Data Security is a top priority for Discover Network. To that end, Discover Network is committed to supporting the PCI DSS as the single data security standard for the payment card industry. As part of our ongoing security initiatives, Discover Network - together with the other major payment card brands - adopted the Payment Card Industry Data Security Standard (“PCI DSS”) as the security requirement for Discover Network service providers. Service providers are third party organizations that process, store or transmit Discover Network cardholder data on behalf of Discover Network merchants, acquirers, or other parties. Service providers include, but are not limited to, Third Party Processors and Payment Service Providers. Discover Network requires all service providers that process, store or transmit Discover Network cardholder data to comply with the PCI DSS.

Service providers that process, store or transmit Discover Network cardholder data are required to comply with the PCI DSS at all times. When validating compliance to the PCI DSS, service providers may contract with a Qualified Security Assessor (QSA) to perform their compliance assessments or perform a self-assessment. All self-assessments must be performed using the applicable PCI DSS Payment Card Industry Self-Assessment Questionnaire and must be certified by an authorized officer of the service provider. The PCI SSC website contains the following useful information when validating compliance to the PCI DSS:

• PCI DSS
• PCI DSS Security Audit Procedures
• PCI DSS Payment Card Industry Self-Assessment Questionnaire (SAQ)
• List of Approved Scanning Vendors (ASV)
• List of Qualified Security Assessors (QSA)

Discover Network may require service providers to report their compliance status on an annual basis, or upon request from Discover Network. Service providers that performed a self-assessment may report their compliance status by submitting the applicable SAQ Attestation of Compliance to Discover Network. Service providers that contracted with a QSA may report their compliance status using the DISC Attestation of Compliance form. This two page form allows service providers to communicate their compliance status to Discover Network by completing the form and having an authorized officer of the company sign the completed document. Instructions for submitting this information to Discover Network are included within the form.

Here are a few tips to assist you with your compliance efforts:

• Verify that you are not storing sensitive authentication data. Storage of sensitive authentication data is never permitted.
• Verify that your Point of Sale systems are not storing sensitive authentication data and are protecting cardholder data according to the PCI DSS.
• Take the necessary steps to protect cardholder data according to the PCI DSS.
• Know your business partners – verify that your service providers are protecting cardholder data in accordance with the PCI DSS.
• Please keep in mind that completing quarterly external vulnerability scans is only one of the PCI DSS requirements. Discover Network service providers are responsible for complying with all the PCI DSS requirements.

In the event that you become aware of a suspected or actual data security breach of Discover Network cardholder data you must follow the procedures in the applicable Discover Network agreement or operating regulations, including the following:

• Notify Discover Network immediately by calling (800) 347-3083.
• Work with Discover Network and investigators to conduct a thorough assessment of the data security breach.
• Provide Discover Network with any and all information and follow all instructions of Discover Network representatives regarding the data security breach.

In order to protect the integrity of cardholder data, Discover Network has implemented the Payment Card Industry Data Security Standard (“PCI DSS”) as the security requirements for Discover Network Merchants. Discover Network requires all merchants that process, store or transmit Discover Network Cardholder data to comply with the PCI DSS. In addition, merchants may also be required to validate their compliance directly to Discover Network or to their Acquirer.

Discover Network Merchants are required to comply with the PCI DSS at all times. When validating compliance to the PCI DSS, merchants may contract with a Qualified Security Assessor (QSA) to perform their compliance assessments or perform a self-assessment. All self-assessments must be performed using the applicable PCI DSS Payment Card Industry Self-Assessment Questionnaire (SAQ) and must be certified by an authorized officer of the merchant. The PCI SSC website contains the following useful information when validating compliance to the PCI DSS:

• PCI DSS
• PCI DSS Security Audit Procedures
• PCI DSS Payment Card Industry Self-Assessment Questionnaire
• List of Approved Scanning Vendors (ASV)
• List of Qualified Security Assessors (QSA)

Discover Network may require merchants to report their compliance status on an annual basis, or upon request from Discover Network. Merchants that performed a self-assessment may report their compliance status by submitting the applicable SAQ Attestation of Compliance to Discover Network. Merchants that contracted with a QSA may report their compliance status using the DISC Attestation of Compliance form. This two page form allows merchants to communicate their compliance status to Discover Network by completing the form and having an authorized officer of the company sign the completed document. Instructions for submitting this information to Discover Network are included within the form.

Here are a few tips to assist you with your compliance efforts:

• Verify that you are not storing sensitive authentication data. Storage of sensitive authentication data is never permitted.
• Verify that your Point of Sale systems are not storing sensitive authentication data and are protecting cardholder data according to the PCI DSS.
• Take the necessary steps to protect cardholder data according to the PCI DSS.
• Know your business partners – verify that your service providers are protecting cardholder data in accordance with the PCI DSS.
• Please keep in mind that completing quarterly external vulnerability scans is only one of the PCI DSS requirements. Discover Network Merchants are responsible for complying with all the PCI DSS requirements.

In the event that you become aware of a suspected or actual data security breach of Discover Network cardholder data you must follow the procedures in the applicable Discover Network agreement or operating regulations, including the following:

• Notify Discover Network immediately by calling (800) 347-3083.
• Work with Discover Network and investigators to conduct a thorough assessment of the data security breach.
• Provide Discover Network with any and all information and follow all instructions of Discover Network representatives regarding the data security breach.