
What third-party processors and data storage entities need to know

Find out more about your role in PCI compliance

 

How to determine service provider level and validation requirements

All third-party processors (TPPs) are considered Level 1 Service Providers. Data Storage Entities (DSEs) are categorized as Level 1 or Level 2 Service Providers based on annual Mastercard transaction volume.

 

Mastercard requires all service providers to be PCI-compliant

  • Based on level, review the Service Provider validation requirements and engage an Approved Scanning Vendor (ASV) or Qualified Security Assessor (QSA) as necessary.

  • Once compliant, submit a signed Attestation of Compliance (AOC); those that are SAQ eligible should submit the SAQ D AOC and latest clean scan to Mastercard.

  • If not yet compliant, the PCI Action Plan for Service Providers should be completed and submitted to Mastercard.

Please note: Mastercard will only list those Service Providers that also are registered and approved as a Member Service Provider (MSP) with the Mastercard Registration Program (MRP) and those that also have successfully completed an annual onsite assessment.

 

Site Data Protection Service Provider Levels

 
Level 1
  Criteria:
    • All Third Party Processors (TPPs)
    • All Data Storage Entities (DSEs) with more than 300,000 total combined Mastercard and Maestro transactions annually
  Requirements:
    • Annual Onsite Assessment conducted by a QSA¹
    • Quarterly Network Scan conducted by an ASV²

Level 2
  Criteria:
    • All DSEs with 300,000 or fewer total combined Mastercard and Maestro transactions annually
  Requirements:
    • Annual Self-Assessment
    • Quarterly Network Scan conducted by an ASV²

 

1. All Level 1 Service Providers must complete an annual onsite assessment conducted by a PCI SSC certified QSA.
2. Quarterly network scans must be conducted by a PCI SSC ASV.



 

 

How to register as a service provider 

Mastercard requires all principal member bank(s) or financial institution(s) to submit a service provider registration on behalf of themselves and their affiliates via the MRP database (not required if the principal member is only providing services to themselves or their affiliates). Should a service provider have a direct relationship with one or more banks, they should contact each bank to submit a registration on their behalf. 

 

Requesting Access to the Business Administration Tool

  1. Contact customer_support@mastercard.com
  2. Request access to the Business Administration (BA) Tool. 
  3. Customer support will grant access to the BA Tool via Mastercard Connect™, our secure portal. 

 

Registration Process

  1. Log in to Mastercard Connect and select “Business Administration Tool.”
  2. Navigate to Business Administration/Register & Provision a Company.
  3. Request to Provision a Company.  
  4. Click to Provision & Manage Your Service Provider. 
  5. Click on “Create new registration” if the entity is not already registered.
  6. Add Service Provider name and address. 
  7. Click on “Next” and complete contact details.  
  8. Enter Principal (bank) and Primary (SP) contact information. 
  9. Select Program Services in “Services” and “Store” detail sections (select the services the SP will be providing to the customer).
  10. Do not click on “save as draft” at any time during the submission process. 
  11. Select “Data” and choose ICA number specific to the registration and Program (this must be done for each service selected).  
  12. Click “Next”. 
  13. Click “Accept” in the “Customer Certification” section. 
  14. The registration submission process should now be complete and an SPR registration number will be assigned. 
  15. The registration will show a status of “Pending-Approval.”  

Note: The customer bank must provide the SPR number so the registration can be reviewed for approval. Once the registration has been submitted, we will review and finalize the approval if all required information has been provided. The approval timeframe is approximately five to seven business days. 

Please note the registration process is separate to the submission of PCI Compliance documentation and must be completed by a member bank prior to the service provider registration being approved. All PCI Compliance documents must be submitted to Mastercard

To be listed as a Compliant Service Provider, service providers need to be both registered and approved as an MSP and must have successfully completed an annual onsite assessment conducted by a PCI SSC certified QSA.

If you have questions, please contact the Service Provider team at member_service_provider@mastercard.com.