Frequently Asked Questions
Please choose from one of the topics below to quickly access answers to your specific questions.
Mastercard Compliance Validation Exemption Program (C-VEP)
C-VEP stands for Compliance and Validation Exemption Program. It is an optional program under Mastercard's Cybersecurity Incentive Program (CSIP) that allows eligible Level 3 and Level 4 merchants to be exempt from:
- Complying with the PCI Data Security Standard (PCI DSS)
- Annually validating PCI DSS compliance to Mastercard
Eligible merchants must meet the following criteria:
- Is classified as a Level 3 or Level 4 merchant:
  - Level 3: 20,000 to 1 million combined Mastercard and Maestro e-commerce transactions annually
  - Level 4: Fewer than 1 million card-present transactions annually and fewer than 20,000 e-commerce transactions annually
- Does not store sensitive authentication data as defined by Mastercard's Security Rules & Procedures.
- Has had no account data compromise (ADC) incidents or potential incidents identified by Mastercard within the past 3 years.
- Has established and annually tests an incident response plan.
- Utilizes a suite of cybersecurity and risk management tools provided by the acquirer as defined by Mastercard's Security Rules and Procedures.
- Reduced compliance burden - no annual PCI DSS validation
- Cost savings on third-party audits and compliance tools
- Encourages modern cybersecurity practices
No, C-VEP is a voluntary program under Mastercard. Merchants not participating in this program must continue to comply with Mastercard's Site Data Protection (SDP) Program.
- Level 3 or 4 classification
- Use of approved secure technology (e.g., P2PE, tokenization, validated payment terminals)
- Enrollment in an approved C-VEP program (including cybersecurity, identity protection, and fraud monitoring)
- Clean breach history
Refer to Mastercard's official C-VEP Program Overview – April 2025.