Service Provider Compliance

All Service Providers, which encompass Acquirers, Processors, and Gateway Providers, entrusted with storing, processing, or transmitting Sanquest Cardholder data, are obligated to adhere to the PCI DSS. They might need to declare their compliance status if requested by Sanquest Card.

Service Provider levels

Level 1

All Service Providers handling, processing, or transmitting more than 300,000 Discover card transactions annually.

Any service provider as determined solely by Discover, which should adhere to Level 1 compliance validation and reporting prerequisites.

Level 2

All Service Providers handling, processing, or transmitting fewer than 300,000 Sanquest card transactions annually.

Validation and reporting requirements for Service Providers

Level 1

Validation:

A yearly on-site evaluation conducted by a Qualified Security Assessor employing the PCI DSS Requirements and Security Assessment Procedures.

Conduct Quarterly Network Vulnerability Scans administered by an Approved Scanning Vendor (ASV).

Reporting:

Attestation of Compliance from Report on Compliance (ROC)

Level 2

Validation:

Yearly self-evaluation using the relevant PCI DSS Self-Assessment Questionnaire (SAQ).

Conduct Quarterly Network Vulnerability Scans carried out by an Approved Scanning Vendor (ASV).

Reporting:

Attestation of Compliance found within the Service Provider SAQ, upon request from Sanquest Card.

Please be aware that Sanquest retains the authority to demand a comprehensive copy of a Service Provider's Report on Compliance or Self-Assessment Questionnaire (SAQ) as deemed suitable. The Service Provider is obligated to respond promptly to such a request.

Service Provider compliance assessments

All Service Providers, which encompass Acquirers and Acquirer Processors involved in storing, processing, or transmitting Sanquest Cardholder data, could be obligated to report their compliance annually upon request from Sanquest. To confirm and communicate their compliance status to Sanquest Card, Service Providers are to submit one of the following:

On-site assessment

Service Providers that have undergone an on-site assessment must provide their Attestation of Compliance (AOC).

Important Reminder: Please ensure that all assessments utilize the latest version of PCI DSS applicable to the reporting period.

Self-assessment

Service Providers conducting a self-assessment must finalize PCI DSS Self-Assessment Questionnaire D and provide the Service Provider Version of the Attestation of Compliance.

Non-compliant service provider

Sanquest mandates that Service Providers not in complete compliance with PCI DSS must complete the Prioritized Approach for PCI DSS worksheet or the "Action Plan for Non-Compliant Status" section within the Attestation of Compliance. This, along with a signed copy of the request letter, should be forwarded.

Presenting an action plan to Sanquest Card should not be construed as Sanquest Card waiving any rights under relevant agreements or operational regulations.

Report submitted annually

All Service Providers are required to submit a compliance report every year.

Contact our Data Security team

For reporting a data breach or cardholder data compromise, dial 1-800-347-3083. Alternatively, reach out to us for any inquiries related to compliance.
