Merchant compliance assessments
Performing a PCI DSS compliance assessment, or validating compliance, is the process of evaluating an organization's security policies, procedures and network configurations against each applicable control in the standard. This includes but is not limited to testing business facilities and system components as well as verifying the security of third-party Service Providers.
Only Level 2 and 3 Discover® Merchants are eligible to perform a self-assessment. If you are a Level 1 Discover Merchant, you are required to perform a full on-site assessment. If you are required to perform a full on-site assessment for another card brand, you will not have to perform an additional self-assessment for Discover.
Full on-site assessment
Level 1 Discover Merchants are required to perform full on-site assessments. The appropriate on-site assessment tool is the PCI DSS Requirements and Security Assessment Procedures, available on the PCI website.
Any Merchant that suffers a data security breach that resulted in the actual or suspected compromise of Discover® Cardholder data may be required to validate their compliance with the PCI DSS at a higher level as determined solely by Discover.
Acquirer & Service Provider compliance assessments
To validate and report their compliance status to Discover Network, service providers must complete and submit one of the following annually:
Compliant Service Provider & Acquirer
Service Providers that completed an on-site assessment are required to submit their Attestation of Compliance (AOC).
Non-compliant Service Provider & Acquirer
Discover requires Service Providers that are not fully compliant with the PCI DSS to complete the Prioritized Approach for PCI DSS worksheet or the “Action Plan for Non-Compliant Status” section of the Attestation of Compliance and send it along with a signed copy of the request letter.
Submission of an action plan to Discover Global Network shall not be deemed a waiver by Discover Global Network of its rights under any applicable agreement or operating regulations.