Compliance Requirements for Merchants
All merchants are required to adhere to the American Express Data Security Operating Policy, including complying with the Payment Card Industry Data Security Standard. In addition, some merchants may be required to take additional steps to ensure data security.

Step 1: Determine your Merchant Level and documentation requirements. If you have not already done so, please see the Merchant Levels Chart to determine your Merchant Level.
Depending on your particular requirements, you may be asked to provide one or more of the following:

Annual Onsite Security Assessment Validation Documentation
The Annual Onsite Security Assessment is a detailed onsite examination of Merchant equipment, systems, and networks (and their components) where Cardmember Information is stored, processed, or transmitted.

Annual Self Assessment Questionnaire
The Annual Self Assessment is a process using the PCI DSS Self-Assessment Questionnaire ("SAQ") that allows self-examination of merchant equipment, systems, and networks (and their components) where Cardmember Information is stored, processed, or transmitted.

Quarterly Network Scan Validation Documentation
The Quarterly Network Scan is a process that remotely tests a Merchant's internet-connected computer networks and web servers for potential weaknesses and vulnerabilities. It must be performed by an Approved Scanning Vendor ("ASV").

Annual EMV Attestation Validation Documentation
You must complete the Annual EMV Attestation ("AEA") process by submitting the AEA form annually to American Express. The AEA form must certify that you have 50,000 American Express Card Transactions or more per year, of which at least 75% are made by the Cardmember with the physical Card present at a Point of Sale System that is compliant with EMV Specifications and capable of processing contact and contactless American Express Chip Cards.

Step 2: Once you have completed your Validation Documentation Requirements, send the documentation to Trustwave by one of the methods listed in the Data Security Operating Policy, Section 4.

Non-Validation Fees and Termination of Agreement
American Express has the right to impose non-validation fees on merchants and terminate the Agreement if merchants do not fulfill these requirements or fail to provide the mandatory Validation Documentation to American Express by the applicable deadline.

Disclaimer
AMERICAN EXPRESS HEREBY DISCLAIMS ANY AND ALL REPRESENTATIONS, WARRANTIES, AND LIABILITIES WITH RESPECT TO THIS DATA SECURITY OPERATING POLICY, THE PCI DSS, AND THE DESIGNATION AND PERFORMANCE OF QSAs, ASVs, or PFIs (OR ANY OF THEM), WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.