Determining Your Validation and Reporting Requirements
Once you have determined your Discover® Merchant Level, the table below details the corresponding validation and reporting requirements. Additionally, Discover has implemented a Merchant EMV PCI Validation Waiver program by which Discover Merchants are able to obtain an exemption from providing PCI Compliance documentation to the Discover Information Security & Compliance (DISC) team.
Reporting requirements for compliant Merchants:
Level
Validation
Reporting*
Level
1
Validation
On-site assessment using the PCI DSS requirements and Security Assessment Procedures
Quarterly external network vulnerability scans
Reporting*
Attestation of Compliance (AOC) from Report on Compliance (ROC)
Submission of scan results not required
Level
2
Validation
Self-assessment using the applicable PCI DSS Self-Assessment Questionnaire (SAQ)
Quarterly external network vulnerability scans
Reporting*
Attestation of Compliance (AOC) from SAQ
Submission of scan results not required
Level
3
Validation
- Self-assessment using the applicable PCI DSS Self-Assessment Questionnaire (SAQ)
- Quarterly external network vulnerability scans
Reporting*
- Attestation of Compliance (AOC) from SAQ upon a request from Discover
- Submission of scan results not required
*While not required, Discover may, at its discretion, require partners to submit a complete Report on Compliance (ROC), Self-Assessment Questionnaire (SAQ) and/or Scan results as deemed necessary.
Discover encourages the use of PCI Small Merchant materials for reporting and talk to your Acquirers for instructions on how to complete and submit a Data Security Essentials evaluation.
Data Security Essentials Resources for Small Merchants
DISC Program Merchant EMV PCI Validation Waiver Program
Discover Merchants that meet the following criteria are qualified to apply for an exemption by completing the DISC Program Merchant EMV PCI Validation Waiver Application and sending the completed application to the DISC team at DISCCompliance@discover.com. Merchants that are acquired by an entity outside of Discover (Acquired Merchants) should consult with their direct Acquirer to determine their candidacy for this program.
Waiver criteria:
Once received, a DISC team member will review the Waiver and respond accordingly with an acceptance or with further questions.
Proactive validation
Discover may, in some cases, be able to validate a Discover Merchant’s compliance with the aforementioned waiver requirements. In such cases, Discover will proactively certify a Merchant’s compliance with the Merchant EMV PCI Waiver, and will communicate a Merchant’s exemption via email, phone call or other communication channel.
Please note that all Merchants (including those determined to be exempt from sending documentation) are required to maintain compliance with the PCI DSS at all times. In the event of a Data Security Breach, the Merchant may be responsible for fraud losses and damages. Discover maintains the right to require full PCI DSS compliance validation in the event that a Merchant experiences a Data Security Breach or presents a security risk to Discover.
Compliance Summary
Unless formally specified and approved by Discover, an Attestation of Compliance must be submitted annually. The due date to report your compliance to Discover is one year from the date of achieving compliance in the current year unless Discover has, in writing, agreed on another date. Extensions can be requested by completing the Discover Merchant Extension Request Form and the PCI Prioritized Approach Form, available in the PCI SSC Document Library
Please send all forms to DISCCompliance@discover.com
Reporting requirements for non-compliant Discover Merchants:
Level
Reporting
Level
1/2
Reporting
- Signed copy of the request letter
- Completed prioritized approach
- Copy of the scan results and an update on the status on a quarterly basis
Level
3
Reporting
- Signed copy of the request letter
- Completed prioritized approach for PCI DSS worksheet or Action Plan for Non-Compliant Status section of the Attestation of Compliance
Submission of an action plan or the prioritized approach to Discover shall not be deemed a waiver by Discover of its rights under any applicable agreement or operating regulations. Depending on the Merchant Level, Discover will require periodic updates on the progress made toward achieving PCI compliance.
Important notes
On-site assessments may only be performed by a PCI-Qualified Security Assessor (QSA) or the Merchant’s ISA. No other third party is authorized to perform a PCI assessment for your organization.
External network vulnerability scans must be performed by a PCI-Approved Scanning Vendor (ASV).
Discover reserves the right to request and receive a copy of a Merchant’s full Report on Compliance (ROC) or Self-Assessment Questionnaire (SAQ) at any time. Merchants are required to comply with such a request promptly. Any Merchant that suffers a data security breach that resulted in the actual or suspected compromise of Discover Cardholder data may be required to validate their compliance with the PCI DSS at a higher level as determined solely by Discover.
Contact our Data Security team
To report a data compromise or cardholder breach, call 1-800-347-3083. Or contact us for any compliance-related questions.