Compliance Requirements for Merchants
All Merchants are required to adhere to the American Express Data Security Operating Policy, including compliance with the Payment Card Industry Data Security Standard. In addition, some Merchants may be required to take additional steps to ensure data security.

Step 1 is to determine your Merchant Level and documentation requirements. If you have not already done so, please see the Merchant Levels Chart to determine which level your business falls under.
Depending on your particular requirements, you may be asked to provide one or more of the following:

Annual Onsite Security Audit Validation Documentation
The Annual Onsite Security Audit is a detailed onsite examination of a Merchant's equipment, systems and networks (and their components) where Cardmember information is processed, stored, or transmitted.

Quarterly Network Scan Validation Documentation
The Quarterly Network Scan is a process that tests a Merchant's internet-connected computer networks and web servers for potential weaknesses and vulnerabilities. This test is performed remotely and must be undertaken by a third-party security assessor acceptable to American Express.

Annual Self-Assessment Questionnaire
The PCI Data Security Standard Self-Assessment Questionnaire (SAQ) is a validation tool intended to assist merchants in self-evaluating their compliance with the Payment Card Industry Data Security Standard (PCI DSS). For more information on the Self-Assessment Questionnaire, please visit the PCI SSC website at www.pcisecuritystandards.org/tech/saq.htm

Step 2: Once you have completed your requirements, you should send your validation documentation on a compact disc, in the required formats, to the following address, as detailed in the Data Security Operating Policy.

American Express Payments Europe, S.L.
GNO Data Security Unit
PO Box 54886
London, SW1W 0YW
United Kingdom

Non-Compliance Fees and Termination of Card Acceptance Agreement
Merchants risk incurring fees for non-validation of compliance and potential termination of their American Express Card Acceptance Agreement if they do not comply with this policy.