MasterCard Site Data Protection Program

Part of this is ensuring you meet the requirements of the various credit card issuers like Visa, AMEX, and Mastercard. In this article we’ll be exploring credit cards issued by Mastercard and governed by the Mastercard Site Data Protection (SDP) Program.

What is the Mastercard SDP?

Just like other card providers, a large part of Mastercard’s requirements is making sure you’re complying with all aspects of PCI DSS — A set of guidelines and regulations on taking payment, securing information, and protecting your systems. If you’re not already familiar with it, be sure to check out our article on PCI compliance.

Mastercard’s SDP program is comprised of various rules, best practices, and compliance tools to ensure compliance with PCI. Mastercard states that the program is intended to help customers, businesses, and providers protect against data breaches, enhances consumer confidence, and helps protect the integrity of the card payment ecosystem.

But what does it actually mean for you?

Once you’ve ensured that you’re meeting PCI DSS standards, you’ll need to make sure you’re compliant with Mastercard’s Site Data Protection program. In this article, we’ll break it down into easily understandable steps.

Find Out What “Level” You Are

Mastercard decides what you need to do based on the “level” it assigns to your business, called the “merchant level.” Levels run from 1 (highest) to 4 (lowest). The higher your level, the more you’ll need to do for the SDP. Mastercard levels may overlap with Visa levels, but be sure to check all the requirements. Here are the factors to help decide what level you are.

Level 1 Merchants

You are a level 1 merchant if one or more of the following are true:

• Credit card or account data you hold has been hacked, attacked, or compromised.
• You’ve processed more than six million Maestro and Mastercard transactions in the last year.
• Visa has determined you are a level 1 merchant. (Check your Visa level.)
• Mastercard assigns you the status of level 1 merchant.

Level 2 Merchants

You are a level 2 merchant if one or more of the following are true:

• You’ve processed more than one million but fewer than six million Maestro and Mastercard transactions in the last year.
• Visa has determined you are a level 2 merchant.

Level 3 Merchants

You are a level 3 merchant if one or more of the following are true:

• You’ve processed more than 20,000 but fewer than one million Maestro and Mastercard ecommerce transactions in the last year.
• Visa has determined you are a level 3 merchant.

Level 4 Merchants

If you don’t meet any of the criteria above, you’re considered a level 4 merchant.

While we’ve provided these level outlines as a guide, Mastercard has stated that deciding your merchant level can raise questions. They recommend you contact your bank and ask for assistance.

Here’s what Mastercard needs you to do, based on your merchant level. Links below the chart also provide more information on each requirement.

Qualified Security Assessor

PCI Self-Assessment
Approved Scan Vendor

Once you know what you need to do for the Mastercard Site Data Protection Program, you’ll need to contact an approved vendor to carry out the requirements and go through the validation process. Then, after you’re verified as compliant, let your bank know and they will confirm your compliance to Mastercard.

Useful Resources and Further Information

• Complete information on PCI DSS.