Discover Information Security & Compliance
Implement best practices. Secure data. Protect your brand.

Data security is a top priority for Discover Network. The Discover Information Security & Compliance (DISC) program was developed to implement and maintain efficient data security requirements and procedures for its constituents and promote the adoption of secure transaction processing of cardholder data on the Discover Network.


As part of this ongoing initiative, Discover Network partnered with other major payment card brands to form the Payment Card Industry Security Standards Council, LLC ("PCI SSC"). The PCI SSC was launched on September 7, 2006 to manage the ongoing evolution of the Payment Card Industry ("PCI") security standards, which focus on improving payment account security throughout the transaction process. Discover Network is firmly committed to the PCI security standards as the industry data protection standards for the payment card industry. The DISC program is designed to promote compliance to the requirements of the PCI security standards by helping you safeguard cardholder data and limit data compromises.


Data Security Roles

PCI SSC:
  • Develops the PCI security standards.
  • Maintains a list of approved Qualified Security Assessors and Approved Scanning Vendors.
  • Promotes awareness and adoption of PCI standards.

Discover Network:
  • Determines which entities must be compliant.
  • Determines the requirements for validating and reporting compliance.
  • Enforces compliance.
  • Responds to account data compromises.

Data Security Responsibilities

Organizations that process, store or transmit Discover Network Cardholder data are responsible for:
  • Complying with Discover Network's Security Requirements, including PCI DSS.
  • Reporting on compliance status to Discover Network according to the applicable reporting requirements.

For More Information
To learn more about the DISC program, please contact us.

For more information on the PCI SSC and the PCI DSS, please visit: https://www.pcisecuritystandards.org/

Details Specific to Service Providers

Data Security is a top priority for Discover Network. To that end, Discover Network is committed to supporting the Payment Card Industry Data Security Standard (“PCI DSS”) as the security requirement for entities that process, store or transmit Discover Network cardholder data. As a service provider to Discover Network Merchants, we require that your organization complies with the PCI Data Security Standard at all times.

All service providers that process, store or transmit Discover Network cardholder data are required to report their compliance status to Discover Network on an annual basis. In order to validate and report their compliance status to Discover Network, service providers must complete and submit one of the following:

On-site assessment:

Service providers that completed an on-site assessment using PCI DSS v1.2 are required to submit Appendix E of the PCI DSS Requirements and Security Assessment Procedures v1.2: Attestation of Compliance - Service Providers, as well as the Executive Summary of the Report on Compliance (ROC).
Note: Discover Network requires service providers that are not fully compliant with the PCI DSS to also complete the "Action Plan for Non-Compliant Status" section of the Attestation of Compliance.¹

Service providers that completed an on-site assessment using PCI DSS v1.1 are required to submit the DISC Attestation of Compliance form. Please note: all assessments that commence after January 1, 2009 must use PCI DSS v1.2.


Self-Assessment:

Service providers that perform a self-assessment are required to complete PCI DSS Self-Assessment Questionnaire D and submit the Service Provider Version of the Attestation of Compliance. Note: Discover Network requires service providers that are not fully compliant with the PCI DSS to also complete the "Action Plan for Non-Compliant Status" section of the Attestation of Compliance.¹

All compliance reports must be submitted by December 31 for the current year* to Discover Network via one of the following methods:

  • Hardcopy: DFS Services LLC, Discover Network - Data Security, 2500 Lake Cook Road, Riverwoods, IL 60015

  • Electronic Copies may be submitted to DISCCompliance@discover.com. Please send an email to DISCCompliance@discover.com to request a PGP public key or set up a secure email connection.

¹ Submission of an action plan to Discover Network shall not be deemed a waiver by Discover Network of its rights under any applicable agreement or operating regulations. Discover Network reserves the right to request a full copy of a merchant’s Report on Compliance (ROC) or Self Assessment Questionnaire (SAQ) at any time and the service provider must comply with such a request promptly.


*Example: Service providers must submit their 2009 compliance status by December 31, 2009. The report must have been completed for the calendar year of 2009.

In addition to requiring compliance to the PCI Data Security Standard, Discover Network supports the launch of the Payment Application Data Security Standard (PA-DSS) and strongly recommends that service providers and their agents use payment applications that have been validated as compliant with the PCI Payment Application Data Security Standard (PA-DSS).

For more information regarding PA-DSS, please visit the PCI SSC website.


Details Specific to Acquirers

Data Security is a top priority for Discover Network. To that end, Discover Network works with acquirers to administer the DISC program and help secure the payment card transaction process. As part of our ongoing security initiatives, Discover Network has developed specific data security requirements for acquirers.

Acquirer’s Compliance:
All acquirers that process, store or transmit Discover Network cardholder data are required to report their compliance status to Discover Network, as a service provider, on an annual basis. Please refer to the Compliance Validation and Reporting Requirements for Service Providers for information on how to validate and report your compliance to Discover Network as a service provider.


