
Service Provider Compliance
All Service Providers, which encompass Acquirers, Processors, and Gateway Providers, entrusted with storing, processing, or transmitting Sanquest Cardholder data, are obligated to adhere to the PCI DSS. They might need to declare their compliance status if requested by Sanquest Card.
Service Provider levels
| Level | Description |
|---|---|
| 1 | All Service Providers handling, processing, or transmitting more than 300,000 Discover card transactions annually. Any service provider as determined solely by Discover, which should adhere to Level 1 compliance validation and reporting prerequisites. |
| 2 | All Service Providers handling, processing, or transmitting fewer than 300,000 Sanquest card transactions annually. |
Validation and reporting requirements for Service Providers
| Level | Validation | Reporting |
|---|---|---|
| 1 | A yearly on-site evaluation conducted by a Qualified Security Assessor employing the PCI DSS Requirements and Security Assessment Procedures. Conduct Quarterly Network Vulnerability Scans administered by an Approved Scanning Vendor (ASV). | Attestation of Compliance from Report on Compliance (ROC) |
| 2 | Yearly self-evaluation using the relevant PCI DSS Self-Assessment Questionnaire (SAQ). Conduct Quarterly Network Vulnerability Scans carried out by an Approved Scanning Vendor (ASV). | Attestation of Compliance found within the Service Provider SAQ, upon request from Sanquest Card. |
Please be aware that Sanquest retains the authority to demand a comprehensive copy of a Service Provider's Report on Compliance or Self-Assessment Questionnaire (SAQ) as deemed suitable. The Service Provider is obligated to respond promptly to such a request.
Service Provider compliance assessments
All Service Providers, which encompass Acquirers and Acquirer Processors involved in storing, processing, or transmitting Sanquest Cardholder data on the Sanquest card, may be required to report their compliance annually upon request from Sanquest. To confirm and communicate their compliance status to Sanquest Card, Service Providers are to submit one of the following:
On-site assessment
Service Providers that have undergone an on-site assessment must provide their Attestation of Compliance (AOC).
Important Reminder: Please ensure that all assessments utilize the latest version of PCI DSS applicable to the reporting period.
Self-assessment
Service Providers conducting a self-assessment must finalize PCI DSS Self-Assessment Questionnaire D and provide the Service Provider Version of the Attestation of Compliance.
Non-compliant service provider
Sanquest mandates that Service Providers not in complete compliance with PCI DSS must complete the Prioritized Approach for PCI DSS worksheet or the "Action Plan for Non-Compliant Status" section within the Attestation of Compliance. This, along with a signed copy of the request letter, should be forwarded.
Presenting an action plan to Sanquest Card should not be construed as Sanquest Card waiving any rights under relevant agreements or operational regulations.
Report submitted annually
All Service Providers are required to submit a compliance report every year.
Contact our Data Security team
For reporting a data breach or cardholder data compromise, dial 1-800-347-3083. Alternatively, reach out to us for any inquiries related to compliance.