American Express Data Security Operating Policy INDIA


American Express Data Security Operating Policy – INDIA

As a leader in consumer protection, American Express has a long-standing commitment to protect Cardholder Data and Sensitive Authentication Data, ensuring that it is kept secure.

Compromised data negatively impacts consumers, Merchants, Service Providers and card issuers. Even one incident can severely damage a company’s reputation and impair its ability to effectively conduct business. Addressing this threat by implementing security operating policies can help improve customer trust, increase profitability, and enhance a company’s reputation.

American Express knows that our Merchants and Service Providers (collectively, you) share our concern and requires, as part of your responsibilities, that you comply with the data security provisions in your agreement to accept (in the case of Merchants) or process (in the case of Service Providers) the American Express Card (each, respectively, the Agreement) and this Data Security Operating Policy, which we may amend from time to time. These requirements apply to all your equipment, systems, and networks (and their components) on which encryption keys, Cardholder Data, or Sensitive Authentication Data (or a combination of those) are stored, processed, or transmitted.

Capitalized terms used but not defined herein have the meanings ascribed to them in the glossary at the end of this policy.

SECTION 1 – STANDARDS FOR PROTECTION OF ENCRYPTION KEYS, CARDHOLDER DATA AND SENSITIVE AUTHENTICATION DATA

You must, and you must cause your Covered Parties to:
- store Cardholder Data only to facilitate American Express Card Transactions in accordance with, and as required by, the Agreement,
- comply with the current version of the Payment Card Industry Data Security Standard (PCI DSS) and PCI PIN Security Requirements no later than the effective date for implementing that version, and
- use, when deploying new or replacement PIN Entry Devices or Payment Applications (or both), in attended locations only those that are PCI Approved.

You must protect all American Express Charge records, and Credit records retained pursuant to the Agreement in accordance with these data security provisions; you must use these records only for purposes of the Agreement and safeguard them accordingly. You are financially and otherwise liable to American Express for ensuring your Covered Parties’ compliance with these data security provisions (other than for demonstrating your Covered Parties’ compliance with this policy under Section 4 below except as otherwise provided in that section).

SECTION 2 – DATA INCIDENT MANAGEMENT OBLIGATIONS

You must notify American Express immediately and in no case later than twenty-four (24) hours after discovery of a Data Incident.

To notify American Express, please contact the American Express Enterprise Incident Response Program (EIRP) at +1 (602) 537-3021 (+ indicates International Direct Dial “IDD” prefix, International toll applies), or email at EIRP@aexp.com. You must designate an individual as your contact regarding such Data Incident.

You must conduct a thorough forensic investigation of each Data Incident. For Data Incidents involving 10,000 or more unique American Express Card account numbers (or otherwise at American Express’s request), a PCI Forensic Investigator (PFI) must conduct this investigation. The unedited report must be provided to American Express within 10 business days after completion.

You must promptly provide to American Express all Compromised Card Numbers and the forensic investigation report of the Data Incident. American Express reserves the right to conduct its own internal analysis to identify Card Numbers involved in the Data Incident.

You must work with American Express to rectify any issues arising from the Data Incident, including consulting with American Express about your communications to American Express Cardmembers affected by the Data Incident and providing (and obtaining any waivers necessary to provide) to American Express all relevant information to verify your ability to prevent future Data Incidents in a manner consistent with the Agreement.

Page 1
AMERICANEXPRESS.COM/DATASECURITY
DSOP India July 2019

Forensic investigation reports must include forensic reviews, reports on compliance, and all other information related to the Data Incident; identify the cause of the Data Incident; confirm whether or not you were in compliance with the PCI DSS at the time of the Data Incident; and verify your ability to prevent future Data Incidents by providing a plan for remediating all PCI DSS deficiencies. Upon American Express’s request, you shall provide validation by a Qualified Security Assessor (QSA) that the deficiencies have been remediated.

Notwithstanding any contrary confidentiality obligation in the Agreement, American Express has the right to disclose information about any Data Incident to American Express Cardmembers, issuers, other participants on the American Express network, and the general public as required by applicable law; by judicial, administrative, or regulatory order, decree, subpoena, request, or other process in order to mitigate the risk of fraud or other harm or otherwise to the extent appropriate to operate the American Express network.

