In-flight Commerce Terminals/Level 5 Excerpts from Security Rules and Procedures (published July 200)
10.5 MasterCard Site Data Protection (SDP) Program
The MasterCard Site Data Protection (SDP) Program is designed to encourage members, merchants, Third Party Processors (TPPs), and Data Storage Entities (DSEs) to protect themselves and all participants in the system against the threat of account data compromises. SDP facilitates the identification of vulnerabilities in security processes, procedures, and Web site configurations. Acquirers must implement the MasterCard SDP Program by ensuring that their merchants, TPPs, and associated DSEs are compliant with the Payment Card Industry (PCI) Data Security Standard in accordance with the implementation schedule defined in section 10.5.5. Going forward, the PCI Data Security Standard will be a component of SDP; the PCI Data Security Standard sets forth security standards that MasterCard hopes will be adopted as industry standards across the payment brands.
A member that complies with the SDP Program requirements may qualify for a reduction, partial or total, of certain costs or assessments if the member, a merchant, a TPP, or a DSE is the source of an account data compromise. Refer to section 10.2.3 of this manual for requirements on the use of wireless local area network (LAN) technology by members, merchants, TPPs, and DSEs.
Definition: Data Storage—The temporary or permanent retention of MasterCard account data in any form (including logs) for subsequent processing, retrieval, or other use.
MasterCard has sole discretion to interpret and enforce the SDP Program Standards.
Definition: Data Storage Entity (DSE)—An entity other than a member, merchant, or MSP that stores, transmits, or processes MasterCard account data, transaction data, or both on behalf of a member, merchant, or MSP. Examples of DSEs include, but are not limited to, Web hosting companies, payment gateways, terminal drivers, software providers, and processors.
10.5.1 Payment Card Industry (PCI) Data Security Standard
The MasterCard SDP Program establishes data security requirements and best practices specified in the PCI Data Security Standard. The PCI Data Security Standard is applicable to every member and other person or entity a member permits, directly or indirectly, to access or store account data. The PCI Data Security Standard manuals are available in the Member Publications product of MasterCard OnLine®, as well as on the MasterCard SDP Program Web site at https://sdp.mastercardintl.com.
10.5.2 Security Evaluation Tools
As defined in the implementation schedule in section 10.4.2, merchants, TPPs, and DSEs must use the following evaluation tools:
• On-site Reviews—The onsite review evaluates a merchant’s, TPP’s, or DSE’s compliance with the PCI Standard. Onsite reviews are an annual requirement for Level 1 merchants and for Level 1 and 2 service providers. Merchants may use an internal auditor or independent assessor recognized by MasterCard as acceptable. TPPs and DSEs must use an acceptable third-party assessor as defined on the SDP Program Web site.
• The Security Self-assessment—The Security Self-assessment is a questionnaire available at no charge on the MasterCard SDP Program Web site. To be compliant, each Level 2, 3 and 4 merchant, and each Level 3 DSE must generate acceptable ratings on an annual basis.
• Network Security Scan—The network security scan evaluates the security measures in place at a Web site. To fulfill the network scanning requirement, all Level 1 to 3 merchants, all TPPs, and all DSEs as required by the implementation schedule must conduct scans on a quarterly basis using a vendor listed on the SDP Program Web site. To be compliant, scanning must be conducted in accordance with the guidelines contained in the PCI Data Security Standard documents and the Security Scanning Requirements for Vendors manual.
10.5.3 Vendor Compliance Testing
As part of the MasterCard SDP Program, MasterCard provides a vendor compliance testing process for vendors that provide network scanning services. Technical requirements for network scanning vendors are provided in the Payment Card Industry Security Scanning Procedures. For more information about this service, acquirers should visit the MasterCard SDP Program Web site.
At this Web site, MasterCard will also post a listing of all acceptable onsite assessors for the purposes of meeting the onsite review requirement.
10.5.4 Acquirer Compliance Requirements
To ensure compliance with the MasterCard SDP Program, an acquirer must:
• Submit to the attention of the MasterCard Site Data Protection Department or e-mail to [email protected] by 31 December of the previous calendar year:
− A list of all merchants, TPPs, and DSEs that must comply with the PCI Data Security Standard during each phase of the SDP Program mandate.
For each merchant, TPP, and DSE, acquirers must provide:
− The name and primary address of each merchant, TPP, and DSE
− The merchant identification number for each merchant
− For each merchant, the name of each TPP and DSE that stores MasterCard account data on the merchant’s behalf
− For each merchant, the number of transactions processed during the previous 12-month period
• Deploy an SDP security compliance program for all applicable merchants, TPPs, and DSEs in accordance with the implementation schedule detailed in section 10.5.5
• Ensure that merchants, TPPs, and DSEs comply with the requirements of the security evaluation tools detailed in section 10.5.2
• Register merchants, TPPs, and DSEs affected by the implementation schedule in accordance with the registration requirements detailed in