It’s vital you have the information you need to stay compliant when you’re processing credit card payments. Part of this is ensuring you meet the requirements of the various credit card issuers like Visa, AMEX, and MasterCard. In this article we’ll be exploring credit cards issued by MasterCard and governed by the MasterCard Site Data Protection (SDP) Program.
What is the MasterCard SDP?
Just like other card providers, a large part of MasterCard’s requirements is making sure you comply with all aspects of PCI DSS, a set of guidelines and regulations on taking payment, securing information, and protecting your systems. If you’re not already familiar with it, be sure to check out our article on PCI compliance.
Once you’ve checked you’re meeting PCI DSS standards, you’ll need to make sure you’re compliant with MasterCard’s Site Data Protection program. In this article, we’ll break it down into easily understandable steps.
Find Out What “Level” You Are
MasterCard decides what you need to do based on the “merchant level” it assigns to you. Levels run from 1 (highest) to 4 (lowest). The higher your level, the more you’ll need to do for the SDP. MasterCard levels may overlap with Visa levels, but be sure to check all the requirements. Here are the factors that help decide what level you are.
Level 1 Merchants
You are a level 1 merchant if one or more of the following are true:
- Credit card or account data you hold has been hacked, attacked, or compromised.
- You’ve processed more than six million Maestro and MasterCard transactions in the last year.
- Visa has determined you are a level 1 merchant. (Check your Visa level.)
- MasterCard assigns you the status of level 1 merchant.
Level 2 Merchants
You are a level 2 merchant if one or more of the following are true:
- You’ve processed more than one million but fewer than six million Maestro and MasterCard transactions in the last year.
- Visa has determined you are a level 2 merchant.
Level 3 Merchants
You are a level 3 merchant if one or more of the following are true:
- You’ve processed more than 20,000 but fewer than one million Maestro and MasterCard ecommerce transactions in the last year.
- Visa has determined you are a level 3 merchant.
Level 4 Merchants
If you don’t meet any of the criteria above, you’re considered a level 4 merchant.
While we’ve provided these level outlines as a guide, MasterCard says that deciding your merchant level can raise questions. They recommend you contact your bank and ask for assistance.
Here’s what MasterCard needs you to do, based on your merchant level. Links below the chart also provide more information on each requirement.
- Qualified Security Assessor
- Self-Assessment
- Approved Scan Vendor
Once you know what you need to do for the MasterCard Site Data Protection Program, you’ll need to contact an approved vendor to carry out the requirements and go through the validation process. Then, after you’re verified as compliant, let your bank know and they will confirm your compliance to MasterCard.
Useful Resources and Further Information
- Online training courses and resources on PCI DSS and MasterCard cardholder security.
- Complete information on PCI DSS