Performing a PCI DSS Compliance Assessment

Merchant compliance assessments

Performing a PCI DSS compliance assessment, or validating compliance, is the process of evaluating an organization's security policies, and procedures against each applicable control in the standard. This includes, but is not limited to testing business facilities and system components as well as verifying the security of third-party Service Providers.

The first step is to determine which PCI compliance assessment is applicable to you, an on-site Assessment or a Self-Assessment.

On-site assessment

Level 1 Discover® Merchants are required to complete on-site assessments utilizing a PCI Qualified Security Assessor. The appropriate on-site assessment tool is the PCI DSS Requirements and Security Assessment Procedures, available on the PCI website.

Any Merchant that suffers a data security breach that resulted in the actual or suspected compromise of Discover Cardholder data may be required to validate their compliance with the PCI DSS at a higher level as determined solely by Discover.

Note: Please ensure that all assessments use the most current version of PCI DSS that applies to the reporting period.

Self-assessment

Level 2 and 3 Discover Merchants are eligible to perform a PCI self-assessment. If you are required to perform an on-site assessment for another card brand, you will not have to perform an additional self-assessment for Discover.

The appropriate self-assessment tool is the PCI Self-Assessment Questionnaire (SAQ), available on the PCI website.

Note: Please ensure that all assessments use the most current version of PCI DSS that applies to the reporting period.

Acquirer & Service Provider compliance assessments

All Service Providers, including Acquirers and Acquirer Processors that store, process, or transmit Discover Cardholder data on the Discover network, are required to comply with the PCI DSS. They may be required to report their compliance status based on a request from Discover. Please refer to the Compliance Validation and Reporting Requirements for Service Providers. To validate and report their compliance status to Discover Network, service providers must complete and submit one of the following annually:

Compliant Service Provider & Acquirer

On-site assessment

Service Providers completing an on-site assessment are required to to utilize a PCI Qualified Security Assessor (QSA) to perform the assessments. Service Providers are required to submit their Attestation of Compliance (AOC).

Note: Please ensure that all assessments use the most current version of PCI DSS that applies to the reporting period.

Self-assessment

Service Providers performing a self-assessment are required to complete PCI DSS Self-Assessment Questionnaire D for Service Providers and submit the most current version of the Service Provider Attestation of Compliance (AOC).

Note: Please ensure that all assessments use the most current version of PCI DSS that applies to the reporting period.

Non-compliant Service Provider & Acquirer

Discover requires Service Providers that are not fully compliant with the PCI DSS to complete the Prioritized Approach Tool worksheet or the PCI “Action Plan for Non-Compliant Status” section in the PCI Attestation of Compliance (AOC).

Submission of an action plan to Discover Global Network shall not be deemed a waiver by Discover Global Network of its rights under any applicable agreement or operating regulations.

Important notes: Discover reserves the right to request a copy of a Service Provider’s PCI DSS Report on Compliance (ROC) or PCI Self-Assessment Questionnaire (SAQ) at any time, which the Service Provider must comply with the request promptly.