About your compliance requirements
All Merchants are required to adhere to the American Express Data Security Operating Policy, including compliance with the Payment Card Industry Data Security Standard (PCI DSS). In addition, some Merchants may be required to take additional steps to validate their data security.
Step 1 is to determine your Merchant Level and documentation requirements. View the ‘What’s your level?’ tab above for this information. Depending on your level, you may be asked to provide one or both of the following:
1. Annual Onsite Security Assessment Validation Documentation
The Annual Onsite Security Assessment is a detailed onsite examination of a Merchant's technical and operational systems, equipment and networks (and their components) where Cardmember information is processed, stored, or transmitted. The assessment may be performed by a Qualified Security Assessor (QSA) or by the Merchant itself, provided the result is certified by the Chief Executive Officer, Chief Financial Officer, or principal of the Merchant. A list of assessors can be found at
The assessor completes a Report on Compliance (ROC), which documents the environment assessed and the results of the assessment. An Attestation of Compliance (AOC) form accompanies the ROC and is completed by the Merchant or the QSA. American Express accepts either the AOC or the executive summary of the ROC as suitable validation documentation.
2. Quarterly Network Scan Validation Documentation
The Quarterly Network Scan is a process that tests a Merchant's Internet-facing infrastructure, such as web servers and network devices, for potential weaknesses and vulnerabilities. The test is performed remotely and must be performed by an Approved Scanning Vendor (ASV). A list of ASVs can be found at
American Express accepts either the executive summary of a passing vulnerability scan or the Attestation of Scan Compliance (AOSC) for that scan.
Step 2: once you have completed your validation documentation requirements, please upload your documents to Trustwave using our secure portal. For instructions on how to access and use this portal, you may contact Trustwave at +800 9000 11401 or via email at firstname.lastname@example.org.
Non-Validation Fees and Termination of Card Acceptance Agreement
Please note that Merchants who do not comply with this policy risk incurring fees for non-validation of their PCI DSS compliance status and potential termination of their American Express Card Acceptance Agreement.