Data security is a top priority for Discover. The Discover Information Security & Compliance (DISC) program was developed to implement and maintain efficient data security requirements and procedures for its constituents and promote the adoption of secure transaction processing of cardholder data on the Discover network.
As part of this ongoing initiative, Discover partnered with other major payment card brands to form the Payment Card Industry Security Standards Council, LLC ("PCI SSC"). The PCI SSC was launched on September 7, 2006 to manage the ongoing evolution of the Payment Card Industry ("PCI") security standards, which focus on improving payment account security throughout the transaction process. Discover is firmly committed to the PCI security standards as the industry data protection standards for the payment card industry. The DISC program is designed to promote compliance with the requirements of the PCI security standards by helping you safeguard cardholder data and limit data compromises.
Data Security is a top priority for Discover. To that end, Discover is committed to supporting the Payment Card Industry Data Security Standard (“PCI DSS”) as the security requirement for entities that process, store or transmit cardholder data on the Discover network. As a service provider to Discover Merchants, we require that your organization complies with the PCI Data Security Standard at all times.
All service providers that process, store or transmit cardholder data on the Discover network are required to report their compliance status to Discover Network on an annual basis. In order to validate and report their compliance status to Discover Network, service providers must complete and submit one of the following:
On-site assessment
Service providers that completed an on-site assessment using PCI DSS v1.2 are required to submit Appendix E of the PCI DSS Requirements and Security Assessment Procedures v1.2: Attestation of Compliance - Service Providers, as well as the Executive Summary of the Report on Compliance (ROC).
Note: Discover requires service providers that are not fully compliant with the PCI DSS to also complete the "Action Plan for Non-Compliant Status" section of the Attestation of Compliance.¹
Service providers that completed an on-site assessment using PCI DSS v1.1 are required to submit the Executive Summary from their Report on Compliance (ROC). Please note: all assessments that commence after January 1, 2009 must use PCI DSS v1.2.
Self-Assessment
Service providers that perform a self-assessment are required to complete PCI DSS Self-Assessment Questionnaire D and submit the Service Provider version of the Attestation of Compliance. Note: Discover requires service providers that are not fully compliant with the PCI DSS to also complete the "Action Plan for Non-Compliant Status" section of the Attestation of Compliance.¹
All compliance reports must be submitted by December 31 for the current year* to Discover Network via one of the following methods:
Hardcopy: DFS Services LLC, Discover Network - Data Security, 2500 Lake Cook Road, Riverwoods, IL 60015
Note: please send an email to DISCCompliance@discover.com to receive a PGP public key or set up a secure email connection.
¹ Submission of an action plan to Discover Network shall not be deemed a waiver by Discover Network of its rights under any applicable agreement or operating regulations. Discover reserves the right to request a full copy of a service provider’s Report on Compliance or Self-Assessment Questionnaire (SAQ) at any time, and the service provider must comply with such a request promptly.
*Example: Service providers must submit their 2009 compliance status by December 31, 2009. The report must have been completed for the calendar year of 2009.
In addition to requiring compliance with the PCI Data Security Standard, Discover supports the launch of the Payment Application Data Security Standard (PA-DSS) and strongly recommends that service providers and their agents use payment applications that have been validated as compliant with the PCI Payment Application Data Security Standard (PA-DSS).
For more information regarding PA-DSS, please visit the PCI SSC website.
For More Information
To learn more about the DISC program, please contact us.
Data Security is a top priority for Discover. To that end, Discover works with acquirers to administer the DISC program and help secure the payment card transaction process. As part of our ongoing security initiatives, Discover Network has developed specific data security requirements for acquirers.
Acquirer’s Compliance
All acquirers that process, store or transmit cardholder data on the Discover network are required to report their compliance status to Discover Network, as a service provider, on an annual basis. Please refer to the Compliance Validation and Reporting Requirements for Service Providers for information on how to validate and report your compliance to Discover Network as a service provider.
Acquirer’s Merchant Portfolio Compliance
Acquirers are required to submit a report of their merchant portfolio’s compliance to Discover Network twice per year in accordance with the calendar below. It is the responsibility of the acquirer to ensure that its merchants are following the appropriate Discover requirements for validating and reporting their compliance status. Please refer to the Merchant Level table in the Merchant section (PCI DSS Compliance Validation and Reporting Requirements) for the required validation and reporting requirements. Discover requests that acquirers use the DISC Acquirer Portfolio Compliance Status Submission Form, which is required for validating and reporting the compliance status of your merchants, when submitting their merchant portfolio compliance status.
