Cybersecurity, Information Security and Data Privacy

Protecting business, employee, and customer information is a top priority at Discover. Identity fraud cost U.S. consumers $5.9 billion in losses in 2021, with reports of identity theft more than doubling since 2019.¹ We continue to help protect our customers against identity theft and fraud, and to expand our suite of services to help a broader group of consumers combat both.

Discover provides free monitoring for millions of cardmembers. Once activated, we'll monitor thousands of Dark Web sites for their Social Security Number, monitor their Experian® credit report every day, and alert them when a new account shows up or if anyone pulls their credit.²

We also offer Identity Theft Protection, a fee-based service that monitors participating customers’ personal information online and at three major U.S. credit bureaus, alerts customers when suspicious activity is detected, and provides access to specialists to resolve issues. This affordable and comprehensive protection product works hard, offering benefits such as:

  • Credit balance, limit and utilization alerts.
  • Identity verification alerts.
  • Monitoring for up to 10 children.
  • Monthly three-bureau credit activity summaries.

Cybersecurity

Cybersecurity supports Discover in becoming the leading digital bank and payments partner by protecting employee and customer data. The Cybersecurity strategy is designed to guide the company in safeguarding the confidentiality, integrity, and availability of information assets. The Company recognizes the National Institute of Standards and Technology (“NIST”) definition of Information Security as being the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction.

$0 Fraud Liability

Discover's $0 Fraud Liability Guarantee means you're never responsible for unauthorized purchases on your Discover card account.

*An “unauthorized purchase” is a purchase where you have not given access to your card information to another person or a merchant for one-time or repeated charges. Please use reasonable care to protect your card and do not share it with employees, relatives, or friends. Learn more at Discover.com/fraudFAQ.

Discover Freeze it®

If customers are concerned that they misplaced their card, Discover Freeze it® allows them to freeze their accounts in seconds from the Discover mobile app or online. The service acts like an on/off switch. While cards are frozen, purchases, cash advances, and balance transfers will be stopped.

*When you freeze your account, Discover will not authorize new purchases, cash advances or balance transfers. However, some activity will continue, including merchant-indicated recurring bill payment, as well as returns, credits, dispute adjustments, delayed authorizations (such as some transit purchases), payments, Discover protection product fees, other account fees, interest, rewards redemptions and certain other exempted transactions.

Discover has three strategic cybersecurity priorities that guide our activities and support ongoing management of cybersecurity risks in alignment with our regulatory requirements and business objectives:

Cybersecurity Strategic Priorities

Integrate Cybersecurity Across Discover

  • Embed cybersecurity into business technology, third party vendors, and corporate functions.
  • Improve cybersecurity hygiene in day-to-day operations.

Improve Cybersecurity Capabilities

  • Improve and implement leading and emerging industry cybersecurity practices.
  • Adapt to the changing cybersecurity threat landscape.
  • Prioritize cybersecurity investments for business processes and services.
  • Maintain/mature operational resiliency.

Develop and Retain a Highly Skilled Cybersecurity Workforce

  • Drive ongoing advancement of cybersecurity resource skillsets and responsibilities.
  • Enhance cybersecurity awareness for all Discover employees.

Third-Party Assessments

Discover maintains dedicated information security risk functions to manage third-party information security risks. Our Business Technology Cybersecurity team conducts assessments of third parties to properly identify information security risk within third-party engagements. Discover is committed to a strong third-party information security risk management culture and oversight that ensures appropriate information security risk management is present within third-party engagements.

Information Security

Data and information are what drive our business. Therefore, Discover implements a robust governance framework, capabilities and controls to protect Discover and our customers’ information assets.

Policies and Standards

Our information security policies and standards provide a framework for the security of information assets and computer resources. They help ensure that security is maintained in a manner consistent with applicable laws and regulations such as the Gramm-Leach-Bliley Act and the Sarbanes-Oxley Act. Customer data confidentiality is also maintained via adherence to industry best practices and standards. Additionally, we help safeguard personal information through a wide range of technological, administrative, organizational and physical security measures.