Acquirer’s Merchant Portfolio Compliance:
Acquirers are required to submit a report of their merchant portfolio’s compliance to Discover Network twice per year in accordance with the calendar below. It is the responsibility of the acquirer to ensure that its merchants are following the appropriate Discover Network requirements for validating and reporting their compliance status. Please refer to the Merchant Level and Compliance Validation Requirements table in the Merchants section for the required validation and reporting requirements. Discover Network requests that acquirers use the DISC Acquirer Portfolio Compliance Status Submission Form when submitting their merchant portfolio compliance status; this form is required for validating and reporting the compliance status of your merchants.


Please consult the calendar below for compliance reporting deadlines.


Acquirer Compliance Reporting Calendar

The DISC Acquirer Portfolio Compliance Status Submission Form is submitted semi-annually and must be received no later than:
  • June 30
  • December 31

In addition to requiring compliance to the PCI Data Security Standard, Discover Network supports the launch of the Payment Application Data Security Standard (PA-DSS) and strongly recommends that acquirers ensure their merchants, service providers and agents use payment applications that have been validated as compliant with the PCI Payment Application Data Security Standard (PA-DSS).

For more information regarding PA-DSS, please visit the PCI SSC website.


Details Specific to Merchants

Data Security Compliance Requirements:
In order to help protect the integrity of cardholder data, Discover Network requires ALL merchants that process, store or transmit Discover Network Cardholder data to comply with the Payment Card Industry Data Security Standard (“PCI DSS”) at all times. In addition, merchants may also be required to validate and report their compliance directly to Discover Network or to their acquirer.

All merchants that process Discover Network Cardholder data are required to comply with the PCI DSS at all times. Prior to beginning the compliance assessment process, it is important for merchants to understand how they are defined under the DISC program. The information below will help merchants identify what Merchant Level they fall under and the compliance validation and reporting requirements that correspond to that merchant level. Lastly, it is important to understand whether you have a contractual relationship with Discover Network (“Network Merchants”) or if you have a contract with a Discover Network Acquirer (“Acquired Merchants”). This factor will help you understand where and how you are required to submit your compliance report.

Step 1: Compliance Requirements
All merchants must comply with the Payment Card Industry Data Security Standard. Discover Network requires all NEW compliance assessments that commence on or after January 1, 2009 to be performed using PCI DSS v1.2. If you started your compliance assessment prior to January 1, 2009 using PCI DSS v1.1, you may continue your assessment using that version of the standard. The calendar below provides an overview of which standards may be used over the next two years.


Merchant Activity Calendar

2008 (up to 12/31/2008):
  • Assessments started prior to 12/31/2008 may use PCI DSS v1.1 or PCI DSS v1.2

2009 (commencing 1/1/2009):
  • All new assessments must use PCI DSS v1.2
  • 12/31/2009: Last date that PCI DSS v1.1 assessments will be accepted

2010 (commencing 1/1/2010):
  • All assessments must use PCI DSS v1.2 – PCI DSS v1.1 assessments no longer accepted


Step 2: Determine Your Merchant Level and Compliance Validation Requirements
The table below outlines the Discover Network Merchant Levels, the corresponding compliance validation requirements and the tools that can be used to validate your compliance.


Merchant Level and Compliance Validation Requirements

The compliance validation tools listed for each level are available at https://www.pcisecuritystandards.org

Level 1
Description:
  • All merchants processing a total of more than 6 million Discover Network card transactions per year
  • Any merchant Discover Network, in its sole discretion, determines should meet the Level 1 compliance validation and reporting requirements
  • All merchants required by another payment brand to validate and report their compliance as a Level 1 merchant
Compliance Validation Requirements:
  • Complete an annual on-site assessment using the PCI DSS Requirements and Security Assessment Procedures. The on-site assessment may be performed by a Qualified Security Assessor OR the merchant’s internal auditor, AND
  • Complete Quarterly Network Vulnerability Scans performed by an Approved Scanning Vendor
Compliance Validation Tools:
  • PCI DSS Requirements and Security Assessment Procedures v1.2
  • PCI DSS v1.1 Security Assessment Procedures (for use only with assessments started prior to 1/1/09)
  • List of PCI SSC Qualified Security Assessors
  • List of PCI SSC Approved Scanning Vendors

Level 2
Description:
  • All merchants processing a total of 1 million to 6 million Discover Network card transactions per year
  • All merchants required by another payment brand to validate and report their compliance as a Level 2 merchant
Compliance Validation Requirements:
  • Complete an annual self-assessment using the applicable PCI DSS Self-Assessment Questionnaire ("SAQ"), AND
  • Complete Quarterly Network Vulnerability Scans performed by an Approved Scanning Vendor
Compliance Validation Tools:
  • PCI DSS Self-Assessment Questionnaires (note: v1.1 of the SAQs may only be used for assessments started prior to 1/1/09)
  • List of PCI SSC Approved Scanning Vendors

