Is this true?? If so this is going to be a *huge* pain! Imagine having to have your site scanned 4 times a year (and having to pay 3rd party companies for it).
Before, PCI compliance scans were only required by companies processing over 20,000 transactions per year, but this article is saying that Amex will now require scans by companies in the 1-20,000 transactions range as well - in other words, ALL their merchants :-(
As far as I know, Level 4 merchants only need to enter a registration through a Visa/MasterCard certified security assessor, which should be free of charge.
I can't imagine that Amex would now require something else and would actually require merchants to be certified and make such costs, which for small merchants can be an excessive amount.
If they do, they will lose lots of smaller merchants.
Some gateway providers, such as Valet Pay, can get you scanning services of ScanAlert for free. The reason ScanAlert offers the services for free to gateway customers is because they believe they can sell the merchant value-added services such as "Hacker Safe". Check them out.