Discover® Information Security & Compliance (DISC)
DISC overview
Data security is a top priority for Discover®. The Discover Information Security & Compliance (DISC) program was developed to implement and maintain efficient data security requirements and procedures for its partners, and to promote the adoption of secure transaction processing of cardholder data on the Discover® Global Network.
As a founding member, Discover works with other payments participants on an ongoing basis as part of the Payment Card Industry Security Standards Council, LLC (PCI SSC). The PCI SSC was created to develop and evolve the Payment Card Industry (PCI) security standards focused on protecting cardholder data throughout the payment transaction lifecycle. Discover is committed to the protection of payment card data, and thus the DISC program is aligned with the PCI security standards to help safeguard this data and limit data compromises.
To that end, any Merchants that accept Discover Global Network and Acquirers that process Discover transactions, as well as their acquired merchants, Service Providers, and Agents, must comply with the Payment Card Industry Data Security Standard (PCI DSS) at all times if they store, process, or transmit Discover Cardholder data on the Discover network.
DISC for Merchants
In addition to requiring compliance with the PCI Data Security Standard, Discover requires that each new implementation of payment applications by Merchants and their Agents is compliant with the Payment Card Industry Secure Software Standard. To learn more, please visit the PCI SSC website.
Moreover, Merchants accepting PIN entry on POS terminals must comply with Payment Card Industry PIN Security Requirements. To view the current PCI PIN standard, please visit the PCI SSC website.
Mobile Payments on COTS (MPoC), Contactless Payments on COTS (CPoC), and Software-based PIN Entry on COTS (SPoC) Standards provide security requirements for mobile applications to accept payments on a commercial off-the-shelf (COTS) mobile device (e.g., smartphone or tablet). Discover requires contactless mobile solutions to be compliant with applicable MPoC, CPoC, and SPoC standards in accordance with D-PAS and D-PAS Connect certification requirements.
For more information on MPoC, please visit the PCI SSC website.
DISC for Acquirers & Service Providers
There are separate compliance requirements for Acquirers and Service Providers. In addition to requiring compliance with the PCI Data Security Standard, Discover supports the PCI Secure Software Standard and strongly recommends that Acquirers ensure their Merchants, Service Providers and Agents use payment systems that have been validated as compliant with this standard.
For more information regarding PCI Data Security Standard or the PCI Secure Software Standard, please visit the PCI SSC website.
Moreover, Acquirers and their Agents who store, process, transfer or otherwise handle PIN numbers as part of a credit or debit card authorization process must comply with Payment Card Industry PIN Security Requirements. To view the current PCI PIN standard, please visit the PCI SSC website.
Mobile Payments on COTS (MPoC), Contactless Payments on COTS (CPoC), and Software-based PIN Entry on COTS (SPoC) Standards provide security requirements for mobile applications to accept payments on a commercial off-the-shelf (COTS) mobile device (e.g., smartphone or tablet). Discover requires contactless mobile solutions to be compliant with applicable MPoC, CPoC, and SPoC standards in accordance with D-PAS and D-PAS Connect certification requirements.
For more information on MPoC, please visit the PCI SSC website.
Issuers utilizing Card Production Vendors
Discover Global Network Issuers may only use vendors approved by DISC (“Approved Vendor*”) to provide them with goods and services related to the production of Cards. Such goods and services provided to the Issuer include, but are not limited to, Card manufacturing, personalization, and fulfillment in accordance with current security procedures and card specifications.
Issuers are allowed to choose their own Card Production Vendors to provide them with goods and services related to the production of Cards, as long as such vendors are compliant with PCI Card Production standards.
Contact our Data Security team
To report a data compromise or cardholder breach, call 1-800-347-3083. For any compliance-related questions, contact us.