*Level 3 Service Providers need not submit Validation Documentation, but still must comply with all other provisions of the Data Security Operating Policy. View the American Express Data Security Operating Policy (PDF).
Step 1: Determine your Service Provider Level and documentation requirements. If you have not already done so, please use the Service Provider Levels Chart to determine your Service Provider Level. Depending on your particular requirements, you may be asked to provide one or more of the following:
- Annual Onsite Security Assessment Validation Documentation
The Annual Onsite Security Assessment is a detailed onsite examination of Service Providers' equipment, systems, and networks (and their components) where Cardmember information is stored, processed, or transmitted.
- Annual Self Assessment Questionnaire
The Annual Self Assessment is a process using the PCI DSS Self-Assessment Questionnaire ("SAQ") that allows self-examination of Service Provider equipment, systems, and networks (and their components) where Cardmember information is stored, processed, or transmitted.
- Quarterly Network Scan Validation Documentation
The Quarterly Network Scan is a process that remotely tests a Service Provider's internet-connected computer networks and web servers for potential weaknesses and vulnerabilities. It must be performed by an Approved Scanning Vendor ("ASV").
Step 2: Once you have completed your Validation Documentation requirements, send the documentation to Trustwave by one of the methods listed in the Data Security Operating Policy Section 4.
- Non-Validation Fees and Termination of Agreement
American Express has the right to impose non-validation fees on Service Providers and terminate the Agreement if Service Providers do not fulfill these requirements or fail to provide the mandatory Validation Documentation to American Express by the applicable deadline.
AMERICAN EXPRESS HEREBY DISCLAIMS ANY AND ALL REPRESENTATIONS, WARRANTIES, AND LIABILITIES WITH RESPECT TO THIS DATA SECURITY OPERATING POLICY, THE PCI DSS, AND THE DESIGNATION AND PERFORMANCE OF QSAs, ASVs OR PFIs (OR ANY OF THEM), WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Data Incident Management Obligations
Service Providers must notify American Express immediately and in no case later than twenty-four (24) hours after discovery of a Data Incident.
To notify American Express, please contact the American Express Enterprise Incident Response Program (EIRP) at 1-602-537-3021 (24/7) or e-mail EIRP@aexp.com. Service Providers must designate an individual as their contact regarding such Data Incidents.
Please see the Data Security Operating Policy Section 2, for all details pertaining to Data Incident Management Obligations.