Discover® Information Security & Compliance (DISC)
DISC overview
Data security is a top priority for Discover®. The Discover Information Security & Compliance (DISC) program was developed to implement and maintain efficient data security requirements and procedures for its partners, and to promote the adoption of secure transaction processing of cardholder data on the Discover® Global Network.
As a founding member, Discover works with other payments participants on an ongoing basis as part of the Payment Card Industry Security Standards Council, LLC (PCI SSC). The PCI SSC was created to develop and evolve the Payment Card Industry (PCI) security standards focused on protecting cardholder data throughout the payment transaction lifecycle. Discover is committed to the protection of payment card data, and thus the DISC program is aligned with the PCI security standards to help safeguard this data and limit data compromises.
To that end, any Merchants that accept Discover Global Network and any Acquirers that process Discover transactions, as well as their acquired merchants, must comply with the Payment Card Industry Data Security Standard (PCI DSS) at all times if they store, process, or transmit Discover Cardholder data on the Discover network.
DISC for Merchants
In addition to requiring compliance with the PCI Data Security Standard, Discover requires that each new implementation of payment applications by Merchants and their Agents be compliant with the Payment Card Industry Secure Software Standard. To learn more, please visit the PCI SSC website.
Moreover, Merchants accepting PIN entry on POS terminals must comply with Payment Card Industry PIN Security Requirements. To view the current PCI PIN standard, please visit the PCI SSC website.
Software-Based PIN Entry on COTS (SPoC) Solutions enable EMV contact and contactless transactions with PIN entry on the merchant's consumer device using a secure PIN entry application in combination with a Secure Card Reader for PIN (SCRP). Discover strongly recommends all SPoC solutions be PCI certified (PCI Software-Based PIN Entry on COTS) and listed on the PCI SSC website.
Contactless Payments on COTS (CPoC) Solutions enable Merchants to accept contactless payments using a commercial off-the-shelf (COTS) mobile device (e.g., smartphone or tablet) with near-field communication (NFC). Discover strongly recommends all CPoC solutions be PCI certified (PCI Contactless Payments on COTS) and listed on the PCI SSC website.
DISC for Acquirers & Service Providers
There are separate compliance requirements for Acquirers and Service Providers. In addition to requiring compliance with the PCI Data Security Standard, Discover supports the PCI Secure Software Standard and strongly recommends that Acquirers ensure their Merchants, Service Providers and Agents use payment systems that have been validated as compliant with this standard.
For more information regarding the PCI Secure Software Standard, please visit the PCI SSC website.
Moreover, Acquirers and their Agents who store, process, transfer or otherwise handle PIN numbers as part of a credit or debit card authorization process must comply with Payment Card Industry PIN Security Requirements. To view the current PCI PIN standard, please visit the PCI SSC website.
Software-Based PIN Entry on COTS (SPoC) Solutions enable EMV contact and contactless transactions with PIN entry on the Merchant's consumer device using a secure PIN entry application in combination with a Secure Card Reader for PIN (SCRP). Discover strongly recommends all SPoC solutions be PCI certified (PCI Software-Based PIN Entry on COTS) and listed on the PCI SSC website.
Contactless Payments on COTS (CPoC) Solutions enable Merchants to accept contactless payments using a commercial off-the-shelf (COTS) mobile device (e.g., smartphone or tablet) with near-field communication (NFC). Discover strongly recommends all CPoC solutions be PCI certified (PCI Contactless Payments on COTS) and listed on the PCI SSC website.
Issuers utilizing Card Production Vendors
Discover Global Network Issuers may only use vendors approved by DISC (“Approved Vendor*”) to provide them with goods and services related to the production of Cards. Such goods and services provided to the Issuer include, but are not limited to, Card manufacturing, personalization, and fulfillment in accordance with current security procedures and card specifications.
* Note: Effective October 13, 2023, the “Approved Vendor” list will be retired, and Issuers will be able to choose their own Card Production Vendors to provide them with goods and services related to the production of Cards, as long as such vendors are compliant with PCI Card Production standards.
Contact our Data Security team
To report a data compromise or cardholder breach, call 1-800-347-3083, or contact us with any compliance-related questions.