MasterCard’s Site Data Protection (SDP) Program

MasterCard’s Site Data Protection (SDP) Program is designed to ensure that payment processors, merchants and third party service providers take adequate measures to protect against account data compromises. It is the responsibility of processing banks to ensure that their merchants implement the SDP program. Implementation is achieved through compliance with the Payment Card Industry Data Security Standard (PCI DSS).

Merchants and service providers must validate their compliance with PCI DSS by using the following tools:

• On-site reviews. On-site reviews are an annual requirement for Level 1 merchants and for Level 1* and 2* Service Providers. Merchants can use an internal auditor or independent assessor recognized by MasterCard as acceptable. Service providers must use an acceptable third-party assessor. Both Visa and MasterCard have published lists with authorized third-party assessors.
• The Payment Card Industry (PCI) Self-Assessment Questionnaire. The PCI Self-Assessment Questionnaire is available on PCI Security Standards Council’s website. To be compliant, each Level 2*, 3*, and 4* merchant, and each Level 3* service provider must generate acceptable ratings on an annual basis.
• Network security scan. The network security scan evaluates the security measures in place at a website. To fulfill the network scanning requirement, all Level 1* to 3* merchants and all service providers must conduct scans on a quarterly basis using an authorized vendor.

  * Merchant level definitions for PCI certification.
  

  Merchant Level	Definition
  Level 1	Level 1 are merchants processing over 6million Visa or MasterCard transactions per year.
  Level 2	Level 2 are merchants processing from 150,000 to 6 million Visa or MasterCard transactions per year.
  Level 3	Level 2 are merchants processing from 150,000 to 6 million Visa or MasterCard transactions per year.
  Level 4	Level 4 are all merchants not included in Levels 1, 2 or 3.

As part of the SDP Program, processing banks send quarterly reports for each Level 1, Level 2, and Level 3 merchant to MasterCard, which include the following information:

• The name and primary address of the merchant.
• The name and phone number of the primary contact for the merchant.
• The merchant’s identification number with the processor.
• The name of each service provider that stores card account data on the merchant’s behalf.
• The number of transactions that the processing bank processed for the merchant during the previous 12-month period.
• The merchant’s level under the implementation schedule.
• The names of any assessor, auditor, or vendor engaged to conduct an on-site review or network security scan, and the expected completion dates of any reviews or security scans.
• The date on which the merchant most recently completed the PCI Self-Assessment Questionnaire.
• The date on which the processor most recently registered the merchant as SDP compliant.

Processors are required to communicate all SDP Program requirements to each Level 1, Level 2, and Level 3 merchant.

Beginning July 1, 2012, a new Payment Application Data Security Standard (PA DSS) Program will take effect to specifically address common vulnerabilities that have been identified as main causes in credit card data breaches. PA DSS updates the standards for vendors of third party payment applications and the Credit Card Associations will enforce compliance, so make sure your service providers have passed the tests.

Image credit: Flickr / Asthma Helper, aekwonweirdo.