Determining Your Validation and Reporting Requirements
Once you have determined your Discover® Merchant Level, the table below details the corresponding validation and reporting requirements. Additionally, Discover has implemented a Merchant EMV PCI Validation Waiver program by which Discover Merchants are able to obtain an exemption from providing PCI Compliance documentation to the Discover Information Security & Compliance (DISC) team.
*While not required, Discover may, at its discretion, require partners to submit a complete Report on Compliance (ROC), Self-Assessment Questionnaire (SAQ) and/or Scan results as deemed necessary.
Discover Merchants that meet the following criteria are qualified to apply for an exemption by completing the DISC Program Merchant EMV PCI Validation Waiver Application and sending the completed application to the DISC team at DISCCompliance@discover.com. Merchants that are acquired by an entity outside of Discover (Acquired Merchants) should consult with their direct Acquirer to determine their candidacy for this program.
Once received, a DISC team member will review the Waiver and respond accordingly with an acceptance or with further questions.
Please send all forms to DISCCompliance@discover.com
Submission of an action plan or the prioritized approach to Discover shall not be deemed a waiver by Discover of its rights under any applicable agreement or operating regulations. Depending on the Merchant Level, Discover will require periodic updates on the progress made toward achieving PCI compliance.
Discover reserves the right to request and receive a copy of a Merchant’s full Report on Compliance (ROC) or Self-Assessment Questionnaire (SAQ) at any time. Merchants are required to comply with such a request promptly. Any Merchant that suffers a data security breach that resulted in the actual or suspected compromise of Discover Cardholder data may be required to validate their compliance with the PCI DSS at a higher level as determined solely by Discover.