Service Provider Compliance

All Service Providers, including Acquirers, Processors and Gateway Providers who store, process, or transmit Discover® Cardholder data are required to comply with the PCI DSS. They may be required to report their compliance status upon a request from Discover.

Service Provider levels

Level 1
  • All Service Providers that store, process and/or transmit over 300,000 Discover® card transactions per year.
  • Any service provider that Discover, in its sole discretion, determines should meet the Level 1 compliance validation and reporting requirements.

Level 2
  • All Service Providers that store, process and/or transmit less than 300,000 Discover card transactions per year.

Validation and reporting requirements for Service Providers

Level 1

Validation
  • Annual on-site assessment using the PCI DSS Requirements and Security Assessment Procedures performed by a Qualified Security Assessor (QSA)
  • Complete quarterly network vulnerability scans performed by an Approved Scanning Vendor (ASV)

Reporting
  • Attestation of Compliance from the Report on Compliance (ROC)

Level 2

Validation
  • Annual self-assessment using the applicable PCI DSS Self-Assessment Questionnaire (SAQ)
  • Complete quarterly network vulnerability scans performed by an ASV

Reporting
  • Attestation of Compliance located in the Service Provider SAQ, upon a request from Discover

Note: Discover reserves the right to request a full copy of a service provider’s Report on Compliance or Self-Assessment Questionnaire (SAQ) at its discretion. The service provider must comply with such a request promptly.

Service Provider compliance assessments

All Service Providers, including Acquirers and Acquirer Processors, that store, process, or transmit Discover Cardholder data on the Discover network may be required to report their compliance annually upon a request from Discover. To validate and report their compliance status to Discover Network, service providers submit one of the following:

On-site assessment

Service Providers that completed an on-site assessment are required to submit their Attestation of Compliance (AOC).

Note: Please ensure that all assessments use the most current version of PCI DSS that applies to the reporting period.

Self-assessment

Service Providers that perform a self-assessment are required to complete the PCI DSS Self-Assessment Questionnaire D and submit the Service Provider version of the Attestation of Compliance.

Non-compliant service provider

Discover requires Service Providers that are not fully compliant with the PCI DSS to complete the Prioritized Approach for PCI DSS worksheet or the "Action Plan for Non-Compliant Status" section of the Attestation of Compliance, and to send it along with a signed copy of the request letter.

Submission of an action plan to Discover Global Network shall not be deemed a waiver by Discover Global Network of its rights under any applicable agreement or operating regulations.

Report submitted annually

All Service Providers are required to submit a compliance report every year.

Contact our Data Security team

To report a data compromise or cardholder breach, call 1-800-347-3083. Or contact us for any compliance-related questions.