PCI Compliance

Determining your validation and reporting requirements


Once you have determined your Discover Merchant Level, the table below details the corresponding validation and reporting requirements.

Reporting requirements for compliant merchants:

Level 1

Validation:
  • On-site assessment using the PCI DSS requirements and Security Assessment Procedures.
  • Quarterly external network vulnerability scans.

Reporting:
  • Attestation of Compliance from Report on Compliance (ROC). Submission of scan results is not required.

Level 2

Validation:
  • Self-assessment using the applicable PCI DSS Self-Assessment Questionnaire (SAQ).
  • Quarterly external network vulnerability scans.

Reporting:
  • Attestation of Compliance from SAQ. Submission of scan results is not required.

Level 3

Validation:
  • Self-assessment using the applicable PCI DSS Self-Assessment Questionnaire (SAQ).
  • Quarterly external network vulnerability scans.

Reporting:
  • Attestation of Compliance from SAQ. Submission of scan results is not required.

Level 4

Validation:
  • Self-assessment using the applicable PCI DSS Self-Assessment Questionnaire (SAQ).
  • Quarterly external network vulnerability scans.

Important note: If an organization does not have a direct acquiring relationship with Discover, its requirements as a Level 4 merchant may be different. These organizations should consult with their acquirer for the appropriate acquirer-determined Level 4 merchant validation and reporting requirements.

Reporting:
  • Attestation of Compliance from SAQ (Discover Merchants only). Submission of scan results is not required.

Acquired merchants only:
  • Validation and reporting requirements are determined by the merchant's acquirer.
  • Annual self-assessment using the applicable PCI DSS SAQ.
  • Quarterly external network vulnerability scans performed by an Approved Scanning Vendor (ASV) are recommended.

Attestation of Compliance must be submitted annually. The due date to report your compliance to Discover is one year from the date of achieving compliance in the current year unless Discover has, in writing, agreed on another date. Extensions can be requested by completing the Discover Merchant Extension Request Form and PCI Prioritized Approach Form.

Please send all forms to Disccompliance@discover.com.

Reporting requirements for non-compliant Discover Merchants:

Level 1 or 2

Reporting:
  • Signed copy of the request letter
  • Completed prioritized approach
  • Copy of the scan results and an update on the status on a quarterly basis

Level 3 or 4

Reporting:
  • Signed copy of the request letter
  • Completed prioritized approach for PCI DSS worksheet or Action Plan for Non-Compliant Status section of the Attestation of Compliance

Submission of an action plan or the prioritized approach to Discover shall not be deemed a waiver by Discover of its rights under any applicable agreement or operating regulations. Depending on the Merchant Level, Discover will require periodic updates on the progress made toward achieving PCI compliance.

Important Notes

On-site assessments may only be performed by a PCI Qualified Security Assessor (QSA) or the merchant's Internal Security Assessor (ISA). No other third party is authorized to perform a PCI assessment for your organization.

View a list of QSAs

External network vulnerability scans must be performed by a PCI Approved Scanning Vendor (ASV).

View a list of ASVs

Discover reserves the right to request and receive a copy of a merchant's full Report on Compliance (ROC) or Self-Assessment Questionnaire (SAQ) at any time. Merchants are required to comply with such a request promptly. Any merchant that suffers a data security breach resulting in the actual or suspected compromise of Discover Cardholder data may be required to validate its compliance with the PCI DSS at a higher level, as determined solely by Discover.

Contact Our Data Security Team

To report a data compromise or cardholder breach, call 1-800-347-3083. Or contact us for any compliance-related questions.