SECTION 3 – INDEMNITY OBLIGATIONS FOR A DATA INCIDENT

Your indemnity obligations to American Express under the Agreement for Data Incidents shall be determined, without waiving any of American Express’s other rights and remedies, under this Section 3.

American Express will not seek indemnification from you for a Data Incident (a) involving less than 10,000 unique Compromised Card Numbers or (b) if:
- you notified American Express of the Data Incident pursuant to Section 2 of this policy,
- you were in compliance at the time of the Data Incident with the PCI DSS (as determined by the PFI’s investigation of the Data Incident) and
- the Data Incident was not caused by your wrongful conduct or that of your Covered Parties

You are liable for all other Data Incidents as follows. For a Data Incident involving American Express Card account numbers alone, you shall compensate American Express promptly by paying a Data Incident non-compliance fee not to exceed US$100,000 per Data Incident. For a Data Incident involving American Express Card account numbers with Sensitive Authentication Data, you shall compensate American Express promptly:
- at the rate of US$5 per account number,
- a Data Incident non-compliance fee not to exceed US$100,000 per Data Incident

American Express will exclude from its calculations any American Express Card account number that was involved in another Data Incident involving American Express Card account numbers with Sensitive Authentication Data, provided that American Express received notification of the other Data Incident within the twelve (12) months prior to the Notification Date. All calculations made by American Express under this methodology are final.

Merchants’ indemnity obligations for Data Incidents hereunder shall not be considered incidental, indirect, speculative, consequential, special, punitive, or exemplary damages under the Agreement; provided that such obligations do not include damages related to or in the nature of lost profits or revenues, loss of goodwill, or loss of business opportunities.

(Applicable only to Data Incidents discovered on or after October 13th, 2017) In its sole discretion, American Express may reduce the indemnity obligation for Merchants that meet all of the following criteria:
- The applicable Risk-Mitigating Technologies were used prior to the Data Incident and were in use during the entire Data Incident Event Window, and
- A thorough investigation in accordance with Payment Card Industry Forensic Investigator (PFI) program was completed (unless otherwise agreed in writing previously), and
- Forensic report clearly states the Risk-Mitigating Technologies that were used to process, store and/or transmit the data at the time of the Data Incident, and
- You do not store (and did not store throughout the Data Incident Event Window) Sensitive Authentication Data or any Cardholder Data that has not been made unreadable

Where an indemnity reduction is available, the reduction to your indemnity obligation (excluding any non-compliance fees payable) is determined as follows:

Indemnity Obligation Reduction | Required Criteria
Standard Reduction: 50% | ≥75% of total Transactions processed on Chip Enabled Devices [1] OR Risk-Mitigating Technology in use at ≥75% of Merchant locations [2]
Enhanced Reduction: 75% to 100% | ≥75% of all Transactions processed on Chip Enabled Devices [1] AND another Risk-Mitigating Technology in use at ≥75% of Merchant locations [2]

[1] As determined by American Express internal analysis
[2] As determined by PFI investigation

The Enhanced Reduction (75% to 100%) shall be determined based on the lesser of the percentage of Transactions using Chip Enabled Devices AND Merchant locations using another Risk-Mitigating Technology. The examples below illustrate the calculation of the indemnity reduction.

To qualify as a Risk-Mitigating Technology, you must demonstrate effective utilization of the technology in accordance with its design and intended purpose. For example, deploying Chip Enabled Devices and processing Chip Cards as Magnetic Stripe or Key Entered transactions is NOT an effective use of this technology.

The % of locations that use a Risk-Mitigating Technology is determined by PFI investigation.

The reduction in the indemnity obligation does not apply to any non-compliance fees payable in relation to the Data Incident.

