Service Provider Compliance
All Service Providers, including Acquirers, Processors and Gateway Providers who store, process, or transmit Discover® Cardholder data are required to comply with the PCI DSS. They may be required to report their compliance status upon a request from Discover.
Service Provider levels

Level 1
Description:
- All Service Providers that store, process and/or transmit over 300,000 Discover card transactions per year.
- Any service provider that Discover, in its sole discretion, determines should meet the Level 1 compliance validation and reporting requirements.

Level 2
Description:
- All Service Providers that store, process and/or transmit less than 300,000 Discover card transactions per year.
Validation and reporting requirements for Service Providers

Level 1
Validation:
- Annual on-site assessment using the PCI DSS Requirements and PCI DSS Security Assessment Procedures performed by a Qualified Security Assessor
- Complete Quarterly Network Vulnerability Scans performed by an Approved Scanning Vendor (ASV)
Reporting:
- Attestation of Compliance from Report on Compliance (ROC)

Level 2
Validation:
- Annual self-assessment using the applicable PCI DSS Self-Assessment Questionnaire (SAQ)
- Complete Quarterly Network Vulnerability Scans performed by an ASV
Reporting:
- Attestation of Compliance (AOC) located in the Service Provider SAQ upon a request from Discover
Note: Discover reserves the right to request a copy of a Service Provider’s PCI DSS Report on Compliance (ROC) or Self-Assessment Questionnaire (SAQ) at its discretion. The Service Provider must comply with the request promptly.
Service Provider compliance assessments
All Service Providers, including Acquirers and Acquirer Processors that store, process, or transmit Discover Cardholder data on the Discover network may be required to report their compliance annually upon a request from Discover. To validate and report their compliance status to Discover Network, Service Providers submit one of the following:
On-site assessment
Service Providers that completed an on-site assessment are required to submit their PCI DSS Attestation of Compliance (AOC).
Note: Please ensure that all assessments use the most current version of PCI DSS that applies to the reporting period.
Self-assessment
Service Providers performing a self-assessment are required to complete the PCI DSS Self-Assessment Questionnaire D for Service Providers and its Attestation of Compliance (AOC).
Non-compliant Service Provider
Discover requires Service Providers that are not compliant with the PCI DSS to complete the PCI Prioritized Approach Tool worksheet or the "Action Plan for Non-Compliant Status" section in the PCI Attestation of Compliance (AOC).
Submission of an action plan to Discover Global Network shall not be deemed a waiver by Discover Global Network of its rights under any applicable agreement or operating regulations.
Report submitted annually
All Service Providers are required to submit a PCI compliance report every year.
Contact our Data Security team
To report a data compromise or cardholder breach, call 1-800-347-3083. Or contact us for any compliance-related questions.