Please consult the calendar below for compliance reporting deadlines.
Acquirer Compliance Reporting Calendar
DISC Acquirer Portfolio Compliance Status Submission Form must be submitted no later than:
In addition to requiring compliance with the PCI Data Security Standard, Discover supports the launch of the Payment Application Data Security Standard (PA-DSS) and strongly recommends that acquirers ensure their merchants, service providers and agents use payment applications that have been validated as compliant with the PCI Payment Application Data Security Standard (PA-DSS).
For more information regarding PA-DSS, please visit the PCI SSC website.
For More Information
To learn more about the DISC program, please contact us.
Data Security Compliance Requirements
In order to help protect the integrity of cardholder data, Discover requires ALL merchants that process, store or transmit cardholder data on the Discover network to comply with the Payment Card Industry Data Security Standard (“PCI DSS”) at all times. In addition, merchants may also be required to validate and report their compliance directly to Discover Network or to their acquirer.
All merchants that process Discover Cardholder data are required to comply with the PCI DSS at all times. Prior to beginning the compliance assessment process, it is important for merchants to understand how they are defined under the DISC program. The information below will help merchants identify what Merchant Level they fall under and the compliance validation and reporting requirements that correspond to that merchant level. Lastly, it is important to understand whether you have a contractual relationship with Discover (“Discover Merchants”) or if you have a contract with a Discover Acquirer (“Acquired Merchants”). This factor will help you understand where and how you are required to submit your compliance report.
Step 1: Compliance Requirements
All merchants must comply with the Payment Card Industry Data Security Standard. Discover requires all NEW compliance assessments that commence on or after January 1, 2009 to be performed using PCI DSS v1.2. If you started your compliance assessment prior to January 1, 2009 using PCI DSS v1.1, you may continue your assessment using that version of the standard. The calendar below provides an overview of which standards may be used over the next two years.
Merchant Activity Calendar
2008 (up to 12/31/2008): Assessments started prior to 12/31/2008 may use PCI DSS v1.1 or PCI DSS v1.2.
2009 (commencing 1/1/2009): All new assessments must use PCI DSS v1.2. 12/31/2009 is the last date that PCI DSS v1.1 assessments will be accepted.
2010 (commencing 1/1/2010): All assessments must use PCI DSS v1.2; PCI DSS v1.1 assessments are no longer accepted.
Step 2: Determine Your Merchant Level and Compliance Validation Requirements
The table below outlines the Discover Merchant Levels, the corresponding compliance validation requirements and the tools that can be used to validate your compliance.
Merchant Level and Compliance Validation Requirements

Level 1
Description:
- All merchants processing a total of more than 6 million card transactions annually on the Discover network
- Any merchant that Discover, in its sole discretion, determines should meet the Level 1 compliance validation and reporting requirements
- All merchants required by another payment brand to validate and report their compliance as a Level 1 merchant
Compliance Validation Requirements:
Complete an annual on-site assessment using the PCI DSS Requirements and Security Assessment Procedures. The on-site assessment may be performed by a Qualified Security Assessor OR the merchant’s internal auditor
AND
Complete Quarterly Network Vulnerability Scans performed by an Approved Scanning Vendor

Level 2
Description:
- All merchants processing a total of 1 million to 6 million card transactions annually on the Discover network
- All merchants required by another payment brand to validate and report their compliance as a Level 2 merchant
Compliance Validation Requirements:
Complete an annual self-assessment using the applicable PCI DSS Self-Assessment Questionnaire ("SAQ")
AND
Complete Quarterly Network Vulnerability Scans performed by an Approved Scanning Vendor

Level 3
Description:
- All merchants processing a total of 20,000 to 1 million card-not-present only transactions annually on the Discover network
- All merchants required by another payment brand to validate and report their compliance as a Level 3 merchant
Compliance Validation Requirements:
Complete an annual self-assessment using the applicable PCI DSS SAQ
AND
Complete Quarterly Network Vulnerability Scans performed by an Approved Scanning Vendor

Level 4
Description:
- All other merchants
Compliance Validation Requirements:
Validation and reporting requirements are determined by the merchant’s acquirer. An annual self-assessment using the applicable PCI DSS SAQ AND Quarterly Network Vulnerability Scans performed by an Approved Scanning Vendor are recommended.
