Mastercard will mandate a risk management program for Level 3 merchants

By Alba Huerga
2 Jul 2024

The growing wave of cyber-attacks worldwide has put individuals, companies, banks and credit card companies on alert. Mastercard is the latest to tighten policies and regulations related to payments.

According to data compiled by Statista, Mastercard is the fourth largest payment processor in the world, behind VISA, Apple Pay and Alipay, and processes close to five trillion dollars in payments a year. 

In 2006, this multinational payment card services company, together with the other major card brands (Visa, American Express, Discover and JCB), took the Payment Card Industry Data Security Standard (PCI DSS), first released in 2004, under joint governance.

To do so, they founded the Payment Card Industry Security Standards Council (PCI SSC), a global forum that brings together entities that store, transmit or process cardholder data to develop and drive the adoption of data security standards and resources for secure payments.

At the same time, Mastercard launched the Site Data Protection (SDP) Program, a proprietary program that offers standards, guidelines, best practices and compliance validation tools to promote comprehensive PCI DSS compliance among the merchants and service providers that handle Mastercard cardholder data.

This program categorizes merchants with more than 20,000 but less than or equal to one million total combined e-commerce transactions per year (Mastercard and Maestro) as Level 3 merchants, and requires them to validate their PCI DSS compliance with Mastercard in order to comply with the SDP Program.

Thus, twice a year, on March 31 and September 30, acquirers are required to submit the SDP Acquirer Submission and Compliance Status Form (SDP Form) to Mastercard to report on the PCI DSS compliance validation status of their Level 3 merchants.

Over the past few years, Mastercard has remained steadfast in its goal to elevate the security of the payments ecosystem. That is why it has now announced a new requirement that will affect the entire payment chain.

Mastercard will add an additional field on the semi-annual SDP form

Under the current SDP program, acquirers report individual PCI DSS validation of Level 3 merchants via the semi-annual SDP form. 

However, acquirers will now be required to assure Mastercard that they have a risk management program in place to identify and manage payment security risk within their Level 3 (e-commerce) merchants.

To support this new requirement, Mastercard is adding a data field (Yes or No) to the SDP form. Acquirers must complete it to certify that they have such a risk program in place for their Level 3 merchant portfolio.

Acquirers must complete the new data field on the SDP form by the September 30, 2024 reporting deadline.

What are the minimum requirements for the Level 3 merchant risk management program?

Mastercard has provided customers with a brief guide outlining the minimum requirements for acquirers wishing to implement a Level 3 merchant risk management program by September 30, 2024. 

Among the minimums outlined by the card network are the following items:

Communicate PCI DSS requirements

In order to implement a risk management program, acquirers need to periodically communicate PCI DSS compliance requirements to their Level 3 merchants. This formal communication can be done through emails, letters, brochures, newsletters, contracts, account statements and similar channels.


PCI DSS in Payment Applications or Software 

Payment applications or payment software used by Level 3 merchants must be validated against the applicable PCI software standard.

Level 3 merchants using payment applications or payment software provided by third parties must verify that each product is listed on the PCI SSC website as validated under the PCI Payment Application Data Security Standard (PA-DSS) or the PCI Secure Software Standard, as applicable. Note that PA-DSS was retired in October 2022, so new applications are validated under the Secure Software Standard; a merchant checking a vendor's claim should confirm the listing is still current rather than relying on an expired PA-DSS validation.


PCI DSS for Service Providers

Acquirers must ensure that their Level 3 merchants use only PCI DSS compliant service providers. 

It is critical to remember that Mastercard's list of registered PCI DSS compliant service providers is updated monthly. It only includes providers that have registered with Mastercard and have successfully completed a PCI DSS assessment conducted by a Qualified Security Assessor (QSA) qualified by the PCI Security Standards Council (SSC). A provider that is absent from the list is not necessarily non-compliant, but its compliance status must then be verified another way, for example by obtaining its Attestation of Compliance (AOC).

Alongside these requirements, the brief guide notes that if an acquirer already has a risk management program that meets Mastercard's requirements, it is not necessary to modify the content of its current program.

Undoubtedly, this new requirement will push both acquirers and Level 3 merchants to move faster on cybersecurity and PCI DSS compliance. In the coming months, acquiring banks will begin to ask these merchants for their compliance status through the submission of the corresponding Attestation of Compliance (AOC) and Self-Assessment Questionnaire (SAQ).

In these cases, one way for these small businesses to professionalize their threat identification and management processes and comply with PCI DSS is to partner with a specialized cybersecurity company.

Are you a Level 3 merchant and have never heard of this validation requirement? Contact us at [email protected] to get your compliance program under way and demonstrate PCI DSS compliance to your acquiring bank.
