DISC Program Merchant EMV PCI Validation Waiver Program
- Merchant is not storing Sensitive Authentication Data (i.e., full contents of magnetic stripe, CVV2, CID or PIN data) on any system subsequent to transaction authorization.
- At least 75% of Merchant’s transactions originated from Chip Card Terminals* enabled to accept Chip Card Transactions (including, without limitation, Discover® D-PAS transactions).
*Chip Card Terminals must have current, valid EMV approval and Discover D-PAS Certification.
- Merchant has documented and annually tests a Data Security Breach incident response program in accordance with the Payment Card Industry Data Security Standard requirements.
- Merchant has not been involved in a Data Security Breach in the past 12 months.
Discover may, in some cases, be able to validate a Discover Merchant’s compliance with the aforementioned waiver requirements. In such cases, Discover will proactively certify a Merchant’s compliance with the Merchant EMV PCI Waiver, and will communicate a Merchant’s exemption via email, phone call or other communication channel.
Unless formally specified and approved by Discover, an Attestation of Compliance must be submitted annually. The due date to report your compliance to Discover is one year from the date of achieving compliance in the current year unless Discover has, in writing, agreed on another date. Extensions can be requested by completing the Discover Merchant Extension Request Form and the PCI Prioritized Approach Form, available in the PCI SSC Document Library.
On-site assessments may only be performed by a PCI-Qualified Security Assessor (QSA) or the Merchant’s ISA. No other third party is authorized to perform a PCI assessment for your organization.
External network vulnerability scans must be performed by a PCI-Approved Scanning Vendor (ASV).