Ex. | Risk-Mitigating Technologies in use | Enhanced Reduction Eligible? | Reduction
1 | 80% of Transactions on Chip Enabled Devices; 0% locations use other Risk-Mitigating Technology | No | 50%: Standard Reduction (Less than 75% use of Risk-Mitigating Technology does not qualify for Enhanced Reduction) [1]
2 | 80% of Transactions on Chip Enabled Devices; 77% locations use other Risk-Mitigating Technology | Yes | 77%: Enhanced Reduction (based on 77% use of Risk-Mitigating Technology)
3 | 93% of Transactions on Chip Enabled Devices; 100% locations use other Risk-Mitigating Technology | Yes | 93%: Enhanced Reduction (based on 93% of Transactions on Chip Enabled Devices)
4 | 40% of Transactions on Chip Enabled Devices; 90% locations use other Risk-Mitigating Technology | No | 50%: Standard Reduction (Less than 75% of Transactions on Chip Enabled Devices does not qualify for Enhanced Reduction)

[1] A Data Incident involving 10,000 American Express Card Accounts, at a rate of $5 per account number (10,000 x $5 = $50,000) may be eligible for a reduction of 50%, reducing the Indemnity Obligations from $50,000 to $25,000, excluding any non-compliance fees.

SECTION 4 – IMPORTANT! PERIODIC VALIDATION OF YOUR SYSTEMS

You must take the following steps to validate under PCI DSS annually and quarterly as described below, the status of your and your Franchisees’ equipment, systems and/or networks (and their components) on which Cardholder Data or Sensitive Authentication Data are stored, processed or transmitted.

There are four steps required to complete validation:
Step 1 – Enroll in American Express’s Compliance Program under this Policy
Step 2 – Determine your Level and Validation Requirements
Step 3 – Determine the Validation Documentation that you must send to American Express
Step 4 – Send the Validation Documentation to American Express

Step 1 – Enroll in American Express’s Compliance Program under this Policy

Level 1 Merchants, Level 2 Merchants, Level 3, and Level 4 Merchants whom American Express has notified, and all Service Providers, as described below, must enroll in American Express’s compliance program under this policy by providing the full name, e-mail address, telephone number, and physical mailing address of an individual who will serve as their general data security contact. You must submit this information to Trustwave, which administers the program on behalf of American Express, by one of the methods listed in Step 4 below. You must notify Trustwave if this information changes, providing updated information where applicable.

American Express may require, in our sole discretion, certain Level 3 and Level 4 Merchants to enroll in American Express’s compliance program under this policy by sending them written notice. The Merchant must enroll no later than 90 days following receipt of the notice.

American Express may verify the results of your PCI Validation process by up to, and including, engaging, at American Express’s expense, a Qualified Security Assessor (QSA) of our choice.

Step 2 – Determine your Level and Validation Requirements

There are four Levels for Merchants and two Levels for Service Providers. Most levels are based on your volume of American Express Card Transactions. For Merchants, this is the volume submitted by their establishments that roll-up to the highest American Express Merchant account level.* You will fall into one of the Levels specified in the Merchant and Service Provider tables below.

Buyer Initiated Payments (BIP) transactions are not included in the volume of American Express Card Transactions to determine Merchant Level and validation requirements.

*In the case of Franchisors, this includes volume from their Franchisee establishments. Franchisors who mandate that their Franchisees use a specified Point of Sale (POS) System or Service Provider also must provide validation documentation for the affected Franchisees.

Merchant Requirements

Merchants (not Service Providers) have four possible classifications regarding their level and validation requirements. After determining the Merchant level from the list below, see the Merchant Table to determine validation documentation requirements.

Level 1 Merchant – 2.5 million American Express Card Transactions or more per year; or any Merchant that American Express otherwise deems a Level 1.
Level 2 Merchant – 50,000 to 2.5 million American Express Card Transactions per year.
Level 3 Merchant – 10,000 to 50,000 American Express Card Transactions per year.
Level 4 Merchant – Less than 10,000 American Express Card Transactions per year.

Security Technology Enhancement Program

Merchants that are compliant with PCI DSS may also qualify for American Express’s Security Technology Enhancement Program (STEP) if they deploy certain, additional, security technologies throughout their Card processing environments. STEP applies only if the merchant has not experienced a Data Incident in the previous 12 months and if 75% of all merchant Card Transactions are performed using:
- EMV – on an active Chip-Enabled Device having a valid and current EMVCo (www.emvco.com) approval/certification and capable of processing AEIPS compliant Chip Card Transactions. (U.S. Merchants must include Contactless)
- Point to Point Encryption (P2PE) – communicated to the Merchant’s processor using a PCI-SSC approved or QSA-approved Point to Point Encryption [...]

