How to determine service provider level and validation requirements
Service providers are categorized as Level 1 or Level 2 service providers based on service provider category and annual Mastercard® transaction volume.
Mastercard requires all service providers to be PCI compliant.
- Based on level, review the service provider validation requirements and engage a PCI SSC Approved Scanning Vendor (ASV) or Qualified Security Assessor (QSA) as necessary.
- Once compliant, submit a signed Attestation of Compliance (AOC) to Mastercard; service providers that are SAQ eligible submit the SAQ D AOC.
- If not yet compliant, complete and submit to Mastercard the PCI DSS Action Plan for Service Providers or, if applicable, the PCI 3DS Core Action Plan for Service Providers.
Site data protection service provider levels

| Category | Criteria | Requirements |
|---|---|---|
| Level 1 | All Third Party Processors (TPPs); all Staged Digital Wallet Operators (SDWOs); all Digital Activity Service Providers (DASPs); all Token Service Providers (TSPs); all 3-D Secure Service Providers (3-DSSPs); all Installment Service Providers (ISPs); all Merchant Payment Gateways (MPGs); all AML/Sanctions Service Providers, Data Storage Entities (DSEs) and Payment Facilitators (PFs) with more than 300,000 total combined Mastercard and Maestro transactions annually | Annual PCI assessment resulting in the completion of a Report on Compliance (ROC) [^1] |
| Level 2 | All AML/Sanctions Service Providers, DSEs [^2] and PFs with 300,000 or fewer total combined Mastercard and Maestro transactions annually; all Terminal Servicers (TSs) [^3] | Annual Self-Assessment Questionnaire (SAQ) |
[^1]: Level 1 service providers must validate compliance with the PCI DSS annually, and each 3-DSSP must validate compliance with the PCI 3DS Core Security Standard every two years by undergoing a PCI assessment resulting in the completion of a ROC conducted by an appropriate PCI SSC-approved QSA.
[^2]: As an alternative to validating compliance with the PCI DSS AOC, a qualifying Level 2 DSE may submit a PCI PIN Security Requirements AOC from a PCI SSC-approved Qualified PIN Assessor (QPA) every two years.
[^3]: As an alternative to validating compliance with an annual Self-Assessment, a TS, if eligible, may submit a completed Terminal Servicer QIR Participation Validation Form to Mastercard.
Mastercard recommends that each Level 1 and Level 2 service provider demonstrate to Mastercard its compliance with the Designated Entities Supplemental Validation (DESV) appendix of the PCI DSS.