Compliance Requirements for Merchants
All Merchants are required to adhere to the American Express Data Security Operating Policy, including compliance with the Payment Card Industry Data Security Standard. In addition, some Merchants may be required to take additional steps to ensure data security.
Step 1 is to determine your Merchant Level and documentation requirements. If you have not already done so, please see the Merchant Levels Chart to determine which level your business falls under.
Depending on your particular requirements, you may be asked to provide one or more of the following:
Annual Onsite Security Audit Validation Documentation The Annual Onsite Security Audit is a detailed onsite examination of a Merchant's equipment, systems and networks (and their components) where Cardmember information is processed, stored, or transmitted
Quarterly Network Scan Validation Documentation The Quarterly Network Scan is a process that tests a Merchant's internet-connected computer networks and web servers for potential weaknesses and vulnerabilities. This test is performed remotely and must be undertaken by a third party security assessor acceptable to American Express
Annual Self ssessment Questionnaire The PCI Data Security Standard Self-Assessment Questionnaire (SAQ) is a validation tool intended to assist merchants in self-evaluating their compliance with the Payment Card Industry Data Security Standard (PCI DSS). For more information on the Self-Assessment Questionnaire, please visit the PCI SSC website at www.pcisecuritystandards.org/tech/saq.htm
Step 2 Once you have completed your requirements, you should send your validation documentation on a compact disc, in the required formats, to the following address, as detailed in the Data Security Operating Policy.
American Express Payments Europe, S.L.. GNO Data Security Unit PO Box 54886 London, SW1W 0YW United Kingdom
Non-Compliance Fees and Termination of Card Acceptance Agreement
Merchants risk incurring fees for non-validation of compliance and potential termination of their American Express Card Acceptance Agreement if they do not comply with this policy.
|