Performing a PCI DSS Compliance Assessment
Performing a PCI DSS compliafnce assessment, or validating compliance, is the process of evaluating an organization's security policies, procedures and network configurations against each applicable control in the standard. This includes, but is not limited to testing business facilities and system components as well as verifying the security of third-party Service Providers.
Once you determine that you will perform a PCI compliance assessment, the first step is to decide whether you will self-assess compliance or perform a full on-site assessment.
Only Level 2 and 3 Discover® Merchants are eligible to perform a self-assessment. If you are a Level 1 Discover Merchant, you are required to perform a full on-site assessment. If you are required to perform a full on-site assessment for another card brand, you will not have to perform an additional self-assessment for Discover.
The appropriate self-assessment tool is the PCI Self-Assessment Questionnaire (SAQ), available on the PCI website.
Level 1 Discover Merchants are required to perform full on-site assessments. The appropriate on-site assessment tool is the PCI DSS Requirements and Security Assessment Procedures, available on the PCI website.
Note: Please ensure that all new all assessments utilize the most current version of PCI DSS that is applicable within the reporting period.
All Service Providers, including Acquirers and Acquirer Processors that store, process, or transmit Discover Cardholder data on the Discover network, are required to comply with the PCI DSS. They may be required to report their compliance status based on a request from Discover. Please refer to the Compliance Validation and Reporting Requirements for Service Providers. To validate and report their compliance status to Discover Network, service providers must complete and submit one of the following annually:
Please ensure that all assessments utilize the most current version of PCI DSS that is applicable within the reporting period.
Service Providers that perform a self-assessment are required to complete PCI DSS Self-Assessment Questionnaire D and submit the Service Provider Version of the Attestation of Compliance.
Important notes: Discover reserves the right to request a full copy of a Service Provider’s Report on Compliance or Self-Assessment Questionnaire (SAQ) at any time, and the Service Provider must comply with such a request promptly.