Credit Card Processing, Security and PCI Compliance

Discover Information Security and Compliance Program


May 15, 2019

If you process credit cards (whether face-to-face or online) you need to be fully compliant with the guidelines and regulations for credit card security and processing. In this article we’ll be exploring the Discover Information Security and Compliance (DISC) Program.

Before we get into Discover’s specific rules, you’ll need to make sure you’re compliant with PCI DSS – This is an agreed set of requirements for everyone involved in the credit card system. You can check out our article on PCI compliance if you need more information.

Meeting PCI DSS standards is essential, as that’s what Discover and other credit card providers will ask you to prove. Once you know you’re meeting PCI DSS, you can start going through Discover’s compliance program. Here’s how.

Find Out What Merchant Level

All of Discover’s requirements are based on what’s called your “merchant level” (from 1 to 4 – 1 being the highest), with higher levels needing to do more. You can find your merchant level as follows:

You’re a level 1 merchant if:

  • You process more than 6 million transactions annually on the Discover network.
  • Another credit card provider (e.g. Amex, Visa) has decided you are a level 1 merchant.
  • You have suffered a data security breach resulting in an actual or suspected compromise of Discover cardholder data.
  • Discover decides you’re level 1.

You’re a level 2 merchant if:

  • You process between 1 million and 6 million transactions annually on the Discover network.

You’re a level 3 merchant if:

  • You process between 20,000 and 1 million transactions annually where the cardholder is not present (e.g. online transactions).

You’re a level 4 merchant if:

  • None of the above conditions for other levels apply.

Once you know your merchant level, you can find out what requirements you need to meet.

Requirements and Paperwork

The table below provides guidelines on what requirements you’ll need to meet to achieve and maintain compliance. Links under the table offer more information on the specific requirements.


Discover merchant level chart

Report on Compliance
Qualified Security Assessor
Attestation of Compliance
Self-Assessment Questionnaire
Approved Scan Vendor

Once you know what you need to do, you’ll need to contact an approved vendor to carry out the requirements and go through the validation process.

Providing Documents to Discover

Once you’ve carried out all of the necessary steps and put your reports and compliance documents together, you’ll need to send them to Discover.

  • Electronic – Send electronic copies to If you need to setup encryption or PGP, email to request a public PGP key or a secure email connection.
  • Hardcopy – Send paper copies to:
    DFS Services LLC, Discover Network-Data Security
    2500 Lake Cook Road
    Riverwoods, IL 60015.

Useful Resources and Further Information

See also:

MasterCard SDP
American Express Data Security Operating Policy

Paul Maplesden

BY Paul Maplesden

Paul Maplesden is a freelance writer specializing in business, finance, and technology. He brings shrewd research skills to CardFellow, resulting in detailed, actionable information for business owners. Paul finds writing about money deeply interesting, and much of his work for CardFellow focuses on the intersection of payments and technology. Whether he's writing about the latest payment app or detailing the differences in popular ecommerce platforms, Paul's work helps businesses understand the myriad products and services available in the processing industry. Aside from writing, he loves Earl Grey tea, pivot tables, hats, and other fine geekery.


Credit Card Processing exposed

Use the secrets that credit card processors don't want
you to know to drastically lower your credit card
processing fees.

Read Now!

You might also like…

Discover Information Security and Compliance Program
Discover Information Security and Compliance Program

View all articles

Please join the conversation

Your email address will not be published.