
Service Providers are third-party organizations that provide services to Merchants and other users related to the processing of American Express transactions. Service Providers include Authorized Processors, Third Party Processors, Gateway Providers, and any other providers to Merchants of Point of Sale equipment, software, or systems or other payment processing solutions or services.

Service Providers, like Merchants, must agree to the American Express Data Security Operating Policy (pdf) and comply with the Payment Card Industry Data Security Standards.
Most Service Provider Levels are based on your annual volume of American Express Card transactions. Service Providers fall into one of three levels specified in the table below:

Service Provider Levels

*Level 3 Service Providers need not submit Validation Documentation, but still must comply with all other provisions of the Data Security Operating Policy. View the American Express Data Security Operating Policy (PDF).
All Service Providers are required to adhere to the American Express Data Security Operating Policy (pdf), including complying with the Payment Card Industry Data Security Standard.

Step 1: Determine your Service Provider Level and documentation requirements. If you have not already done so, please use the Service Provider Levels chart to determine your Service Provider Level. Depending on your level, you may be asked to provide one or more of the following:
  • Annual Onsite Security Assessment Validation Documentation
    The Annual Onsite Security Assessment is a detailed onsite examination of the Service Provider's equipment, systems, and networks (and their components) where Cardmember information is stored, processed, or transmitted.
  • Annual Self-Assessment Questionnaire
    The Annual Self-Assessment is a process using the PCI DSS Self-Assessment Questionnaire ("SAQ") that allows self-examination of the Service Provider's equipment, systems, and networks (and their components) where Cardmember information is stored, processed, or transmitted.
  • Quarterly Network Scan Validation Documentation
    The Quarterly Network Scan is a process that remotely tests a Service Provider's internet-connected computer networks and web servers for potential weaknesses and vulnerabilities. It must be performed by an Approved Scanning Vendor ("ASV").


Step 2: Once you have completed your Validation Documentation requirements, send the documentation to Trustwave by one of the methods listed in Section 4 of the Data Security Operating Policy.
  • Non-Validation Fees and Termination of Agreement
    American Express has the right to impose non-validation fees on Service Providers and terminate the Agreement if Service Providers do not fulfill these requirements or fail to provide the mandatory Validation Documentation to American Express by the applicable deadline.

    Disclaimer
    AMERICAN EXPRESS HEREBY DISCLAIMS ANY AND ALL REPRESENTATIONS, WARRANTIES, AND LIABILITIES WITH RESPECT TO THIS DATA SECURITY OPERATING POLICY, THE PCI DSS, AND THE DESIGNATION AND PERFORMANCE OF QSAs, ASVs OR PFIs (OR ANY OF THEM), WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Data Incident Management Obligations

Service Providers must notify American Express immediately and in no case later than twenty-four (24) hours after discovery of a Data Incident.

To notify American Express, contact the American Express Enterprise Incident Response Program (EIRP) at 1-602-537-3021 (24/7) or by e-mail at EIRP@aexp.com. Service Providers must designate an individual as their contact regarding such Data Incidents.
Please see Section 2 of the Data Security Operating Policy for all details pertaining to Data Incident Management Obligations.