• store American Express cardholder data only to facilitate transactions for your acceptance of American Express cards;
• comply with the current version of the PCI DSS, no later than the effective date for implementing that version; and
• use, when deploying new or replacement PIN entry devices or payment applications (or both), only those that are PCI-approved.

You must protect all charge records and credit records retained in accordance with these data security provisions. You must use these records only for purposes of your acceptance of American Express cards and you must safeguard the records accordingly.

Data incidents

If you discover a data incident, you must:
• notify us immediately and in no case later than 24 hours after such discovery;
• conduct a thorough forensic investigation of each data incident; this must be conducted by a PCI forensic investigator (PFI) if the data incident involves 10,000 or more unique card numbers (or otherwise at our request);
• promptly provide to us all compromised card numbers and the forensic investigation report of the data incident;
• work with us to rectify any issues arising from the data incident, including consulting with us about your communications to card members affected by the data incident and providing (and obtaining any waivers necessary to provide) to us all relevant information to verify your ability to prevent future data incidents; and
• at our request, provide validation by a qualified security assessor (QSA) that the deficiencies have been remediated.
Forensic investigation reports must:
• include forensic reviews, reports on compliance, and all other information related to the data incident;
• identify the cause of the data incident;
• confirm whether or not you were in compliance with the PCI DSS at the time of the data incident; and
• verify your ability to prevent future data incidents by providing a plan for remediating all PCI DSS deficiencies.

American Express has the right to disclose information about any data incident to card members, issuers, other participants on the American Express network, and the general public as required by applicable law; by judicial, administrative, or regulatory order, decree, subpoena, request, or other process; in order to mitigate the risk of fraud or other harm; or otherwise to the extent appropriate to operate the American Express network.

Periodic validation of your systems

You must take steps to validate under PCI DSS annually and quarterly the status of your equipment, systems and networks (and their components) on which cardholder data and sensitive authentication data are stored, processed or transmitted.

Step 1 - Enroll in a compliance program

You must submit applicable periodic validation documentation to us. Please contact us for more information regarding data security compliance requirements.

Step 2 - Determine merchant level and validation requirements

Most merchant levels are based on the volume of transactions submitted by establishments.
You will fall into one of the merchant levels specified in the following table:

Merchant level | Definition | Validation documentation | Requirement
1 | 2.5 million transactions or more per year, or any merchant that American Express otherwise deems a level 1 merchant | Annual on-site security assessment report and quarterly network scan | Mandatory
2 | 50,000 to 2.5 million transactions per year | Annual self-assessment questionnaire (SAQ) and quarterly network scan | Mandatory
3 | Less than 50,000 transactions per year | Annual SAQ and quarterly network scan | Strongly recommended
3* | Less than 50,000 transactions per year and designated a level 3 merchant by American Express | Annual SAQ and quarterly network scan | Mandatory

* As designated by American Express.

American Express may require certain level 3 merchants to enroll in American Express' compliance program. Such merchants must enroll no later than ninety (90) days following receipt of such notice from us. All other level 3 merchants need not submit validation documentation, but must comply with all other provisions of these data security provisions.

The validation documentation which you must send to us is as follows:

Annual onsite security assessment

This is a detailed onsite examination of your equipment, systems, and networks (and their components) where cardholder data or sensitive authentication data (or both) are stored, processed, or transmitted.

YOU MUST:
— ensure that the annual onsite security assessment is performed by (i) a QSA, or (ii) you and certified by your chief executive officer, chief financial officer, chief information security officer or principal;
— submit the AOC section of the SAQ annually to us, and include copies of the full SAQ upon request; and
— ensure that the AOC certifies compliance with all requirements of the PCI DSS.

Annual self-assessment

This is a process using the PCI DSS self-assessment questionnaire (SAQ) that allows self-examination of your equipment, systems, and networks (and their components) where cardholder data or sensitive authentication data (or both) are stored, processed, or transmitted.

YOU MUST:
— ensure that the SAQ is performed by you and certified by your chief executive officer, chief financial officer, chief information security officer or principal;
— submit the AOC section of the SAQ annually to us, and include copies of the full SAQ upon request; and
— ensure that the AOC of the SAQ certifies compliance with all requirements of the PCI DSS.

Quarterly network scans

The quarterly network scan is a process that remotely tests your internet-connected computer networks and web servers for potential weaknesses and vulnerabilities.

YOU MUST:
— ensure that the quarterly network scan is performed by an approved scanning vendor (ASV);
— complete and submit the ASV scan report attestation of scan compliance (AOSC) or executive summary of findings of the scan (and copies of the full scan, on request) quarterly to us; and
— ensure that the AOSC or executive summary certifies that (i) the results satisfy the PCI DSS scanning procedures, (ii) no high risk issues are identified, and (iii) the scan is passing or compliant.

Step 3 - Send the validation documentation to Participant

Compliance and validation are completed at your expense. By submitting validation documentation to us, you represent and warrant to us that you are authorized to disclose the information contained in it and are providing the validation documentation without violating any other party's rights.

Merchants not compliant with PCI DSS

If you are not compliant with the PCI DSS, then you must:
• complete and submit an AOC including "Part 4. Action Plan for Non-Compliant Status" to us;
• designate a remediation date, not to exceed twelve (12) months following the date of the AOC, for achieving compliance; and
• provide us with periodic updates of your progress toward remediation under the "Action Plan for Non-Compliant Status."

Non-validation fees and termination of right to accept cards

We have the right to impose non-validation fees on you and terminate your right to accept cards if you do not fulfill these requirements or fail to provide the mandatory validation documentation to us by the applicable deadline.

We will notify you separately of the applicable deadline for each annual and quarterly reporting period.
If we do not receive your mandatory validation documentation, then we have the right to terminate your right to accept cards and to impose non-validation fees on you.

Periodic validation of level EMV merchants

Your merchant level may be classified as EMV if you submit 50,000 (or more) American Express card transactions per year, of which at least 75% are made by the card member with the physical card present at a point of sale system compliant with EMV specifications and capable of processing contact and contactless transactions on a chip-enabled device.

If you are classified as merchant level EMV, you may submit the annual EMV attestation (AEA) instead of other validation documentation, in which case you must submit the AEA annually to us. Even if you fall into merchant level 1 or 2, if you are classified as merchant level EMV, you only need to submit the AEA, and not the other merchant level 1 and 2 validation documentation.

The AEA involves a process using PCI DSS requirements that allows self-examination of your equipment, systems, and networks (and their components) where cardholder data or sensitive authentication data (or both) are stored, processed or transmitted.

The AEA must:
• be performed by you;
• be certified by your chief executive officer, chief financial officer, chief information security officer, or principal; and
• certify that you meet the requirements for merchant level EMV.