
Determining Your Validation and Reporting Requirements

Once you have determined your Discover® Network merchant level, the table below details the corresponding validation and reporting requirements. Additionally, Discover Network has implemented a merchant Security Compliance Innovation Program (SCIP) by which Discover Network merchants are able to obtain relief from providing PCI Compliance documentation to the Discover Information Security & Compliance (DISC) team.

Reporting requirements for compliant merchants:

Level 1
  Validation:
    • On-site assessment performed by a PCI Qualified Security Assessor (QSA) using the PCI DSS requirements and Security Assessment Procedures
    • Quarterly external network vulnerability scan performed by an Approved Scanning Vendor (ASV)
  Reporting*:
    • Attestation of Compliance (AOC) from Report on Compliance (ROC)
    • Submission of scan results is not required, unless requested by Discover Network

Level 2
  Validation:
    • Self-assessment using the applicable PCI DSS Self-Assessment Questionnaire (SAQ)
    • Quarterly external network vulnerability scan performed by an Approved Scanning Vendor (ASV)
  Reporting*:
    • Attestation of Compliance (AOC) from SAQ
    • Submission of scan results is not required, unless requested by Discover Network

Level 3
  Validation:
    • Self-assessment using the applicable PCI DSS Self-Assessment Questionnaire (SAQ)
    • Quarterly external network vulnerability scan performed by an Approved Scanning Vendor (ASV)
  Reporting*:
    • Attestation of Compliance (AOC) from SAQ is required upon request from Discover Network
    • Submission of scan results is not required, unless requested by Discover Network

*While not required, Discover Network may, at its discretion, require partners to submit a complete Report on Compliance (ROC), Self-Assessment Questionnaire (SAQ) and/or scan results as deemed necessary.

Security Compliance Innovation Program (SCIP)

Discover Network merchants that meet the following criteria are qualified to apply for PCI DSS reporting relief by completing the Security Compliance Innovation Program Application and sending the completed application to the DISC team at DISCCompliance@discover.com. Merchants that are acquired by an entity outside of Discover Network (Acquired Merchants) should consult with their direct Acquirer to determine their candidacy for this program.

SCIP criteria:
  • Merchant has documented and annually tests a Data Security Breach incident response program in accordance with the Payment Card Industry Data Security Standard (PCI-DSS) requirements; 
  • Merchant has not been involved in a Data Security Breach in the past 12 months; 
  • Merchant is not storing Sensitive Authentication Data (i.e., full contents of magnetic stripe, CVV2, CID or PIN data) on any system subsequent to transaction authorization; and 
  • At least 75% of the merchant's transactions originate from one or more of the following security technologies:
    • Merchant’s transactions originated from Chip Card Terminals* enabled to accept Chip Card Transactions (including, without limitation, Discover D-PAS transactions). 
      • *Chip Card Terminals must have current, valid EMV approval and Discover D-PAS Certification.
    • Point-to-Point Encryption (P2PE): implemented a PCI Security Standard Council (PCI SSC) approved P2PE solution listed on the PCI SSC website or independently validated by a PCI SSC Point-to-Point Encryption Qualified Security Assessor.
    • Tokenization: All tokenization solutions must comply with EMVCo Specifications. Additionally, tokens must not be reversible to reveal unmasked Primary Account Numbers (PANs) to the merchant. 

Once received, a DISC team member will review the SCIP Application and respond accordingly with a decision regarding acceptance or with further questions.

Proactive validation

Discover Network may, in some cases, be able to validate a Discover Network merchant's compliance with the aforementioned SCIP reporting relief requirements. In such cases, Discover Network will proactively certify the merchant's compliance with the merchant Security Compliance Innovation Program (SCIP) and will communicate this to the merchant via email, phone call, or another communication channel.

Please note that all merchants (including those determined to be eligible for PCI DSS reporting relief) are required to maintain compliance with the PCI DSS at all times. In the event of a Data Security Breach, the merchant may be responsible for fraud losses, non-compliance fees, and damages. Discover Network maintains the right to require all completed PCI DSS compliance validation documents.

Compliance summary

Unless formally specified and approved by Discover Network, a PCI DSS Attestation of Compliance (AOC) must be submitted annually. The due date to report your PCI DSS compliance to Discover Network is one year from the date of prior compliance validation. If the participant cannot meet this date, they must contact the compliance accepting entity to determine next steps.

Please send all forms to DISCCompliance@discover.com

Important notes

On-site assessments may only be performed by a PCI-Qualified Security Assessor (QSA) or the merchant’s PCI-ISA. No other third party is authorized to perform a PCI assessment for your organization.

View a list of QSAs

View the list of ISAs

Discover Network reserves the right to request and receive a copy of a merchant’s PCI DSS Report on Compliance (ROC) or PCI Self-Assessment Questionnaire (SAQ) at any time. Merchants are required to comply with such a request promptly. Any merchant that suffers a data security breach that resulted in the actual or suspected compromise of Discover Network Cardholder data may be required to validate their compliance with the PCI DSS at a higher level as determined solely by Discover Network.

Contact our Data Security team

To report a data compromise or cardholder breach, call 1-800-347-3083. Or contact us for any compliance-related questions.
