2020-112 - Laserfiche WebLink

Home Browse Search

• store American Express cardholder data only to facilitate transactions for your acceptance of American Express cards; • comply with the current version of the PCI DSS, no later than the effective date for implementing that version; and • use, when deploying new or replacement PIN entry devices or payment applications (or both), only those that are PCI -approved. You must protect all charge records and credit records retained in accordance with these data security provisions. You must use these records only for purposes of your acceptance of American Express cards and you must safeguard the records accordingly. Data incidents If you discover a data incident, you must: • notify us immediately and in no case later than 24 hours after such discovery; • conduct a thorough forensic investigation of each data incident; this must be conducted by a PCI forensic investigator (PFI) if the data incident involves 10,000 or more unique card numbers (or otherwise at our request); • promptly provide to us all compromised card numbers and the forensic investigation report of the data incident; • work with us to rectify any issues arising from the data incident, including consulting with us about your communications to card members affected by the data incident and providing (and obtaining any waivers necessary to provide) to us all relevant information to verify your ability to prevent future data incidents; and • at our request, provide validation by a qualified security assessor (QSA) that the deficiencies have been remediated. Forensic investigation reports must: • include forensic reviews, reports on compliance, and all other information related to the data incident; • identify the cause of the data incident; • confirm whether or not you were in compliance with the PCI DSS at the time of the data incident: and • verify your ability to prevent future data incidents by providing a plan for remediating all PCI DSS deficiencies. American Express has the right to disclose information about any data incident to card members, issuers, other participants on the American Express network, and the general public as required by applicable law, by judicial, administrative, or regulatory order, decree, subpoena, request, or other process; in order to mitigate the risk of fraud or other harm; or otherwise to the extent appropriate to operate the American Express network. Periodic validation of your systems You must take steps to validate under PCI DSS annually and quarterly the status of your equipment, systems and networks (and their components) on which cardholder data and sensitive authentication data are stored, processed or transmitted. Step 3 - Send the validation documentation to Participant Step 1 - Enroll in a compliance program Compliance and validation are completed at your expense. By submitting validation You must submit applicable periodic validation documentation to us. Please contact documentation to us, you represent and warrant to us that you are authorized to us for more information regarding data security compliance requirements. disclose the information contained in it and are providing the validation Step 2 - Determine merchant level and validation requirements documentation without violating any other party's rights. Most merchant levels are based on the volume of transactions submitted by Merchants not compliant with PCI DSS establishments. You will fall into one of the merchant levels specified in the following If you are not compliant with the PCI DSS, then you must: table: • complete and submit an AOC including "Part 4. Action Plan for Non -Compliant Merchant Definition Validation Requirement Status" to us; Level documentation • designate a remediation date, not to exceed twelve (12) months following the date of the AOC, for achieving compliance; and 1 2.5 million transactions or Annual on-site security Mandatory • provide us with periodic updates of your progress toward remediation under the more per year; or any assessment report and "Action Plan for Non -Compliant Status." merchant that American quarterly network scan Non -validation fees and termination of right to accept cards We have the right to impose non -validation fees on you and terminate your right to Express el 1 merchant accept cards if you do not fulfill these requirements or fails to provide the mandatory a level 1 merchant validation documentation to us by the applicable deadline. We will notify you separately of the applicable deadline for each annual and quarterly reporting period. If we do not receive your mandatory validation documentation, then we have the right to terminate your right to accept cards and to impose non -validation fees on you. Periodic validation of level EMV merchants Your merchant level may be classified as EMV if you submit 50,000 (or more) American Express card transactions per year, of which at least 75% are made by the card member with the physical card present at a point of sale system compliant with EMV specifications and capable of processing contact and contactless transactions on a chip -enabled device. If you are classified as merchant level EMV, you may submit the annual EMV attestation (AEA) instead of other validation documentation, in which case you must submit the AEA annually to us. Even if you fall into merchant level 1 or 2, if you are classified as merchant level EMV, you only need to submit the AEA, and not the other merchant level 1 and 2 validation documentation. The AEA involves a process using PCI DSS requirements that allows self- examination of your equipment, systems, and networks (and their components) where cardholder data or sensitive authentication data (or both) are stored, processed or transmitted. The AEA must: • be performed by you; • be certified by your chief executive officer, chief financial officer, chief information security officer, or principal; and • certify that you meet the requirements for merchant level EMV. 2 50,000 to 2.5 million Annual self-assessment Mandatory transactions per year questionnaire (SAQ) and quarterly network scan 3 Less than 50,000 Annual SAQ and quarterly Strongly transactions per year network scan recommended 3- Less than 50,000 Annual SAQ and quarterly Mandatory transactions per year and network scan designated a level 3 merchant by American Express - As designated by American Express. uaral,otsu5 19 A TRUE COPY C'ERTIFICATION ON LAST PAGE American Express may require certain leve'3Smerch'anT, ToRenroll in American Express' compliance program. Such merchants must enroll no later than ninety (90) days following receipt of such notice from us. All other level 3 merchants need not submit validation documentation, but must comply with all other provisions of these data security provisions. The validation documentation which you must send to us is as follows: Annual onsite security Annual self-assessment Quarterly network scans This is a detailed onsite This is a process using The quarterly network .examination of your the PCI DSS self- scan is a process that equipment, systems, and assessment remotely tests your networks (and their questionnaire (SAO) that internet-connected components) where allows self-examination computer networks and cardholder data or of your equipment, web servers for potential sensitive authentication systems, and networks weaknesses and data (or both) are stored, (and their components) vulnerabilities. processed, or transmitted. where cardholder data or YOU MUST: YOU MUST: sensitive authentication data (or both) are stored, —ensure that the —ensure that the annual processed, or transmitted. quarterly network scan is performed by an onsite security approved scanning assessment is YOU MUST: vendor (ASV); performed by (i) a QSA, —ensure that the SAO is —complete and submit or (ii) you and certified performed by you and the ASV scan report by your chief executive certified by your chief attestation of scan officer, chief financial executive officer, chief compliance (AOSC) or officer, chief information financial officer, chief executive summary of security officer or information security findings of the scan principal; officer or principal; (and copies of the full —submit the AOC section —submit the AOC section scan, on request) of the SAO annually to of the SAO annually to quarterly to us; us, and include copies us, and include copies —ensure that the AOSC of the full SAO upon of the full SAO upon or executive summary request; and request; and certifies that (i) the —ensure that the AOC —ensure that the AOC of results satisfy the PCI certifies compliance the SAO certifies DSS scanning with all requirements of compliance with all procedures, (ii) no high the PCI DSS. requirements of the PCI risk issues are DSS. identified, and (iii) the scan is passing or compliant. 2 50,000 to 2.5 million Annual self-assessment Mandatory transactions per year questionnaire (SAQ) and quarterly network scan 3 Less than 50,000 Annual SAQ and quarterly Strongly transactions per year network scan recommended 3- Less than 50,000 Annual SAQ and quarterly Mandatory transactions per year and network scan designated a level 3 merchant by American Express - As designated by American Express. uaral,otsu5 19