Performing a PCI DSS Compliance Assessment
Merchant compliance assessments
Performing a PCI DSS compliance assessment, or validating compliance, is the process of evaluating an organization's security policies and procedures against each applicable control in the standard. This includes, but is not limited to, testing business facilities and system components as well as verifying the security of third-party Service Providers.
The first step is to determine which PCI compliance assessment is applicable to you: an on-site assessment or a self-assessment.
On-site assessment
Level 1 Discover® Network merchants are required to complete on-site assessments utilizing a PCI Qualified Security Assessor. The appropriate on-site assessment tool is the PCI DSS Requirements and Security Assessment Procedures, available on the PCI website.
Any merchant that suffers a data security breach resulting in the actual or suspected compromise of Discover Network Cardholder data may be required to validate their compliance with the PCI DSS at a higher level, as determined solely by Discover Network.
Note: Please ensure that all assessments use the most current version of PCI DSS that applies to the reporting period.
Self-assessment
Level 2 and 3 Discover Network merchants are eligible to perform a PCI self-assessment. If you are required to perform an on-site assessment for another card brand, you will not have to perform an additional self-assessment for Discover Network.
The appropriate self-assessment tool is the PCI Self-Assessment Questionnaire (SAQ), available on the PCI website.
Note: Please ensure that all assessments use the most current version of PCI DSS that applies to the reporting period.
Acquirer & Service Provider compliance assessments
All Service Providers, including Acquirers and Processors that store, process, or transmit Discover Network Cardholder data on Discover Network, are required to comply with the PCI DSS. They may be required to report their compliance status based on a request from Discover Network. Please refer to the Compliance Validation and Reporting Requirements for Service Providers. To validate and report their compliance status to Discover Network, Service Providers must complete and submit one of the following annually:
Compliant Service Provider & Acquirer
On-site assessment
Service Providers completing an on-site assessment are required to utilize a PCI Qualified Security Assessor (QSA) to perform the assessment. Service Providers are required to submit their Attestation of Compliance (AOC).
Note: Please ensure that all assessments use the most current version of PCI DSS that applies to the reporting period.
Self-assessment
Service Providers performing a self-assessment are required to complete PCI DSS Self-Assessment Questionnaire D (SAQ-D) for Service Providers and submit the most current version of the Attestation of Compliance (AOC).
Note: Please ensure that all assessments use the most current version of PCI DSS that applies to the reporting period.
Important notes: Discover Network reserves the right to request a copy of a Service Provider's PCI DSS Report on Compliance (ROC) or PCI Self-Assessment Questionnaire (SAQ) at any time, and the Service Provider must comply with such a request promptly.
Contact our Data Security team
To report a data compromise or cardholder breach, call 1-800-347-3083. Or contact us for any compliance-related questions.