Attestation of Compliance must be submitted annually. The due date to report your compliance to Discover is one year from the date of achieving compliance in the current year unless Discover has, in writing, agreed on another date. Extensions can be requested by completing the Discover Merchant Extension Request Form and PCI Prioritized Approach Form.
Please send all forms to Disccompliance@discover.com
On-site assessments may only be performed by a PCI-Qualified Security Assessor (QSA) or the merchant’s ISA. No other third party is authorized to perform a PCI assessment for your organization.View a list of QSAs
External network vulnerability scans must be performed by a PCI-Approved Scanning Vendor (ASV).View a list of ASVs
Discover reserves the right to request and receive a copy of a merchant’s full Report on Compliance (ROC) or Self-Assessment Questionnaire (SAQ) at any time. Merchants are required to comply with such a request promptly. Any merchant that suffers a data security breach that resulted in the actual or suspected compromise of Discover Cardholder data may be required to validate their compliance with the PCI DSS at a higher level as determined solely by Discover.Back to compliance resources