How to determine service provider level and validation requirements
All third-party processors (TPPs) are considered Level 1 Service Providers. Data Storage Entities (DSEs) are categorized as Level 1 or Level 2 service providers based on annual Mastercard transaction volume.
Mastercard requires all service providers to be PCI compliant
Based on level, review the service provider validation requirements and engage an Approved Scanning Vendor (ASV) or Qualified Security Assessor (QSA) as necessary.
Once compliant, submit a signed Attestation of Compliance (AOC) or, if SAQ eligible, the SAQ D AOC and latest clean scan to Mastercard.
Please note: Mastercard will list only those service providers that are also registered and approved as a Member Service Provider (MSP) with the Mastercard Registration Program (MRP) and that have also successfully completed an annual onsite assessment.
All Level 1 service providers must complete an annual onsite assessment conducted by a PCI SSC certified QSA.
Quarterly network scans must be conducted by a PCI SSC ASV.