PCI Compliance

Service Provider Compliance


All service providers, including acquirers, processors and gateway providers who store, process or transmit Discover Cardholder data, are required to annually report their compliance status to Discover.

Service Provider Levels

Level 1
  • All service providers that store, process, and/or transmit over 300,000 Discover card transactions per year.
  • Any service provider that Discover, in its sole discretion, determines should meet the Level 1 compliance validation and reporting requirements.

Level 2
  • All service providers that store, process, and/or transmit less than 300,000 Discover card transactions per year.

Validation and Reporting Requirements for Service Providers

Level 1
  Validation:
    • Annual on-site assessment using the PCI DSS Requirements and Security Assessment Procedures performed by a Qualified Security Assessor (QSA)
    • Complete quarterly network vulnerability scans performed by an Approved Scanning Vendor (ASV)
  Reporting:
    • Attestation of Compliance from Report on Compliance (ROC)

Level 2
  Validation:
    • Annual self-assessment using the applicable PCI DSS Self-Assessment Questionnaire (SAQ)
    • Complete quarterly network vulnerability scans performed by an ASV
  Reporting:
    • Attestation of Compliance located in the Service Provider SAQ

Note: Discover reserves the right to request a full copy of a service provider’s Report on Compliance or Self-Assessment Questionnaire (SAQ) at its discretion. The service provider must comply with such a request promptly.

Service Provider Compliance Assessments

All service providers that store, process, or transmit Discover Cardholder data on the Discover network are required to report their compliance. To validate and report their compliance status to Discover Network, service providers must annually complete and submit one of the following:

On-Site Assessment—Service providers that complete an on-site assessment are required to submit their Attestation of Compliance (AOC).

Note: Please ensure that all assessments use the most current version of PCI DSS that applies to the reporting period.

Self-Assessment—Service providers that perform a self-assessment are required to complete PCI DSS Self-Assessment Questionnaire D and submit the Service Provider Version of the Attestation of Compliance.

Non-Compliant Service Provider

Discover requires service providers that are not fully compliant with the PCI DSS to complete the Prioritized Approach for PCI DSS worksheet or the "Action Plan for Non-Compliant Status" section of the Attestation of Compliance and send it along with a signed copy of the request letter.

Submission of an action plan to Discover Network shall not be deemed a waiver by Discover Network of its rights under any applicable agreement or operating regulations.

Report Submitted Annually

All service providers are required to submit a compliance report every year.


Contact Our Data Security Team

To report a data compromise or cardholder breach, call 1-800-347-3083. Or contact us for any compliance-related questions.