Skip to Content

How to determine service provider level and validation requirements

All third-party processors (TPPs) are considered Level 1 Service Providers. Data Storage Entities (DSEs) are categorized as Level 1 or Level 2 service providers based on annual Mastercard transaction volume.

Mastercard requires all service providers to be PCI compliant


  • Based on level, review the service provider validation requirements and engage an Approved Scanning Vendor (ASV) or Qualified Security Assessor (QSA) as necessary.
  • Once compliant, submit a signed Attestation of Compliance (AOC); or for those SAQ eligible, please submit the SAQ D AOC and latest clean scan to Mastercard.
Please note: Mastercard will list only those service providers that also are registered and approved as a Member Service Provider (MSP) with the Mastercard Registration Program (MRP) and those that also have successfully completed an annual onsite assessment.
  1. All Level 1 service providers must complete an annual onsite assessment conducted by a PCI SSC certified QSA.
  2. Quarterly network scans must be conducted by a PCI SSC ASV.