Training

Discover’s Information Security Training and Awareness Program is dedicated to promoting awareness and understanding of safe practices related to information security. The program promotes a positive, risk‑aware culture where employees feel responsible and accountable for diligent, secure handling of data; are taught to recognize and report threats; and are empowered to protect the company, themselves and their families from cyber risks.

Incident Monitoring

Discover has a robust Incident Management Framework to identify, detect, protect, respond, and recover, helping to properly mitigate risk incidents. The organization has multiple teams, including the Security Intelligence & Incident Response Team (SIIRT) and the Security & Intelligence Operation Center (SIOC), who provide threat intelligence reporting and incident monitoring services including:

  • Governance structure and organization
  • An incident management program
  • Incident management and escalation principles
  • Requirements for testing and exercising the program
  • Risk management principles
  • External reporting guidance

Our Code of Conduct and related policies for ethical business conduct include specific guidelines about how employees should safeguard customers’ confidential information.

Data Privacy

We interact with customers in a variety of ways—from Discover websites to our mobile apps, online services and presence on social media sites—and treat their personal information with integrity and respect.

Our privacy governance structure fosters an environment in which individual business units have clear accountability for compliance with privacy laws, regulations, and our Privacy Policy.

Privacy Policies

Our Privacy Policy formalizes Discover’s commitment to protecting individuals’ personal information in accordance with applicable privacy laws, external privacy statements, and individuals’ preferences. The Privacy Policy applies to the entire life cycle of consumer and employee personal information, including its collection, use, retention, disclosure, and disposal by Discover. Additionally, the policy contains Discover’s commitment to comply with the letter and spirit of consumer privacy laws and regulations and how Discover effectively manages consumer contact risks.

Working Together to Maintain the Highest Standards of Data Privacy

Enterprise Compliance Programs team

  • Responsible for privacy compliance throughout the company; implements a framework to manage, monitor, mitigate, and report on compliance privacy risk.

Information Security Team

  • Oversight of data breach and incident management, as well as data sharing with contracted third parties.

Business Units

  • Own and proactively manage the risks to which they are exposed as a result of their activities and products, including those related to privacy.

Training

Employees are important gatekeepers in keeping data safe. Our Consumer Marketing training provides employees further insights into the personal information we have about consumers, the value of that information, and the need to safeguard it pursuant to law, public policy, and company policy. The training course:

  • Explains why privacy is important to Discover
  • Outlines employees’ roles in identifying and protecting consumer personal information
  • Guides employees to correctly handle personal information and privacy-related situations

Our Data Protection training expands beyond personal information and provides employees with guidance regarding our duty to protect private and proprietary information in our care, both for customers and employees. The course is designed to:

  • Provide an understanding of the intersections of data privacy and information security
  • Define the employee's role in protecting private and proprietary information
  • Educate employees on how to identify and handle data of varying sensitivities

Complaint Management

Discover's complaint management process provides for identification and intake of complaints and feedback, including those related to privacy. Complaints are reviewed and escalated where appropriate for prompt and appropriate response, tracking, and reporting. Additionally, trend analysis and complaint investigations are conducted to help identify potential issues and consumer experience improvement opportunities. When necessary, special investigation processes for elevated review are conducted by compliance teams, and as potential issues are identified, they flow through Discover's issue management processes.

We provide required consumer rights for European Union data subjects and California residents per the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), respectively. Additionally, customers can contact Discover to update their personal information as needed.

  1. According to the FTC’s 2021 Consumer Sentinel Network Data Book.
  2. Discover® Identity Alerts are offered by Discover Bank at no cost, only available online, and currently include the following services: (a) daily monitoring of your Experian® credit report and an alert when a new inquiry or account is listed on your report; (b) daily monitoring of thousands of Dark Web sites known for revealing personal information and an alert if your Social Security Number is found on such a website. This information is intended for, and only provided to, Primary credit cardmembers whose accounts are open, in good standing and have an email address on file. The Primary cardmember must agree online to receive identity alerts. Identity alert services are based on Experian® information and data which may differ from information and data at other credit bureaus. Monitoring your credit report does not impact your credit score. This benefit may change or end in the future. Discover Bank is not a credit repair organization as defined under federal or state law, including the Credit Repair Organizations Act. To see a list of Frequently Asked Questions, visit discover.com/freealerts.