Service Provider Compliance
All Service Providers, including Acquirers, Processors and Gateway Providers who store, process, or transmit Discover® Cardholder data are required to comply with the PCI DSS. They may be required to report their compliance status upon a request from Discover.
Service Provider levels

Level 1: All Service Providers that store, process and/or transmit over 300,000 Discover card transactions per year. Also any service provider that Discover, in its sole discretion, determines should meet the Level 1 compliance validation and reporting requirements.

Level 2: All Service Providers that store, process and/or transmit less than 300,000 Discover card transactions per year.
Validation and reporting requirements for Service Providers

Level 1
Validation: Annual on-site assessment using the PCI DSS Requirements and Security Assessment Procedures, performed by a Qualified Security Assessor (QSA); and quarterly network vulnerability scans performed by an Approved Scanning Vendor (ASV).
Reporting: Attestation of Compliance from the Report on Compliance (ROC).

Level 2
Validation: Annual self-assessment using the applicable PCI DSS Self-Assessment Questionnaire (SAQ); and quarterly network vulnerability scans performed by an ASV.
Reporting: Attestation of Compliance located in the Service Provider SAQ, upon a request from Discover.
Note: Discover reserves the right to request a full copy of a Service Provider’s Report on Compliance or Self-Assessment Questionnaire (SAQ) at its discretion. The Service Provider must comply with such a request promptly.
Service Provider compliance assessments
All Service Providers, including Acquirers and Acquirer Processors that store, process, or transmit Discover Cardholder data on the Discover network may be required to report their compliance annually upon a request from Discover. To validate and report their compliance status to Discover Network, Service Providers submit one of the following:
On-site assessment
Service Providers that completed an on-site assessment are required to submit their Attestation of Compliance (AOC).
Note: Please ensure that all assessments use the most current version of PCI DSS that applies to the reporting period.
Self-assessment
Service Providers that perform a self-assessment are required to complete PCI DSS Self-Assessment Questionnaire D and submit the Service Provider Version of the Attestation of Compliance.
Non-compliant service provider
Discover requires Service Providers that are not fully compliant with the PCI DSS to complete the Prioritized Approach for PCI DSS worksheet or the "Action Plan for Non-Compliant Status" section of the Attestation of Compliance and send it along with a signed copy of the request letter.
Submission of an action plan to Discover Global Network shall not be deemed a waiver by Discover Global Network of its rights under any applicable agreement or operating regulations.
Report submitted annually
All Service Providers are required to submit a compliance report every year.
Contact our Data Security team
To report a data compromise or cardholder breach, call 1-800-347-3083. Or contact us for any compliance-related questions.