Read frequently asked questions to learn more.
How to determine service provider level and validation requirements
Service Providers are categorized as Level 1 or Level 2 Service Providers based on Service Provider category and annual Mastercard transaction volume.
Mastercard requires all service providers to be PCI-compliant
- Based on level, review the Service Provider validation requirements and engage an Approved Scanning Vendor (ASV) or Qualified Security Assessor (QSA) as necessary.
- Once compliant, submit a signed Attestation of Compliance (AOC); or for those SAQ eligible, please submit the SAQ D AOC and latest passing scan to Mastercard.
- If not yet compliant, the PCI DSS Action Plan for Service Providers or if applicable, the PCI 3DS Core Action Plan for Service Providers should be completed and submitted to Mastercard.
To be on the Mastercard SDP Compliant Registered Service Provider List, Mastercard will only list those Service Providers that are registered with the Mastercard Service Provider Registration Team and have also successfully completed an annual onsite assessment.
Site Data Protection Service Provider Levels
- All Level 1 Service Providers must complete an annual onsite assessment conducted by a PCI SSC certified QSA.
- Quarterly network scans must be conducted by a PCI SSC ASV.
- As an alternative to validating compliance with an annual Self-Assessment, a TS, if eligible, may submit a completed Terminal Servicer QIR Participation Validation Form to Mastercard
Mastercard recommends that each Level 1 and Level 2 Service Provider demonstrate to Mastercard its compliance with the Designated Entities Supplemental Validation (DESV) appendix of the PCI DSS.