
Determining Your Validation and Reporting Requirements

Once you have determined your Discover® Merchant Level, the table below details the corresponding validation and reporting requirements. Additionally, Discover has implemented a Merchant EMV PCI Validation Waiver program by which Discover Merchants are able to obtain an exemption from providing PCI Compliance documentation to the Discover Information Security & Compliance (DISC) team.

Reporting requirements for compliant Merchants:

Level 1
  Validation:
  • On-site assessments are performed by a PCI Qualified Security Assessor (QSA) or the Merchant’s PCI Internal Security Assessor (PCI-ISA) using the PCI DSS requirements and Security Assessment Procedures
  • Quarterly external network vulnerability scan performed by an Approved Scanning Vendor (ASV)
  Reporting*:
  • Attestation of Compliance (AOC) from Report on Compliance (ROC)
  • Submission of scan results not required

Level 2
  Validation:
  • Self-assessment using the applicable PCI DSS Self-Assessment Questionnaire (SAQ)
  • Quarterly external network vulnerability scan performed by an Approved Scanning Vendor (ASV)
  Reporting*:
  • Attestation of Compliance (AOC) from SAQ
  • Submission of scan results not required

Level 3
  Validation:
  • Self-assessment using the applicable PCI DSS Self-Assessment Questionnaire (SAQ)
  • Quarterly external network vulnerability scan performed by an Approved Scanning Vendor (ASV)
  Reporting*:
  • Attestation of Compliance (AOC) from SAQ upon a request from Discover
  • Submission of scan results not required

*While not required, Discover may, at its discretion, require partners to submit a complete Report on Compliance (ROC), Self-Assessment Questionnaire (SAQ) and/or Scan results as deemed necessary.

DISC Program Merchant EMV PCI Validation Waiver Program

Discover Merchants that meet the following criteria are qualified to apply for an exemption by completing the DISC Program Merchant EMV PCI Validation Waiver Application and sending the completed application to the DISC team at DISCCompliance@discover.com. Merchants that are acquired by an entity outside of Discover (Acquired Merchants) should consult with their direct Acquirer to determine their candidacy for this program.

Waiver criteria:
  • Merchant is not storing Sensitive Authentication Data (i.e., full contents of magnetic stripe, CVV2, CID or PIN data) on any system subsequent to transaction authorization.
  • At least 75% of Merchant’s transactions originated from Chip Card Terminals* enabled to accept Chip Card Transactions (including, without limitation, Discover D-PAS transactions).

    *Chip Card Terminals must have current, valid EMV approval and Discover D-PAS Certification.

  • Merchant has documented and annually tests a Data Security Breach incident response program in accordance with the Payment Card Industry Data Security Standard requirements.
  • Merchant has not been involved in a Data Security Breach in the past 12 months.

Once received, a DISC team member will review the Waiver and respond accordingly with an acceptance or with further questions.

Proactive validation

Discover may, in some cases, be able to validate a Discover Merchant’s compliance with the aforementioned waiver requirements. In such cases, Discover will proactively certify a Merchant’s compliance with the Merchant EMV PCI Waiver, and will communicate a Merchant’s exemption via email, phone call or other communication channel.

Please note that all Merchants (including those determined to be exempt from sending documentation) are required to maintain compliance with the PCI DSS at all times. In the event of a Data Security Breach, the Merchant may be responsible for fraud losses, non-compliance fees, and damages. Discover maintains the right to require all completed PCI DSS compliance validation documents in the event that a Merchant experiences a Data Security Breach or presents a security risk to Discover.

Compliance Summary

Unless formally specified and approved by Discover, a PCI DSS Attestation of Compliance (AOC) must be submitted annually. The due date to report your PCI DSS compliance to Discover is one year from the date of achieving compliance unless Discover has, in writing, agreed on another date. Extensions can be requested by completing the Discover Merchant Extension Request Form and the PCI Prioritized Approach Tool worksheet Form, available in the PCI SSC Document Library.

Please send all forms to DISCCompliance@discover.com.

Reporting requirements for non-compliant Discover Merchants:

Level 1/2
  Reporting:
  • Completed PCI Prioritized Approach Tool worksheet or "Action Plan for Non-Compliant Status" section in the PCI DSS Attestation of Compliance (AOC)
  • Copy of the scan results and an update on the status on a quarterly basis

Level 3
  Reporting:
  • Completed PCI Prioritized Approach Tool worksheet or "Action Plan for Non-Compliant Status" section in the PCI DSS SAQ Attestation of Compliance (AOC)

Submission of a PCI DSS "Action Plan for Non-Compliant Status" or the PCI Prioritized Approach Tool worksheet to Discover shall not be deemed a waiver by Discover of its rights under any applicable agreement or operating regulations. Depending on the Merchant Level, Discover will require periodic updates on the progress made toward achieving PCI compliance.

Important notes

On-site assessments may only be performed by a PCI-Qualified Security Assessor (QSA) or the Merchant’s PCI-ISA. No other third party is authorized to perform a PCI assessment for your organization.

View a list of QSAs

View the list of ISAs

Discover reserves the right to request and receive a copy of a Merchant’s PCI DSS Report on Compliance (ROC) or PCI Self-Assessment Questionnaire (SAQ) at any time. Merchants are required to comply with such a request promptly. Any Merchant that suffers a data security breach that resulted in the actual or suspected compromise of Discover Cardholder data may be required to validate their compliance with the PCI DSS at a higher level as determined solely by Discover.

Contact our Data Security team

To report a data compromise or cardholder breach, call 1-800-347-3083. Or contact us for any compliance-related questions.
