Compliance Requirements for Merchants
All Merchants are required to adhere to the American Express Data Security Operating Policy, including complying with the Payment Card Industry Data Security Standard. In addition, some Merchants may be required to take additional steps to ensure data security.
Step 1 is to determine your Merchant Level and documentation requirements. If you have not already done so, please see the Merchant Levels Chart to determine your Merchant Level.
Depending on your particular requirements, you may be asked to provide one or more of the following:
Annual Onsite Security Assessment Validation Documentation
The Annual Onsite Security Assessment is a detailed onsite examination of a Merchant’s equipment, systems, and networks (and their components) where Cardmember Information is stored, processed, or transmitted.
Annual Self Assessment Questionnaire
The Annual Self Assessment is a process using the PCI DSS Self-Assessment Questionnaire ("SAQ") that allows self-examination of a Merchant’s equipment, systems, and networks (and their components) where Cardmember Information is stored, processed, or transmitted.
Quarterly Network Scan Validation Documentation
The Quarterly Network Scan is a process that remotely tests a Merchant's internet-connected computer networks and web servers for potential weaknesses and vulnerabilities. It must be performed by an Approved Scanning Vendor ("ASV").
Step 2 is to submit your documentation. Once you have completed your Validation Documentation requirements, send the documentation to Trustwave by one of the methods listed in Section 4 of the Data Security Operating Policy.
Non-Validation Fees and Termination of Agreement
American Express has the right to impose non-validation fees on Merchants and terminate the Agreement if Merchants do not fulfill these requirements or fail to provide the mandatory Validation Documentation to American Express by the applicable deadline.
AMERICAN EXPRESS HEREBY DISCLAIMS ANY AND ALL REPRESENTATIONS, WARRANTIES, AND LIABILITIES WITH RESPECT TO THIS DATA SECURITY OPERATING POLICY, THE PCI DSS, AND THE DESIGNATION AND PERFORMANCE OF QSAs, ASVs, OR PFIs (OR ANY OF THEM), WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.