All Service Providers are required to adhere to the American Express Data Security Operating Policy, including compliance with the Payment Card Industry Data Security Standard. In addition, some Service Providers may be required to take additional steps to ensure data security.
Step 1 is to determine your Service Provider Level and documentation requirements. If you have not already done so, please view the ‘Service Provider Levels’ tab above to determine which level your business falls under.
Depending on your particular requirements, you may be asked to provide any of the following:
Annual Onsite Security Assessment Validation Documentation – The Annual Onsite Security Assessment is a detailed onsite examination of your equipment, systems, and networks (and their components) where Cardholder Data or Sensitive Authentication Data (or both) are stored, processed or transmitted.
Annual Self-Assessment Questionnaire Validation Documentation – The Annual Self-Assessment is a process using the PCI DSS Self-Assessment Questionnaire (“SAQ”) that allows self-examination of your equipment, systems, and networks (and their components) where Cardholder Data or Sensitive Authentication Data (or both) are stored, processed, or transmitted. It must be performed by you and certified by your chief executive officer, chief financial officer, chief information security officer, or principal. The AOC section of the SAQ must be submitted annually to American Express. To fulfill validation obligations under this policy, the AOC section of the SAQ must certify your compliance with all requirements of the PCI DSS, and full copies of the SAQ must be provided on request.
Quarterly Network Scan Validation Documentation – The Quarterly Network Scan is a process that remotely tests your internet-connected computer networks and web servers for potential weaknesses and vulnerabilities. It must be performed by an Approved Scanning Vendor (“ASV”). You must complete and submit the ASV Scan Report Attestation of Scan Compliance (“AOSC”) or the executive summary of findings of the scan quarterly to American Express.
Once you have completed your requirements, you should send your validation documentation by one of these methods:
Secure Portal: Validation Documentation may be uploaded via Trustwave’s secure portal. Please contact Trustwave at 000-800-100-4058 or via email at AmericanExpressCompliance@trustwave.com for instructions on using this portal.
Secure Fax: Validation Documentation may be faxed to: +1 (312) 276-4019. Please include your name, DBA (Doing Business As) name, the name of your data security contact, your address and phone number, and, for merchants only, your 10-digit American Express merchant number.
Mail: Validation Documentation may be copied in an encrypted format onto a compact disc. Place the disc in an envelope marked “Mandatory” and mail it to:
American Express - DSOP Compliance Program
70 West Madison, Suite 1050
Chicago, IL 60602 USA
E-mail the encryption key required to decrypt the Validation Documentation, along with your name, DBA (Doing Business As) name, the name of your data security contact, your address and phone number, and, for merchants only, your 10-digit American Express merchant number, to Trustwave at AmericanExpressCompliance@trustwave.com.
Non-Compliance Fees and Termination of Card Acceptance Agreement
Service Providers risk incurring fees for non-validation of compliance and potential termination of their American Express Card Acceptance Agreement if they do not comply with this policy.