Merchant compliance assessments

Performing a PCI DSS compliafnce assessment, or validating compliance, is the process of evaluating an organization's security policies, procedures and network configurations against each applicable control in the standard. This includes, but is not limited to testing business facilities and system components as well as verifying the security of third-party Service Providers.

Once you determine that you will perform a PCI compliance assessment, the first step is to decide whether you will self-assess compliance or perform a full on-site assessment.

Self-assessment

Only Level 2 and 3 Discover® Merchants are eligible to perform a self-assessment. If you are a Level 1 Discover Merchant, you are required to perform a full on-site assessment. If you are required to perform a full on-site assessment for another card brand, you will not have to perform an additional self-assessment for Discover.

The appropriate self-assessment tool is the PCI Self-Assessment Questionnaire (SAQ), available on the PCI website.

Full on-site assessment

Level 1 Discover Merchants are required to perform full on-site assessments. The appropriate on-site assessment tool is the PCI DSS Requirements and Security Assessment Procedures, available on the PCI website.

Any Merchant that suffers a data security breach that resulted in the actual or suspected compromise of Discover Cardholder data may be required to validate their compliance with the PCI DSS at a higher level as determined solely by Discover.

Note: Please ensure that all new all assessments utilize the most current version of PCI DSS that is applicable within the reporting period.

Acquirer & Service Provider compliance assessments

All Service Providers, including Acquirers and Acquirer Processors that store, process, or transmit Discover Cardholder data on the Discover network, are required to comply with the PCI DSS. They may be required to report their compliance status based on a request from Discover. Please refer to the Compliance Validation and Reporting Requirements for Service Providers. To validate and report their compliance status to Discover Network, service providers must complete and submit one of the following annually:

Compliant Service Provider & Acquirer

On-site assessment

Service Providers that completed an on-site assessment are required to submit their Attestation of Compliance (AOC).

Please ensure that all assessments utilize the most current version of PCI DSS that is applicable within the reporting period.

Self-assessment

Service Providers that perform a self-assessment are required to complete PCI DSS Self-Assessment Questionnaire D and submit the Service Provider Version of the Attestation of Compliance.

Non-compliant Service Provider & Acquirer

Discover requires Service Providers that are not fully compliant with the PCI DSS to complete the Prioritized Approach for PCI DSS worksheet or the “Action Plan for Non-Compliant Status” section of the Attestation of Compliance and send it along with a signed copy of the request letter.

Submission of an action plan to Discover Global Network shall not be deemed a waiver by Discover Global Network of its rights under any applicable agreement or operating regulations.

Important notes: Discover reserves the right to request a full copy of a Service Provider’s Report on Compliance or Self-Assessment Questionnaire (SAQ) at any time, and the Service Provider must comply with such a request promptly.