[...]ement Program have reduced PCI Validation Documentation requirements, as further described in Step 3 below.

Merchant table

Level (defined above) | Mandatory Validation Documentation | Optional Validation Documentation
1 | Annual Onsite Security Assessment Report | Merchants who have a QSA fill out a Report on Compliance are not required to submit quarterly scans (but may choose to)
2 | Annual Self-Assessment Questionnaire (or); Quarterly Network Scan | Onsite Security Assessment Report
3* | Annual Self-Assessment Questionnaire; Quarterly Network Scan (only as required at American Express’ discretion) | Annual Self-Assessment Questionnaire or ROC
4* | Annual Self-Assessment Questionnaire; Quarterly Network Scan (only as required at American Express’ discretion) | Annual Self-Assessment Questionnaire or ROC

*For the avoidance of doubt, Level 3 and Level 4 Merchants need not submit Validation Documentation unless required at American Express’ discretion, but nevertheless must comply with, and are subject to liability under all other provisions of this Data Security Operating Policy.

Service Provider Requirements

Service Providers (not Merchants) have two possible classifications regarding their level and validation requirements. After determining the Service Provider level from the list below, see the Service Provider Table to determine validation documentation requirements.

Level 1 Service Provider – 2.5 million American Express Card Transactions or more per year; or any Service Provider that American Express otherwise deems a Level 1.
Level 2 Service Provider – less than 2.5 million American Express Card Transactions per year; or any Service Provider not deemed Level 1 by American Express.

Service Providers are not eligible for Security Technology Enhancement Program.

Service Provider table

Level (defined above) | Validation Documentation (defined in Step 3 below) | Requirement
1 | Annual Onsite Security Assessment Report; Quarterly Network Scan | Mandatory
2 | Annual Self-Assessment Questionnaire; Quarterly Network Scan | Mandatory

It is recommended that Service Providers also comply with the PCI Designated Entities Supplemental Validation.

Step 3 – Determine the Validation Documentation that you must send to American Express

The following documents are required for different levels of Merchant and Service Provider as listed in the Merchant Table and Service Provider Table above.

Annual Onsite Security Assessment – The Annual Onsite Security Assessment is a detailed onsite examination of your equipment, systems, and networks (and their components) where Cardholder Data or Sensitive Authentication Data (or both) are stored, processed or transmitted. It must be performed by a QSA or you and certified by your chief executive officer, chief financial officer, chief information security officer, or principal and submitted annually to American Express on the applicable Attestation of Compliance (AOC). The AOC must certify compliance with all requirements of the PCI DSS and, upon request, include copies of the full report on compliance (Level 1 Merchants and Level 1 Service Providers).

Annual Self-Assessment Questionnaire – The Annual Self-Assessment is a process using the PCI DSS Self-Assessment Questionnaire (SAQ) that allows self-examination of your equipment, systems, and networks (and their components) where Cardholder Data or Sensitive Authentication Data (or both) are stored, processed, or transmitted. It must be performed by you and certified by your chief executive officer, chief financial officer, chief information security officer, or principal. The AOC section of the SAQ must be submitted annually to American Express. The AOC section of the SAQ must certify your compliance with all requirements of the PCI DSS and include full copies of the SAQ on request (Level 2 and Level 3 Merchants; Level 2 Service Providers).

Quarterly Network Scan – The Quarterly Network Scan is a process that remotely tests your Internet-connected computer networks and web servers for potential weaknesses and vulnerabilities. It must be performed by an Approved Scanning Vendor (ASV). You must complete and submit the ASV Scan Report Attestation of Scan Compliance (AOSC) or the executive summary of findings of the scan (and copies of the full scan, on request), quarterly to American Express. The AOSC or executive summary must certify that the results satisfy the PCI DSS scanning procedures, that no high risk issues are identified, and that the scan is passing or compliant (all Merchants except Level 1 Merchants and Security Technology Enhancement Program (STEP) eligible Merchants; all Service Providers).

