
Determining Validation and Reporting Requirements

Once an organization has determined its Discover Merchant Level, the table below details the corresponding validation and reporting requirements.

| Level | Validation | Reporting |
| --- | --- | --- |
| 1 | Full on-site assessment using the PCI DSS Requirements and Security Assessment Procedures. Quarterly external network vulnerability scans. | Attestation of Compliance from Report on Compliance (“ROC”). Submission of scan results is not required. |
| 2 | Self-assessment using the applicable PCI DSS Self-Assessment Questionnaire (“SAQ”). Quarterly external network vulnerability scans. | Attestation of Compliance from SAQ. Submission of scan results is not required. |
| 3 | Self-assessment using the applicable PCI DSS Self-Assessment Questionnaire (“SAQ”). Quarterly external network vulnerability scans. | Attestation of Compliance from SAQ. Submission of scan results is not required. |
| 4 | Complete a self-assessment using the applicable PCI DSS Self-Assessment Questionnaire (“SAQ”). Quarterly external network vulnerability scans. | Attestation of Compliance from SAQ (Discover Merchants only). Submission of scan results is not required. |

Important note (Level 4): If an organization does not have a direct acquiring relationship with Discover, its requirements as a Level 4 merchant may be different. These organizations should check with their acquirer for the appropriate acquirer-determined Level 4 merchant validation and reporting requirements.

Important Notes:
On-site assessments may only be performed by a PCI Qualified Security Assessor (“QSA”) or the merchant’s internal auditor or information security professional. No other third party is authorized to perform a PCI assessment for your organization. For a list of QSAs, click here.

External network vulnerability scans must be performed by a PCI Approved Scanning Vendor (“ASV”). For a list of ASVs, click here.

Discover reserves the right to request and receive a copy of a merchant’s full Report on Compliance (ROC) or Self-Assessment Questionnaire (SAQ) at any time. Merchants are required to comply with such a request promptly.

Any merchant that suffers a data security breach that resulted in the actual or suspected compromise of Discover Cardholder data may be required to validate their compliance with the PCI DSS at a higher level, as determined solely by Discover.