Getting MasterCard Compliant Person Image

Getting MasterCard Compliant

The dawn of the Internet in the 1990s put a tremendous amount of information at the fingertips of the average individual. And while the information age has been a time of great opportunity, it is also fraught with peril. In less than 20 years, fraud and identity theft have become major concerns worldwide, creating a tremendous impact on the payment card industry.

A Short History of Data Protection


To combat the increasing threats posed by hackers, MasterCard joins forces with Visa to better protect the most valuable commodity of the new millennium – information. Together, the two companies create the Payment Card Industry Data Security Standards (PCI DSS).


The effectiveness of the PCI DSS has become increasingly apparent. The other major credit card companies (Discover, American Express and JBL International) join MasterCard and Visa in establishing a governing body to oversee the standards, giving birth to the PCI Security Standards Council.


MasterCard continues to value the PCI DSS as the gold standard in data security, and to that end requires all merchants who accept MasterCard to be PCI compliant. Since the creation of the PCI SSC, MasterCard has established its own internal program to support the work of the council and encourage compliance.

The PCI DSS were the first bylaws to regulate the security of sensitive information including

  • credit card numbers
  • expiration dates
  • names
  • addresses

SDP and PCI Compliance

MasterCard believes that the best way to protect against a data security breach is to protect credit card processing systems by identifying and fixing vulnerabilities in security processes and procedures. To that end, it has established the Site Data Protection (SDP) program, which requires that merchants demonstrate PCI compliance using three essential tools.

Self-Assessment Questionnaire (SAQ)

The SAQ is a practical and effective instrument for determining whether your business is PCI compliant. The SAQ will lead you step by step through a complex inquiry process to determine how well you are meeting the data security standards. If you are not in compliance, the SAQ will provide you with recommendations on how you can get compliant. Learn more about the compliance SAQ.

Onsite Risk Assessment

Also known as a compliance audit, onsite risk assessment is designed to help you examine your credit card processing systems and identify vulnerabilities to prevent data from being compromised. Because of the sensitive nature of credit card data, a compliance audit must be conducted by a qualified security assessor approved by the PCI SSC. Learn more about compliance auditing.

Compliance Scanning

One of the best ways to maintain security at the highest levels is to test it regularly.  PCI scans look for vulnerabilities in your networks, applications, databases and other systems that could leave you open to attack and potentially lead to a data security breach. Compliance scans can only be conducted by an approved scanning vendor. Learn more about compliance scanning.

4 steps to SDP compliance

To make compliance easier, MasterCard has established a simple, 4-step process for becoming SDP compliant.

1.  Identify your merchant level

PCI DSS outlines four levels of merchants, based on annual volume of payment transactions and potential risk. Learn more about the four levels of PCI Compliance.

2 . Review the compliance validation tools

Familiarize yourself with the three basic tools for compliance (listed above): the SAQ, compliance auditing and compliance scanning.

3. Engage an approved vendor

Due to the sensitive nature of credit card data, only a qualified security assessor is allowed to administer a compliance audit and, if necessary,  compliance scans must be conducted by an approved scanning vendor.

4. Register

Once you have successfully completed the compliance process and received all supporting documentation, have your merchant services provider register you with MasterCard.  You must renew your registration annually, which means you must continue to maintain compliance.

The information on this page is not intended to be a source of legal advice. Therefore, you should not rely on the information provided herein as legal advice for any purpose, and should always seek the legal advice of competent counsel in your jurisdiction.