This week is a big one for those of us involved in PCI DSS, and all that implies. Check back on Thursday for a review of the changes in PCI DSS v2.0. I’ve completed an initial review using the embargoed version, but will double check my work based on what actually comes out on the 28th.

Prepare, by Photo Monkey

In the meantime, American Express quietly pushed a new change to their Merchant Reporting requirements over the weekend. What was previously a requirement for the EU only is now a global requirement regardless of location. Level 2 American Express merchants (as defined by processing between 50,000 and 2.5 million transactions per year) must now submit an annual SAQ and quarterly network scans performed by an ASV. Those are now mandatory requirements globally.

Level 3 American Express merchants (less than 50,000 transactions per year) are not totally in the clear ((Watch out for the pain that this link may cause you. Click at your own risk!)) as they must comply with the Data Security Operating Policy (DSOP) which requires compliance to PCI DSS, but their creation of an annual SAQ and quarterly scans is strongly recommended instead of mandatory. The change here was to call out a global change instead of what was previously EU only. Merchants that fall into this category should ensure that they do not fall under any other payment brand levels (such as a MasterCard or Visa Level 3) as opposed to just relying on one single payment brand’s reporting criteria.

This post originally appeared on

Possibly Related Posts: