
MasterCard Site Data Protection (SDP) Program

In document Information about this Update (Page 166-169)


5 Excerpts from Security Rules and Procedures

10.5 MasterCard Site Data Protection (SDP) Program


The MasterCard Site Data Protection (SDP) Program is designed to encourage members, merchants, Third Party Processors (TPPs), and Data Storage Entities (DSEs) to protect against account data compromises. SDP facilitates the identification and correction of vulnerabilities in security processes, procedures, and Web site configurations. For the purposes of the SDP Program, TPPs and DSEs are collectively referred to as “Service Providers” in this chapter.

Acquirers must implement the MasterCard SDP Program by ensuring that their merchants and Service Providers are compliant with the Payment Card Industry Data Security Standard in accordance with the implementation schedule defined in section 10.5.5. Going forward, the Payment Card Industry Data Security Standard will be a component of SDP; the Payment Card Industry Data Security Standard sets forth security standards that MasterCard hopes will be adopted as industry standards across the payment brands. A member that complies with the SDP Program requirements may qualify for a reduction, partial or total, of certain costs or assessments if the member, a merchant, or a Service Provider is the source of an account data compromise. Refer to section 10.2.3 of this manual for requirements on the use of wireless local area network (LAN) technology by members, merchants, and Service Providers.

Definition Data Storage—The temporary or permanent retention of MasterCard account data in any form (including logs) for subsequent processing, retrieval, or other use.

MasterCard has sole discretion to interpret and enforce the SDP Program Standards.

Definition Data Storage Entity (DSE)—An entity other than a member, merchant, or MSP that stores, transmits, or processes MasterCard account data for or on behalf of a member, merchant, or MSP. Examples of DSEs include, but are not limited to, Web hosting companies, payment gateways, terminal drivers, and processors.


10.5.1 Payment Card Industry (PCI) Data Security Standard

The Payment Card Industry Data Security Standard establishes data security requirements. Compliance with the Payment Card Industry Data Security Standard is required for all issuers, acquirers, merchants, Service Providers, and any other person or entity a member permits, directly or indirectly, to store, transmit, or process account data. MasterCard requires validation of compliance only for those entities specified in the SDP Program implementation schedule in section 10.5.5.

The PCI Data Security Standard and other SDP Program manuals are available in the Member Publications product of MasterCard OnLine®, as well as on the MasterCard SDP Program Web site at https://sdp.mastercardintl.com.

10.5.2 Compliance Validation Tools

As defined in the implementation schedule in section 10.5.5, merchants and Service Providers must validate their compliance with the Payment Card Industry Data Security Standard by using the following tools:

• On-site Reviews—The onsite review evaluates merchant or Service Provider compliance with the Payment Card Industry Data Security Standard. Onsite reviews are an annual requirement for Level 1 merchants and for Level 1 and 2 Service Providers. Merchants may use an internal auditor or independent assessor recognized by MasterCard as acceptable. Service Providers must use an acceptable third-party assessor as defined on the SDP Program Web site. Onsite reviews must be conducted in accordance with the Payment Card Industry Security Audit Procedures manual.

• The Payment Card Industry (PCI) Self-assessment Questionnaire—The PCI Self-assessment Questionnaire is available at no charge on the MasterCard SDP Program Web site. To be compliant, each Level 2, 3, and 4 merchant, and each Level 3 Service Provider must generate acceptable ratings on an annual basis.

• Network Security Scan—The network security scan evaluates the security measures in place at a Web site. To fulfill the network scanning requirement, all Level 1 to 3 merchants and all Service Providers, as required by the implementation schedule, must conduct scans on a quarterly basis using a vendor listed on the SDP Program Web site. To be compliant, scanning must be conducted in accordance with the guidelines contained in the Payment Card Industry Security Scanning Procedures manual.


10.5.3 Vendor Compliance Testing

As part of the MasterCard SDP Program, MasterCard provides a vendor compliance testing process for vendors that provide network scanning services. Technical requirements for network scanning vendors are provided in the Payment Card Industry Security Scanning Procedures. For more information about this service, acquirers should visit the MasterCard SDP Program Web site at https://sdp.mastercardintl.com.

At this Web site, MasterCard will also post a listing of all acceptable onsite assessors for the purposes of meeting the onsite review requirement.

10.5.4 Acquirer Compliance Requirements

To ensure compliance with the MasterCard SDP Program, an acquirer must:

• For each Level 1, Level 2, and Level 3 merchant, submit a quarterly status report via an e-mail message to [email protected] using the form provided on the SDP Program Web site. The report must include:

− The name and primary address of the merchant

− The name and phone number of the primary contact for the merchant

− The merchant identification number of the merchant

− The name of each Service Provider that stores MasterCard account data on the merchant’s behalf

− The number of transactions that the acquirer processed for the merchant during the previous 12-month period

− The merchant’s level under the implementation schedule provided in section 10.5.5 of this manual

− The names of any assessor, auditor, or vendor engaged to conduct an onsite review or network security scan as described in section 10.5.2 of this manual, and the expected completion dates of any reviews or security scans

− The date on which the merchant most recently completed the PCI Self-assessment Questionnaire


− The date on which the acquirer most recently registered the merchant as SDP compliant using the MasterCard Registration Program (MRP), as described in section 10.5.6 of this manual

• Communicate the SDP Program requirements to each Level 1, Level 2, and Level 3 merchant, and validate the merchant’s compliance with the Payment Card Industry Data Security Standard by reviewing its PCI Self-assessment Questionnaire and the Reports on Compliance (ROC) that resulted from network security scans and onsite reviews of the merchant, if applicable.

• Communicate the SDP Program requirements to each Level 1 and Level 2 Service Provider, and ensure that merchants use only compliant Service Providers.

• Register merchants affected by the implementation schedule in accordance with the registration requirements detailed in section 10.5.6.

10.5.5 Implementation Schedule

All onsite reviews, network security scans and self-assessments must be conducted according to the guidelines in section 10.5.2. For purposes of the SDP Program, Service Providers in this section refer to TPPs and DSEs.
