All Service Providers, including Acquirers, Processors and Gateway Providers who store, process, or transmit Discover® Cardholder data are required to comply with the PCI DSS. They may be required to report their compliance status upon a request from Discover.
Service Provider compliance assessments
All Service Providers, including Acquirers and Acquirer Processors that store, process, or transmit Discover Cardholder data on the Discover network may be required to report their compliance annually upon a request from Discover. To validate and report their compliance status to Discover Network, service providers submit one of the following:
Service Providers that completed an on-site assessment are required to submit their Attestation of Compliance (AOC).
Non-compliant service provider
Discover requires Service Providers that are not fully compliant with the PCI DSS to complete the prioritized Approach for PCI DSS worksheet or the "Action Plan for Non-Compliant Status" section of the Attestation of Compliance and send it along with a signed copy of the request letter.
Report submitted annually