
Service Provider Compliance

All Service Providers, including Acquirers, Processors, Payment Enablers, and Gateway Providers who store, process, or transmit Discover® Network Cardholder data, are required to comply with the PCI DSS.

Service Provider levels

Level 1

All Service Providers that store, process and/or transmit over 300,000 Discover Network card transactions per year.

Any Service Provider that Discover Network, in its sole discretion, determines should meet the Level 1 compliance validation and reporting requirements.

Level 2

Service Providers that store, process and/or transmit less than 300,000 Discover Network card transactions per year.

Validation and reporting requirements for Service Providers

Level 1

Validation:

Annual on-site assessment using the PCI DSS Requirements and PCI DSS Security Assessment Procedures performed by a Qualified Security Assessor

Quarterly external network vulnerability scans performed by an Approved Scanning Vendor (ASV)

Reporting:

Attestation of Compliance (AOC) from Report on Compliance (ROC)

Level 2

Validation:

Annual self-assessment using the applicable PCI DSS Self-Assessment Questionnaire (SAQ)

Quarterly external network vulnerability scans performed by an Approved Scanning Vendor (ASV)

Reporting:

Attestation of Compliance (AOC) located in the Service Provider SAQ upon a request from Discover Network

Note: Discover Network reserves the right to request a copy of a Service Provider’s PCI DSS Report on Compliance (ROC) or Self-Assessment Questionnaire (SAQ) at its discretion. The Service Provider must comply with the request promptly.

Service Provider compliance assessments

All Service Providers, including Acquirers, Processors, Payment Enablers, and Gateway Providers that store, process, or transmit Discover Network Cardholder data on Discover Network, may be required to report their compliance annually upon a request from Discover Network. To validate and report their compliance status to Discover Network, Service Providers submit one of the following:

On-site assessment

Service Providers that completed an on-site assessment are required to submit their PCI DSS Attestation of Compliance (AOC).

Note: Please ensure that all assessments use the most current version of PCI DSS that applies to the reporting period.

Self-assessment

Service Providers performing a self-assessment are required to complete PCI DSS Self-Assessment Questionnaire D for Service Providers Attestation of Compliance (AOC).

Note: Please ensure that all assessments use the most current version of PCI DSS that applies to the reporting period.

Report submitted annually

All Service Providers are required to submit a PCI compliance report every year.

Contact our Data Security team

To report a data compromise or cardholder breach, call 1-800-347-3083. Or contact us for any compliance-related questions.