Notes:
Any merchant that suffers a data security breach that resulted in the actual or suspected compromise of Discover Cardholder data may be required to validate their compliance at a higher level as determined by Discover Network.
Discover reserves the right to request a full copy of a merchant’s full Report on Compliance (ROC) or Self-Assessment Questionnaire (SAQ) at any time and merchant must comply with such a request promptly.
Please visit the PCI SSC Web site (www.pcisecuritystandards.org) to download the PCI DSS Requirements and Security Assessment Procedures, the PCI DSS Self-Assessment Questionnaires and the current lists of PCI SSC Qualified Security Assessors and Approved Scanning Vendors.
Step 3: Report your Compliance Status
The information below outlines the compliance reporting requirements for each Discover Merchant Level.
Level 1 Merchants
Discover Merchants
Merchants that completed an on-site assessment using PCI DSS v1.2 are required to submit Appendix D of the PCI DSS Requirements and Security Assessment Procedures v1.2: Attestation of Compliance – Merchants. Note: Discover requires merchants that are not fully compliant with the PCI DSS to also complete the "Action Plan for Non-Compliant Status" section of the Attestation of Compliance.¹
Merchants that completed an on-site assessment using PCI DSS v1.1 are required to submit the Executive Summary from their Report on Compliance (ROC).
All compliance reports must be submitted to Discover Network via one of the following methods:
Hardcopy: DFS Services LLC, Discover Network - Data Security, 2500 Lake Cook Road, Riverwoods, IL 60015
Acquired Merchants
Merchants that completed an on-site assessment using PCI DSS v1.2 are required to submit Appendix D of the PCI DSS Requirements and Security Assessment Procedures v1.2: Attestation of Compliance – Merchants.
Merchants that completed an on-site assessment using PCI DSS v1.1 are required to work with their acquirer to determine the appropriate reporting requirements.
Please consult your acquirer for instructions on submitting compliance reports.
Level 2 and 3 Merchants
All Level 2 and 3 Network and Acquired merchants are required to complete the applicable PCI DSS Self-Assessment Questionnaire and report their compliance using the appropriate Attestation of Compliance contained within the SAQ. Note: Discover requires merchants that are not fully compliant with the PCI DSS to also complete the "Action Plan for Non-Compliant Status" section of the Attestation of Compliance.¹
Discover Merchants
All Attestations of Compliance reports must be submitted to Discover Network via one of the following methods:
Hardcopy: DFS Services LLC, Discover Network - Data Security, 2500 Lake Cook Road, Riverwoods, IL 60015
Acquired Merchants
Please consult your acquirer for instructions on submitting your compliance reports.
Level 4 Merchants
Discover Merchants
Discover may require that Level 4 merchants complete the applicable PCI DSS Self-Assessment Questionnaire and report their compliance using the appropriate Attestation of Compliance. Note: Discover requires merchants that are not fully compliant with the PCI DSS to also complete the "Action Plan for Non-Compliant Status" section of the Attestation of Compliance.¹
All Attestations of Compliance reports must be submitted to Discover Network via one of the following methods:
Hardcopy: DFS Services LLC, Discover Network - Data Security, 2500 Lake Cook Road, Riverwoods, IL 60015
Acquired Merchants
Please consult your acquirer for your compliance reporting requirements and instructions for submitting your compliance reports to your acquirer.
¹ Submission of an action plan to Discover Network shall not be deemed a waiver by Discover Network of its rights under any applicable agreement or operating regulations.
In addition to requiring compliance with the PCI Data Security Standard, Discover supports the launch of the Payment Application Data Security Standard (PA-DSS) and strongly recommends that merchants and their agents use payment applications that have been validated as compliant with the PCI Payment Application Data Security Standard (PA-DSS).
For more information regarding PA-DSS, please visit the PCI SSC website.
For More Information
To learn more about the DISC program, please contact us.