that each Level 1 and Level 2 Service Provider demonstrate to Mastercard its compliance with the Designated Entities Supplemental Validation (DESV) appendix of the PCI DSS.