• store American Express cardholder data only to facilitate transactions for your acceptance of American Express cards;
• comply with the current version of the PCI DSS, no later than the effective date for implementing that version; and
• use, when deploying new or replacement PIN entry devices or payment applications (or both), only those that are PCI-approved.
You must protect all charge records and credit records retained in accordance with these data security provisions.
You must use these records only for purposes of your acceptance of American Express cards and you must safeguard the records accordingly.
Data incidents
If you discover a data incident you must:
• notify us immediately and in no case later than 24 hours after such discovery,
• conduct a thorough forensic investigation of each data incident; this must be conducted by a PCI forensic investigator (PFI) if the data incident involves 10,000 or more unique card numbers (or otherwise at our request),
• promptly provide to us all compromised card numbers and the forensic investigation report of the data incident,
• work with us to rectify any issues arising from the data incident, including consulting with us about your communications to card members affected by the data incident and providing (and obtaining any waivers necessary to provide) to us all relevant information to verify your ability to prevent future data incidents, and
• at our request, provide validation by a qualified security assessor (QSA) that the deficiencies have been remediated.
Forensic investigation reports must:
• include forensic reviews, reports on compliance, and all other information related to the data incident,
• identify the cause of the data incident,
• confirm whether or not you were in compliance with the PCI DSS at the time of the data incident, and
• verify your ability to prevent future data incidents by providing a plan for remediating all PCI DSS deficiencies.
American Express has the right to disclose information about any data incident to card members, issuers, other participants on the American Express network, and the general public as required by applicable law, by judicial, administrative, or regulatory order, decree, subpoena, request, or other process, in order to mitigate the risk of fraud or other harm, or otherwise to the extent appropriate to operate the American Express network.
Periodic validation of your systems
You must take steps to validate under PCI DSS annually and quarterly the status of your equipment, systems and networks (and their components) on which cardholder data and sensitive authentication data are stored, processed or transmitted.
Step 1 - Enroll in a compliance program
You must submit applicable periodic validation documentation to us. Please contact us for more information regarding data security compliance requirements.
Step 2 - Determine merchant level and validation requirements
Most merchant levels are based on the volume of transactions submitted by establishments. You will fall into one of the merchant levels specified in the following table.
Merchant level 1
  Definition: 2.5 million transactions or more per year, or any merchant that American Express otherwise deems a level 1 merchant
  Validation documentation: Annual on-site security assessment report and quarterly network scan (mandatory)
Merchant level 2
  Definition: 50,000 to 2.5 million transactions per year
  Validation documentation: Annual self-assessment questionnaire (SAQ) and quarterly network scan (mandatory)
Merchant level 3
  Definition: Less than 50,000 transactions per year
  Validation documentation: Annual SAQ and quarterly network scan (strongly recommended)
Merchant level 3*
  Definition: Less than 50,000 transactions per year and designated a level 3 merchant by American Express
  Validation documentation: Annual SAQ and quarterly network scan (mandatory)
* As designated by American Express
American Express may require certain level 3 merchants to enroll in American Express' compliance program. Such merchants must enroll no later than ninety (90) days following receipt of such notice from us. All other level 3 merchants need not submit validation documentation, but must comply with all other provisions of these data security provisions.
The validation documentation which you must send to us is as follows.
Annual on-site security assessment report
This is a detailed onsite examination of your equipment, systems, and networks (and their components) where cardholder data or sensitive authentication data (or both) are stored, processed, or transmitted.
YOU MUST:
• ensure that the annual onsite security assessment is performed by (i) a QSA or (ii) you and certified by your chief executive officer, chief financial officer, chief information security officer or principal,
• submit the AOC section of the SAQ annually to us, and include copies of the full SAQ upon request, and
• ensure that the AOC certifies compliance with all requirements of the PCI DSS.
Annual self-assessment questionnaire (SAQ)
This is a process using the PCI DSS self-assessment questionnaire (SAQ) that allows self-examination of your equipment, systems, and networks (and their components) where cardholder data or sensitive authentication data (or both) are stored, processed or transmitted.
YOU MUST:
• ensure that the SAQ is performed by you and certified by your chief executive officer, chief financial officer, chief information security officer or principal,
• submit the AOC section of the SAQ annually to us, and include copies of the full SAQ upon request, and
• ensure that the AOC of the SAQ certifies compliance with all requirements of the PCI DSS.
Quarterly network scan
The quarterly network scan is a process that remotely tests your internet-connected computer networks and web servers for potential weaknesses and vulnerabilities.
YOU MUST:
• ensure that the quarterly network scan is performed by an approved scanning vendor (ASV),
• complete and submit the ASV scan report attestation of scan compliance (AOSC) or executive summary of findings of the scan (and copies of the full scan, on request) quarterly to us, and
• ensure that the AOSC or executive summary certifies that (i) the results satisfy the PCI DSS scanning procedures, (ii) no high risk issues are identified, and (iii) the scan is passing or compliant.
Step 3 - Send the validation documentation to Participant
Compliance and validation are completed at your expense. By submitting validation documentation to us, you represent and warrant to us that you are authorized to disclose the information contained in it and are providing the validation documentation without violating any other party's rights.
Merchants not compliant with PCI DSS
If you are not compliant with the PCI DSS, then you must:
• complete and submit an AOC including "Part 4 Action Plan for Non-Compliant Status" to us,
• designate a remediation date, not to exceed twelve (12) months following the date of the AOC, for achieving compliance, and
• provide us with periodic updates of your progress toward remediation under the "Action Plan for Non-Compliant Status".
Non-validation fees and termination of right to accept cards
We have the right to impose non-validation fees on you and terminate your right to accept cards if you do not fulfill these requirements or fail to provide the mandatory validation documentation to us by the applicable deadline.
We will notify you separately of the applicable deadline for each annual and quarterly reporting period. If we do not receive your mandatory validation documentation, then we have the right to terminate your right to accept cards and to impose non-validation fees on you.
Periodic validation of level EMV merchants
Your merchant level may be classified as EMV if you submit 50,000 (or more) American Express card transactions per year, of which at least 75% are made by the card member with the physical card present at a point of sale system compliant with EMV specifications and capable of processing contact and contactless transactions on a chip-enabled device.
If you are classified as merchant level EMV, you may submit the annual EMV attestation (AEA) instead of other validation documentation, in which case you must submit the AEA annually to us. Even if you fall into merchant level 1 or 2, if you are classified as merchant level EMV, you only need to submit the AEA, and not the other merchant level 1 and 2 validation documentation.
The AEA involves a process using PCI DSS requirements that allows self-examination of your equipment, systems, and networks (and their components) where cardholder data or sensitive authentication data (or both) are stored, processed or transmitted.
The AEA must:
• be performed by you,
• be certified by your chief executive officer, chief financial officer, chief information security officer, or principal, and
• certify that you meet the requirements for merchant level EMV.