Discover Merchants that meet the following criteria are qualified to apply for an exemption by completing the DISC Program Merchant EMV PCI Validation Waiver Application and sending the completed application to the DISC team at DISCCompliance@discover.com. Merchants that are acquired by an entity outside of Discover (Acquired Merchants) should consult with their direct acquirer to determine their candidacy for this program.
Once received, a DISC team member will review the Waiver and respond accordingly with an acceptance or with further questions.
Discover may, in some cases, be able to validate a Discover Merchant’s compliance with the aforementioned waiver requirements. In such cases, Discover will proactively certify a Merchant’s compliance with the Merchant EMV PCI Waiver, and will communicate a Merchant’s exemption via email, phone call, or other communication channel.
Please note that all Merchants (including those determined to be exempt from sending documentation) are required to maintain compliance with the PCI DSS at all times. In the event of a Data Security Breach, the Merchant may be responsible for fraud losses and damages. Discover maintains the right to require full PCI DSS compliance validation in the event that a Merchant experiences a Data Security Breach or presents a security risk to Discover.
Unless formally specified and approved by Discover, an Attestation of Compliance must be submitted annually. The due date to report your compliance to Discover is one year from the date of achieving compliance in the current year unless Discover has, in writing, agreed on another date. Extensions can be requested by completing the Discover Merchant Extension Request Form and the PCI Prioritized Approach Form, available in the PCI SSC Document Library.
Please send all forms to DISCCompliance@discover.com.
On-site assessments may only be performed by a PCI-Qualified Security Assessor (QSA) or the merchant’s ISA. No other third party is authorized to perform a PCI assessment for your organization. View a list of QSAs.
External network vulnerability scans must be performed by a PCI-Approved Scanning Vendor (ASV). View a list of ASVs.
Discover reserves the right to request and receive a copy of a merchant’s full Report on Compliance (ROC) or Self-Assessment Questionnaire (SAQ) at any time. Merchants are required to comply with such a request promptly. Any merchant that suffers a data security breach that resulted in the actual or suspected compromise of Discover Cardholder data may be required to validate their compliance with the PCI DSS at a higher level as determined solely by Discover.