Level 3
Description:
  • All merchants processing a total of 20,000 to 1 million Discover Network card-not-present only transactions per year
  • All merchants required by another payment brand to validate and report their compliance as a Level 3 merchant
Compliance Validation Requirements:
  • Complete an annual self-assessment using the applicable PCI DSS SAQ, AND
  • Complete Quarterly Network Vulnerability Scans performed by an Approved Scanning Vendor
Compliance Validation Tools:
  • PCI DSS Self-Assessment Questionnaires (note: v1.1 of the SAQs may only be used for assessments started prior to 1/1/09)
  • List of PCI SSC Approved Scanning Vendors

Level 4
Description:
  • All other merchants
Compliance Validation Requirements:
  • Validation and Reporting Requirements are determined by the merchant's acquirer
  • Annual self-assessment using the applicable PCI DSS SAQ AND Quarterly Network Vulnerability Scans performed by an Approved Scanning Vendor are recommended
Compliance Validation Tools:
  • PCI DSS Self-Assessment Questionnaires (note: v1.1 of the SAQs may only be used for assessments started prior to 1/1/09)
  • List of PCI SSC Approved Scanning Vendors

Note: Any merchant that suffers a data security breach that resulted in the actual or suspected compromise of Discover Network Cardholder data may be required to validate their compliance at a higher level as determined by Discover Network.

Discover Network reserves the right to request a full copy of a merchant’s Report on Compliance (ROC) or Self-Assessment Questionnaire (SAQ) at any time, and the merchant must comply with such a request promptly.


Step 3: Report your Compliance Status
The information below outlines the compliance reporting requirements for each Discover Network Merchant Level.

Level 1 Merchants:

Network Merchants:

  • Merchants that completed an on-site assessment using PCI DSS v1.2 are required to submit Appendix D of the PCI DSS Requirements and Security Assessment Procedures v1.2: Attestation of Compliance – Merchants. Note: Discover Network requires merchants that are not fully compliant with the PCI DSS to also complete the "Action Plan for Non-Compliant Status" section of the Attestation of Compliance.¹
  • Merchants that completed an on-site assessment using PCI DSS v1.1 are required to submit the DISC Attestation of Compliance form.

All compliance reports must be submitted to Discover Network via one of the following methods:

  • Hardcopy: DFS Services LLC, Discover Network - Data Security, 2500 Lake Cook Road, Riverwoods, IL 60015
  • Electronic Copies may be submitted to DISCCompliance@discover.com. Note: please send an email to DISCCompliance@discover.com to request a PGP public key or set up a secure email connection.

Acquired Merchants

  • Merchants that completed an on-site assessment using PCI DSS v1.2 are required to submit Appendix D of the PCI DSS Requirements and Security Assessment Procedures v1.2: Attestation of Compliance – Merchants.
  • Merchants that completed an on-site assessment using PCI DSS v1.1 are required to work with their acquirer to determine the appropriate reporting requirements.
  • Please consult your acquirer for instructions on submitting compliance reports.

Level 2 and 3 Merchants:

  • All Level 2 and 3 Network and Acquired merchants are required to complete the applicable PCI DSS Self-Assessment Questionnaire and report their compliance using the appropriate Attestation of Compliance contained within the SAQ. Note: Discover Network requires merchants that are not fully compliant with the PCI DSS to also complete the "Action Plan for Non-Compliant Status" section of the Attestation of Compliance.¹

Network Merchants:

All Attestations of Compliance reports must be submitted to Discover Network via one of the following methods:

  • Hardcopy: DFS Services LLC, Discover Network - Data Security, 2500 Lake Cook Road, Riverwoods, IL 60015
  • Electronic Copies may be submitted to DISCCompliance@discover.com. Please send an email to DISCCompliance@discover.com to receive a PGP public key or set up a secure email connection.

Acquired Merchants:

Please consult your acquirer for instructions on submitting your compliance reports.

Level 4 Merchants:

Network Merchants:

  • Discover Network may require that Level 4 merchants complete the applicable PCI DSS Self-Assessment Questionnaire and report their compliance using the appropriate Attestation of Compliance. Note: Discover Network requires merchants that are not fully compliant with the PCI DSS to also complete the "Action Plan for Non-Compliant Status" section of the Attestation of Compliance.¹

All Attestations of Compliance reports must be submitted to Discover Network via one of the following methods:

  • Hardcopy: DFS Services LLC, Discover Network - Data Security, 2500 Lake Cook Road, Riverwoods, IL 60015
  • Electronic Copies may be submitted to DISCCompliance@discover.com. Please send an email to DISCCompliance@discover.com to request a PGP public key or set up a secure email connection.

Acquired Merchants:

Please consult your acquirer for your compliance reporting requirements and instructions for submitting your compliance reports to your acquirer.

¹ Submission of an action plan to Discover Network shall not be deemed a waiver by Discover Network of its rights under any applicable agreement or operating regulations.

In addition to requiring compliance to the PCI Data Security Standard, Discover Network supports the launch of the Payment Application Data Security Standard (PA-DSS) and strongly recommends that merchants and their Agents use payment applications that have been validated as compliant with the PCI Payment Application Data Security Standard (PA-DSS). For more information regarding PA-DSS, please visit the PCI SSC website.
