
Performing a PCI DSS Compliance Assessment

Merchant compliance assessments

Conducting an assessment for PCI DSS compliance, or confirming compliance, involves evaluating an organization's security policies, procedures, and network setups in relation to all relevant controls specified in the standard. This encompasses activities such as examining business facilities and system elements, and ensuring the security of third-party Service Providers.

After concluding that a PCI compliance assessment is needed, the primary step involves choosing between self-assessment for compliance or conducting a comprehensive on-site assessment.


Only Discover® Merchants classified as Level 2 and 3 are qualified to undertake a self-assessment. If you fall under the category of a Level 1 Discover Merchant, you are obligated to carry out a comprehensive on-site assessment. Should a full on-site assessment be mandated by another card brand, there is no necessity to conduct an additional self-assessment for Discover.

The appropriate self-assessment tool is the PCI Self-Assessment Questionnaire (SAQ), accessible on the PCI website.

Full on-site assessment

Level 1 Discover Merchants must carry out comprehensive on-site evaluations. The suitable on-site evaluation resource is the PCI DSS Requirements and Security Assessment Procedures, accessible on the PCI website.

Any Merchant that experiences a data security breach leading to the confirmed or suspected compromise of Discover Cardholder data may be required to confirm its compliance with the PCI DSS at an elevated level, determined solely by Discover.

Note: It is imperative to ensure that all new assessments utilize the most up-to-date version of the applicable PCI DSS during the reporting period.

Acquirer & Service Provider compliance assessments

Every Service Provider, including Acquirers and Acquirer Processors, that stores, processes, or transmits Discover Cardholder data within the Discover network is obligated to adhere to the PCI DSS guidelines. They may need to communicate their compliance status as requested by Discover. For further details, consult the Compliance Validation and Reporting Requirements for Service Providers. To verify and declare their compliance status to the Discover Network, service providers must annually complete and submit one of the following forms:

Compliant Service Provider & Acquirer

On-site assessment

Service Providers who have concluded an on-site assessment are obligated to present their Attestation of Compliance (AOC).

Kindly make certain that all assessments utilize the most up-to-date edition of the relevant PCI DSS during the reporting timeframe.


Service Providers engaged in self-assessment must complete the PCI DSS Self-Assessment Questionnaire D and furnish the Service Provider Version of the Attestation of Compliance.

Non-compliant Service Provider & Acquirer

For Service Providers not in full compliance with PCI DSS, Discover mandates the completion of either the "Prioritized Approach for PCI DSS" worksheet or the section titled "Action Plan for Non-Compliant Status" in the Attestation of Compliance. This, along with a signed copy of the request letter, should be submitted.

It should be noted that presenting an action plan to Discover Global Network does not imply any relinquishment of Discover Global Network's rights under any pertinent agreement or operating regulations.

Important remarks: Discover retains the prerogative to request a comprehensive copy of a Service Provider's Report on Compliance or Self-Assessment Questionnaire (SAQ) at any juncture, and the Service Provider is obligated to promptly comply with such a request.

Contact our Data Security team

For reporting a data breach or cardholder data compromise, dial 1-800-347-3083. Alternatively, reach out to us for any inquiries related to compliance.
