What service providers need to know about PCI compliance
Find out more about your role in PCI compliance
How to determine service provider level and validation requirements
Service Providers are categorized as Level 1 or Level 2 based on their Service Provider category and their annual Mastercard transaction volume.
Mastercard requires all service providers to be PCI-compliant
- Based on level, review the Service Provider validation requirements and engage an Approved Scanning Vendor (ASV) or Qualified Security Assessor (QSA) as necessary.
- Once compliant, submit a signed Attestation of Compliance (AOC) to Mastercard; Service Providers that are SAQ-eligible submit the SAQ D AOC together with the latest passing scan.
- If not yet compliant, complete and submit to Mastercard the PCI DSS Action Plan for Service Providers or, if applicable, the PCI 3DS Core Action Plan for Service Providers.
Mastercard includes on the Mastercard SDP Compliant Registered Service Provider List only those Service Providers that are registered with the Mastercard Service Provider Registration Team and have also successfully completed an annual onsite assessment.
Site Data Protection Service Provider Levels
Category | Criteria | Requirements
---|---|---
Level 1 | |
Level 2 | |
- All Level 1 Service Providers must complete an annual onsite assessment conducted by a PCI SSC certified QSA.
- Quarterly network scans must be conducted by a PCI SSC ASV.
- As an alternative to validating compliance with an annual Self-Assessment, a Terminal Servicer (TS), if eligible, may submit a completed Terminal Servicer QIR Participation Validation Form to Mastercard.
Mastercard recommends that each Level 1 and Level 2 Service Provider demonstrate to Mastercard its compliance with the Designated Entities Supplemental Validation (DESV) appendix of the PCI DSS.