Annual Security Technology Enhancement Program (STEP) Attestation Validation Documentation – The American Express Annual STEP Qualification Attestation (“STEP Attestation”) is available only to merchants who meet the criteria listed in Step 2 above. The STEP Attestation involves a process using PCI DSS requirements that allows self-examination of your equipment, systems, and networks (and their components) where Cardholder Data or Sensitive Authentication Data (or both) are stored, processed, or transmitted. It must be performed by you and certified by your chief executive officer, chief financial officer, chief information security officer, or principal. You must complete the process by submitting the STEP Attestation form annually to American Express. (STEP eligible Merchants only). The Annual [...]ument is available from www.trustwave.com.

Summary of Compliance – The Summary of Compliance (“SOC”) is a document by which a Franchisor or Service Provider may report the PCI Compliance status of its franchisees. The SOC template is available for download via Trustwave’s secure portal.

Non Compliance with PCI DSS – If you are not compliant with the PCI DSS, then you must complete an AOC including “Part 4. Action Plan for Non-Compliant Status” or a Project Plan Template (available for download via Trustwave’s secure portal) and designate a remediation date, not to exceed six months following the date of the AOC, for achieving compliance. You must submit this AOC with the “Action Plan for Non-Compliant Status” to American Express by one of the methods listed in Step 4 below. You shall provide American Express with periodic updates of your progress toward remediation under the “Action Plan for Non-Compliant Status” (Level 1, Level 2, Level 3 and select/applicable Level 4 Merchants; All Service Providers). For the avoidance of all doubt, Merchants that are not compliant with PCI DSS are not eligible for Security Technology Enhancement Program (STEP).

American Express shall not impose non-validation fees (described below) on you for non-compliance prior to the remediation date, but you remain liable to American Express for all indemnity obligations for a Data Incident and are subject to all other provisions of this policy.

Step 4 – Send the Validation Documentation to American Express

Level 1 Merchants, Level 2 Merchants, Level 3 Merchants, STEP-eligible Merchants, and all Service Providers must submit the Validation Documentation marked “mandatory” in the tables in Step 2.

You must submit your Validation Documentation to Trustwave by one of these methods:

Secure Portal: Validation Documentation may [...]gin.trustwave.com. Please contact Trustwave at 000-800-100-1177 or +1 (312) 267-3208 or via email at AmericanExpressCompliance@trustwave.com for instructions on using this portal.

Secure Fax: Validation Documentation may be faxed to: +1 (312) 276-4019. (+ indicates International Direct Dial “IDD” prefix, International toll applies.) Please include your name, DBA (Doing Business As) name, the name of your data security contact, your address and phone number, and, for Merchants only, your 10-digit American Express Merchant number.

If you have general questions about the program or the process above, please contact Trustwave at 000-800-100-1177 or +1 (312) 267-3208 or via email [...]

[...]e and validation are completed at your expense. By submitting Validation Documentation, you represent and warrant to American Express that you are authorized to disclose the information contained therein and are providing the Validation Documentation to American Express without violating any other party’s rights.

Non-Validation Fees and Termination of Agreement

American Express has the right to impose non-validation fees on you and terminate the Agreement if you do not fulfill these requirements or fail to provide the mandatory Validation Documentation to American Express by the applicable deadline. American Express will notify you separately of the applicable deadline for each annual and quarterly reporting period.

Description (Currency USD) | Level 1 Merchant or Level 1 Service Provider | Level 2 Merchant or Level 2 Service Provider, STEP Merchant | Level 3 Merchant only
A non-validation fee will be assessed if the Validation Documentation is not received by the first deadline. | 25,000 | 5,000 |
An additional non-validation fee will be assessed if the Validation Documentation is not received within 30 days of the first deadline. | 35,000 | 10,000 | 20
An additional non-validation fee will be assessed if the Validation Documentation is not received within 60 days of the first deadline. | 45,000 | 15,000 |

If American Express does not receive your mandatory Validation Documentation within 60 days of the first deadline, then American Express has the right to terminate the Agreement in accordance with its terms as well as impose the foregoing non-validation fees cumulatively on you.

