All Service Providers are required to adhere to the American Express Data Security Operating Policy, including compliance with the Payment Card Industry Data Security Standard. In addition, some Merchants may be required to take additional steps to ensure data security.
Step 1 is to determine your Merchant Level and documentation requirements. If you have not already done so, please view the ‘Merchant Levels’ tab above to determine which level your business falls under.
Depending on your particular requirements, you may be asked to provide any of the following:
Annual Onsite Security Assessment Validation Documentation – The Annual Onsite Security Assessment is a detailed onsite examination of your equipment, systems, and networks (and their components) where Cardholder Data or Sensitive Authentication Data (or both) are stored, processed or transmitted.
Annual Self Assessment Questionnaire Validation Documentation – The Annual Self Assessment is a process using the PCI DSS Self-Assessment Questionnaire (“SAQ”) that allows self-examination of your equipment, systems, and networks (and their components) where Cardholder Data or Sensitive Authentication Data (or both) are stored, processed, or transmitted. It must be performed by you and certified by your chief executive officer, chief financial officer, chief information security officer, or principal. The AOC section of the SAQ must be submitted annually to American Express. To fulfill validation obligations under this policy, the AOC section of the SAQ must certify your compliance with all requirements of the PCI DSS and include full copies of the SAQ on request.
Quarterly Network Scan Validation Documentation – The Quarterly Network Scan is a process that remotely tests your internet-connected computer networks and web servers for potential weaknesses and vulnerabilities. It must be performed by an Approved Scanning Vendor (“ASV”). You must complete and submit the ASV Scan Report Attestation of Scan Compliance (“AOSC”) or the executive summary of findings of the scan quarterly to American Express.
Annual EMV Attestation Validation Documentation – You must complete the Annual EMV Attestation (“AEA”) process by submitting the AEA form annually to American Express. The AEA form must certify that you have 50,000 American Express Card Transactions or more per year, of which total Transactions at least 75% are made by the Cardmember with the physical Card present at a Point of Sale System compliant with EMV Specifications and capable of processing contact and contactless American Express Chip Cards.
Step 2. Once you have completed your requirements, you should send your validation documentation by one of these methods:
Secure Portal: Validation Documentation may be uploaded via Trustwave’s secure portal. Please contact Trustwave at 000-800-100-4058 or via email at AmericanExpressCompliance@trustwave.com for instructions on using this portal.
Secure Fax: Validation Documentation may be faxed to: +1 (312) 276-4019. Please include your name, DBA (Doing Business As) name, the name of your data security contact, your address and phone number, and, for merchants only, your 10-digit American Express merchant number.
Mail: Validation Documentation may be copied in an encrypted format onto a compact disc. Place it in an envelope marked “Mandatory” and mail to:
American Express - DSOP Compliance Program
70 West Madison, Suite 1050
Chicago, IL 60602 USA
E-mail the encryption key required to decrypt the Validation Documentation, along with your name, DBA (Doing Business As) name, the name of your data security contact, your address and phone number and, for merchants only, your 10-digit American Express merchant number, to Trustwave at AmericanExpressCompliance@trustwave.com.
Non-Compliance Fees and Termination of Card Acceptance Agreement
Merchants risk incurring fees for non-validation of compliance and potential termination of their American Express Card Acceptance Agreement if they do not comply with this policy.