Compliance Requirements for Service Providers
All Service Providers are required to adhere to the American Express Data Security Operating Policy, including compliance with the Payment Card Industry Data Security Standard.
In addition, Service Providers must take the following steps annually or quarterly:
Annual Onsite Security Audit Validation Documentation The Annual Onsite Security Audit is a detailed onsite examination of a Service Provider's equipment, systems, and networks (and their components) where Cardmember information is processed, stored, or transmitted
Quarterly Network Scan Validation Documentation The Quarterly Network Scan is a process that tests a Service Provider's internet-connected computer networks and web servers for potential weaknesses and vulnerabilities. This test is performed remotely, and must be undertaken by a third party security assessor acceptable to American Express
Step 2 Once you have completed your requirements, you should send your validation documentation on a compact disc, in the required formats, to the following address, as detailed in the Data Security Operating Policy.
American Express Payments Europe, S.L.. GNO Data Security Unit PO Box 54886 London, SW1W 0YW United Kingdom
Non-Compliance Fees and Termination of Card Acceptance Agreement
Service Providers risk incurring fees for non-validation of compliance and potential termination of their American Express Card Acceptance Agreement if they do not comply with this policy.
Disclaimer Except as otherwise specified in this policy, a Service Provider's compliance with the Data Security Operating Policy shall not in any way relieve its indemnity obligations to American Express under its agreement with American Express, nor relieve or decrease its liability in any way. Service Providers are responsible at their sole expense for providing additional data security measures that they deem necessary to protect their particular data and interests. American Express does not in any way represent or warrant that the measures contained in such agreement or this policy are sufficient or adequate to protect Service Provider's particular data and interests. AMERICAN EXPRESS HEREBY DISCLAIMS ANY AND ALL REPRESENTATIONS, WARRANTIES, AND LIABILITIES WITH RESPECT TO THIS DATA SECURITY OPERATING POLICY, THE PCI STANDARD, AND THE DESIGNATION AND PERFORMANCE OF THIRD PARTY SECURITY ASSESSORS, WHETHER EXPRESSED, IMPLIED, STATUTORY, OR OTHERWISE, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
|