PCI Compliance

Determining Your Validation and Reporting Requirements

Back to compliance resources

Once you have determined your Discover® Merchant Level, the table below details the corresponding validation and reporting requirements. Additionally, Discover has implemented a Merchant EMV PCI Validation Waiver program by which Discover Merchants are able to obtain an exemption from providing PCI Compliance documentation to the Discover Information Security & Compliance (DISC) team.

Reporting requirements for compliant merchants:

LEVEL
VALIDATION
REPORTING*
LEVEL
1
VALIDATION
  • On-site assessment using the PCI DSS requirements and Security Assessment Procedures
  • Quarterly external network vulnerability scans
REPORTING*
  • Attestation of Compliance (AOC) from Report on Compliance (ROC)
  • Submission of scan results Not required
LEVEL
2
VALIDATION
  • Self-assessment using the applicable PCI DSS Self-Assessment Questionnaire (SAQ)
  • Quarterly external network vulnerability scans
REPORTING*
  • Attestation of Compliance (AOC) from SAQ
  • Submission of scan results Not required
LEVEL
3
VALIDATION
  • Self-assessment using the applicable PCI DSS Self-Assessment Questionnaire (SAQ)
  • Quarterly external network vulnerability scans
REPORTING*
  • Attestation of Compliance (AOC) from SAQ
  • Submission of scan results Not required



DISC Program Merchant EMV PCI Validation Waiver Program

Discover Merchants that meet the following criteria are qualified to apply for an exemption by completing the DISC Program Merchant EMV PCI Validation Waiver Application and sending the completed application to the DISC team at DISCCompliance@discover.com. Merchants that are acquired by an entity outside of Discover (Acquired Merchants) should consult with their direct acquirer to determine their candidacy for this program.


Waiver Criteria:
  • Merchant is not storing Sensitive Authentication Data (i.e., full contents of magnetic stripe, CVV2, CID or PIN data) on any system subsequent to transaction authorization.
  • At least 75% of Merchant’s transactions originated from Chip Card Terminals* enabled to accept Chip Card Transactions (including, without limitation, Discover D-PAS transactions)
    *Chip Card Terminals must have current, valid EMV approval and Discover D-PAS Certification.
  • Merchant has documented and annually tests a Data Security Breach incident response program in accordance with the Payment Card Industry Data Security Standard requirements.
  • Merchant has not been involved in a Data Security Breach in the past 12 months.

Once received, a DISC team member will review the Waiver and respond accordingly with an acceptance or with further questions.

Proactive Validation

Discover may, in some cases, be able to validate a Discover Merchant’s compliance with the aforementioned waiver requirements. In such cases, Discover will proactively certify a Merchant’s compliance with the Merchant EMV PCI Waiver, and will communicate a Merchant’s exemption via email, phone call, or other communication channel.

Please note that all Merchants (including those determined to be exempt from sending documentation) are required to maintain compliance with the PCI DSS at all times. In the event of a Data Security Breach, the Merchant may be responsible for fraud losses and damages. Discover maintains the right to require full PCI DSS compliance validation in the event that a Merchant experiences a Data Security Breach or presents a security risk to Discover.

Unless formally specified and approved by Discover, an Attestation of Compliance must be submitted annually. The due date to report your compliance to Discover is one year from the date of achieving compliance in the current year unless Discover has, in writing, agreed on another date. Extensions can be requested by completing the Discover Merchant Extension Request Form and the PCI Prioritized Approach Form, available in the PCI SSC Document Library

Please send all forms to DISCCompliance@discover.com

Reporting requirements for non-compliant Discover Merchants:

LEVEL
REPORTING
LEVEL
1 or 2
REPORTING
  • Signed copy of the request letter
  • Completed prioritized approach
  • Copy of the scan results and an update on the status on a quarterly basis
LEVEL
3
REPORTING
  • Signed copy of the request letter
  • Completed prioritized approach for PCI DSS worksheet or Action Plan for Non-Compliant Status section of the Attestation of Compliance
Submission of an action plan or the prioritized approach to Discover shall not be deemed a waiver by Discover of its rights under any applicable agreement or operating regulations. Depending on the Merchant Level, Discover will require periodic updates on the progress made toward achieving PCI compliance.

Important Notes

On-site assessments may only be performed by a PCI-Qualified Security Assessor (QSA) or the merchant’s ISA. No other third party is authorized to perform a PCI assessment for your organization.

View a list of QSAs

External network vulnerability scans must be performed by a PCI-Approved Scanning Vendor (ASV).

View a list of ASVs

Discover reserves the right to request and receive a copy of a merchant’s full Report on Compliance (ROC) or Self-Assessment Questionnaire (SAQ) at any time. Merchants are required to comply with such a request promptly. Any merchant that suffers a data security breach that resulted in the actual or suspected compromise of Discover Cardholder data may be required to validate their compliance with the PCI DSS at a higher level as determined solely by Discover.

Back to compliance resources

Contact Our Data Security Team

To report a data compromise or cardholder breach, call 1-800-347-3083. Or contact us for any compliance-related questions.
Contact Us