SECTION 5 – CONFIDENTIALITY

American Express shall take reasonable measures to keep (and cause its agents and subcontractors, including Trustwave, to keep) your reports on compliance, including the Validation Documentation in confidence and not disclose the Validation Documentation to any third party (other than American Express’s affiliates, agents, representatives, Service Providers, and subcontractors) for a period of three years from the date of receipt, except that this confidentiality obligation does not apply to Validation Documentation that:
i. is already known to American Express prior to disclosure;
ii. is or becomes available to the public through no breach of this paragraph by American Express;
iii. is rightfully received from a third party by American Express without a duty of confidentiality;
iv. is independently developed by American Express; or
v. is required to be disclosed by an order of a court, administrative agency or governmental authority, or by any law, rule or regulation, or by subpoena, discovery request, summons, or other administrative or legal process, or by any formal or informal inquiry or investigation by any government agency or authority (including any regulator, inspector, examiner, or law enforcement agency).

SECTION 6 – DISCLAIMER

AMERICAN EXPRESS HEREBY DISCLAIMS ANY AND ALL REPRESENTATIONS, WARRANTIES, AND LIABILITIES WITH RESPECT TO THIS DATA SECURITY OPERATING POLICY, THE PCI DSS, THE EMV SPECIFICATIONS AND THE DESIGNATION AND PERFORMANCE OF QSAs, ASVs, OR PFIs (OR ANY OF THEM), WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. AMERICAN EXPRESS CARD ISSUERS ARE NOT THIRD PARTY BENEFICIARIES UNDER THIS POLICY.

USEFUL WEB SITES

American Express Data Security [...]
PCI Security Standards Council, [...]

For purposes of this policy only, the following definitions apply:

American Express Card, or Card, means any card, account access device, or payment device or service bearing American Express’ or an affiliate’s name, logo, trademark, service mark, trade name, or other proprietary design or designation and issued by an issuer or a card account number.

Approved Point to Point Encryption (P2PE) Solution, included on PCI SSC list of validated solutions or validated by a PCI SSC Qualified Security Assessor P2PE Company.

Approved Scanning Vendor, or ASV, means an entity that has been qualified by the Payment Card Industry Security Standards Council, LLC to validate adherence to certain PCI DSS requirements by performing vulnerability scans of internet facing environments.

Attestation of Compliance, or AOC, means a declaration of the status of your compliance with the PCI DSS, in the form provided by the Payment Card Industry Security Standards Council, LLC.

Attestation of Scan Compliance, or AOSC, means a declaration of the status of your compliance with the PCI DSS based on a network scan, in the form provided by the Payment Card Industry Security Standards Council, LLC.

Cardholder Data has the meaning given to it in the then current Glossary of Terms for the PCI DSS.

Cardmember means an individual or entity (i) that has entered into an agreement establishing a Card account with an issuer or (ii) whose name appears on the Card.

Cardmember Information means information about American Express Cardmembers and Card transactions, including names, addresses, card account numbers, and card identification numbers (CIDs).

Charge means a payment or purchase made on a Card.

Chip means an integrated microchip embedded on a Card containing Cardmember and account information.

Chip Card means a Card that contains a Chip and could require a PIN as a means of verifying the identity of the Cardmember or account information contained in the Chip, or both (sometimes called a “smart card”, an “EMV Card”, or an “ICC” or “integrated circuit card” in our materials).

Chip-Enabled Device means a point-of-sale device having a valid and current EMVco (www.emvco.com) approval/certification and capable of processing AEIPS compliant Chip Card Transactions.

Compromised Card Number means an American Express Card account number related to a Data Incident.

Covered Parties means any or all of your employees, [...] Service Providers, providers of your point-of-sale equipment or systems or payment processing solutions, entities associated with your American Express Merchant account, and any other party to whom you may provide Cardmember Information access in accordance with the Agreement.

Credit means the amount of the Charge that you refund to Cardmembers for purchases or payments made on the Card.

Data Incident means an incident involving the compromise or suspected compromise of American Express encryption keys, or at least one American Express Card account number in which there is:
- unauthorized access or use of Encryption Keys, Cardholder Data or Sensitive Authentication Data (or a combination of each) that are stored, processed, or transmitted on your equipment, systems, and/or networks (or the components thereof) of yours or the use of which you mandate;
- use of such Encryption Keys, Cardholder Data or Sensitive Authentication Data (or a combination of each) other than in accordance with the Agreement; and/or
- suspected or confirmed loss, theft, or misappropriation by any means of any media, materials, records, or information containing such Encryption Keys, Cardholder Data or Sensitive Authentication Data (a combination of each).

Dat[...]
