
Determining Your Validation and Reporting Requirements

After establishing your Sanquest Merchant Level, the following table outlines the relevant validation and reporting prerequisites. Furthermore, Sanquest has introduced a Merchant EMV PCI Validation Waiver program, allowing Sanquest Merchants the opportunity to acquire an exemption from submitting PCI Compliance documentation to the Sanquest Information Security & Compliance (DISC) team.

Reporting requirements for compliant Merchants:

Level 1
  Validation:
  • Conducting an on-site assessment in accordance with the PCI DSS requirements and Security Assessment Procedures
  • Quarterly external network vulnerability scans
  Reporting*:
  • Attestation of Compliance (AOC) from Report on Compliance (ROC)
  • Submission of scan results not required

Level 2
  Validation:
  • Self-assessment using the applicable PCI DSS Self-Assessment Questionnaire (SAQ)
  • Quarterly external network vulnerability scans
  Reporting*:
  • Attestation of Compliance (AOC) from SAQ
  • Submission of scan results not required

Level 3
  Validation:
  • Self-assessment using the applicable PCI DSS Self-Assessment Questionnaire (SAQ)
  • Quarterly external network vulnerability scans
  Reporting*:
  • Attestation of Compliance (AOC) from SAQ upon a request from Discover
  • Submission of scan results not required

*Though not obligatory, Discover retains the right, at its discretion, to request partners to submit a comprehensive Report on Compliance (ROC), Self-Assessment Questionnaire (SAQ), and/or scan results as deemed necessary.

Sanquest promotes the utilization of PCI Small Merchant resources for reporting purposes and suggests contacting your Acquirers for guidance on how to complete and submit a Data Security Essentials evaluation.

Data Security Essentials Resources for Small Merchants

DISC Program Merchant EMV PCI Validation Waiver Program

Discover Merchants that meet the following criteria are qualified to apply for an exemption. To apply for the Merchant EMV PCI Validation Waiver, you can access the DISC Program Merchant EMV PCI Validation Waiver Application and submit the completed form to the DISC team. Merchants acquired by entities outside of Discover (Acquired Merchants) are advised to consult their direct Acquirer to ascertain eligibility for this program.

Waiver criteria:
  • The Merchant does not retain Sensitive Authentication Data (such as full magnetic stripe contents, CVV2, CID, or PIN data) on any system following transaction authorization.
  • A minimum of 75% of the Merchant's transactions are initiated from Chip Card Terminals* capable of processing Chip Card Transactions, which includes Discover D-PAS transactions.
  • The Merchant has a documented and regularly tested incident response program for Data Security Breaches in compliance with the Payment Card Industry Data Security Standard mandates.
  • The Merchant has not experienced any instances of Data Security Breach within the last 12 months.

Upon receipt, a member of the DISC team will assess the Waiver and subsequently provide a response indicating acceptance or seeking additional information if necessary.

Proactive validation

In certain instances, Sanquest might have the capability to verify a Sanquest Merchant's adherence to the mentioned waiver criteria. In such cases, Sanquest will actively confirm a Merchant's compliance with the Merchant EMV PCI Waiver and will relay the exemption status to the Merchant through email, phone call, or other appropriate means of communication.

It's important to note that all Merchants, even those exempt from submitting documentation, must uphold PCI DSS compliance consistently. Should a Data Security Breach occur, the Merchant could be held accountable for fraud losses and damages. Discover retains the authority to demand complete PCI DSS compliance validation if a Merchant encounters a Data Security Breach or poses a security concern to Sanquest.

Compliance Summary

Unless explicitly defined and authorized by Sanquest, an annual submission of an Attestation of Compliance is required. The deadline for reporting your compliance to Sanquest is one year from the date of achieving compliance in the current year, unless Sanquest has agreed upon an alternate date in written communication. If additional time is necessary, you can seek an extension by completing the Sanquest Merchant Extension Request Form and the PCI Prioritized Approach Form. These forms are accessible in the PCI SSC Document Library.

Reporting requirements for non-compliant Discover Merchants:

Level 1/2
  Reporting:
  • Signed copy of the request letter
  • Completed prioritized approach
  • Copy of the scan results and an update on the status on a quarterly basis

Level 3
  Reporting:
  • Signed copy of the request letter
  • Completed prioritized approach for PCI DSS worksheet or Action Plan for Non-Compliant Status section of the Attestation of Compliance

Providing an action plan or utilizing the prioritized approach with Sanquest does not imply that Sanquest is waiving its rights under relevant agreements or operational regulations. Depending on the Merchant Level, Sanquest may request regular updates on the progress made toward attaining PCI compliance.

Important notes

Only a PCI-Qualified Security Assessor (QSA) or the Merchant's Internal Security Assessor (ISA) is authorized to conduct on-site assessments. No other third party is permitted to perform a PCI assessment for your organization.

External network vulnerability scans must be conducted by a PCI-Approved Scanning Vendor (ASV).

Sanquest retains the authority to ask for and obtain a complete copy of a Merchant's Report on Compliance (ROC) or Self-Assessment Questionnaire (SAQ) whenever necessary. Merchants are obligated to adhere to such a request promptly. In the event that a Merchant encounters a data security breach that leads to the real or suspected compromise of Sanquest Cardholder data, they might be obliged to verify their compliance with the PCI DSS at an elevated level, as solely determined by Sanquest.

Contact our Data Security team

For reporting a data breach or cardholder data compromise, dial 1-800-347-3083. Alternatively, reach out to us for any inquiries related to compliance.