If you process credit cards (whether face-to-face or online) you need to be fully compliant with the guidelines and regulations for credit card security and processing. In this article we’ll be exploring the Discover Information Security and Compliance (DISC) Program.
Before we get into Discover’s specific rules, you’ll need to make sure you’re compliant with PCI DSS, the set of security requirements agreed by everyone involved in the payment card system. You can check out our article on PCI compliance if you need more information.
Meeting PCI DSS standards is essential, as that’s what Discover and other credit card providers will ask you to prove. Once you know you’re meeting PCI DSS, you can start going through Discover’s compliance program. Here’s how.
- Find Out Your Merchant Level
- Requirements and Paperwork
- Providing Documents to Discover
- Useful Resources and Further Information
Find Out Your Merchant Level
All of Discover’s requirements are based on what’s called your “merchant level” (from 1 to 4, with 1 being the highest), and the higher your level, the more you need to do. You can find your merchant level as follows:
You’re a level 1 merchant if:
- You process more than 6 million transactions annually on the Discover network.
- Another credit card provider (e.g. Amex, Visa) has decided you are a level 1 merchant.
- You have suffered a data security breach resulting in an actual or suspected compromise of Discover cardholder data.
- Discover decides you’re level 1.
You’re a level 2 merchant if:
- You process between 1 million and 6 million transactions annually on the Discover network.
You’re a level 3 merchant if:
- You process between 20,000 and 1 million transactions annually where the cardholder is not present (e.g. online transactions).
You’re a level 4 merchant if:
- None of the above conditions for other levels apply.
Once you know your merchant level, you can find out what requirements you need to meet.
Requirements and Paperwork
The table below provides guidelines on what requirements you’ll need to meet to achieve and maintain compliance. Links under the table offer more information on the specific requirements.
- Report on Compliance
- Qualified Security Assessor
- Attestation of Compliance
- Approved Scan Vendor
Once you know what you need to do, you’ll need to contact an approved vendor (a Qualified Security Assessor or Approved Scan Vendor, as applicable) to carry out the requirements and go through the validation process.
Providing Documents to Discover
Once you’ve carried out all of the necessary steps and put your reports and compliance documents together, you’ll need to send them to Discover.
- Electronic – Send electronic copies to DISCCompliance@discover.com. If you need to set up encryption or PGP, email DISCCompliance@discover.com to request a public PGP key or a secure email connection.
- Hardcopy – Send paper copies to:
DFS Services LLC, Discover Network-Data Security
2500 Lake Cook Road
Riverwoods, IL 60015.
Useful Resources and Further Information
- Discover’s DISC program site
- Performing a PCI DSS compliance assessment
- First Time PCI DSS compliance assessments
- Tools to assist with assessments
- American Express Data Security Operating Policy