
Data Security Standard

Data Security Standard for Merchants

As data compromise becomes ever more sophisticated, any business that stores, processes or transmits Cardmember information knows it must take every possible precaution to protect its customers and itself.

View the American Express Data Security Operating Policy (PDF) to learn more.

Implementing the PCI Data Security Standard through compliance with the Data Security Operating Policy (DSOP) brings a higher level of confidence to your customers and to your business.

American Express proudly sits on the PCI Security Standards Council and has been instrumental in establishing the PCI Data Security Standard as an industry-wide standard. These steps are necessary to effectively address one of the key issues facing the industry at this time: Cardmember security.

View the Payment Card Industry Data Security Standard.

In Case of a Breach

Data Incident Management Obligations

Merchants must notify American Express immediately and in no case later than twenty-four (24) hours after discovery of a Data Incident.

To notify American Express, please contact the American Express Enterprise Incident Response Program (EIRP) at 1-602-537-3021 (24/7) or e-mail at EIRP@aexp.com.

Merchants must designate an individual as their contact regarding such Data Incidents.
Please see the Data Security Operating Policy Section 2 for all details pertaining to Data Incident Management Obligations.

Merchant Levels

Merchant Levels

Merchant Levels are generally based on the volume of American Express Card transactions submitted by the Merchant's businesses, rolled up to the highest American Express Merchant Account level. Merchants fall into one of three levels specified in the table below.

Table

* Level 3 Merchants need not submit Validation Documentation, but still must comply with all other provisions of the Data Security Operating Policy. View the American Express Data Security Operating Policy (PDF).


Compliance Requirements

Compliance Requirements for Merchants

All Merchants are required to adhere to the American Express Data Security Operating Policy, including complying with the Payment Card Industry Data Security Standard. In addition, some Merchants may be required to take additional steps to ensure data security.

Step 1: Determine your Merchant Level and documentation requirements. If you have not already done so, please see the Merchant Levels Chart to determine your Merchant Level.
Depending on your particular requirements, you may be asked to provide one or more of the following:

    Annual Onsite Security Assessment Validation Documentation
    The Annual Onsite Security Assessment is a detailed onsite examination of a Merchant's equipment, systems, and networks (and their components) where Cardmember information is stored, processed, or transmitted.

    Annual Self Assessment Questionnaire
    The Annual Self Assessment is a process using the PCI DSS Self-Assessment Questionnaire ("SAQ") that allows self-examination of a Merchant's equipment, systems, and networks (and their components) where Cardmember Information is stored, processed, or transmitted.

    Quarterly Network Scan Validation Documentation
    The Quarterly Network Scan is a process that remotely tests a Merchant's internet-connected computer networks and web servers for potential weaknesses and vulnerabilities. It must be performed by an Approved Scanning Vendor ("ASV").

Step 2: Once you have completed your Validation Documentation Requirements, send the documentation to Trustwave by one of the methods listed in the Data Security Operating Policy Section 4.

    Non-Validation Fees and Termination of Agreement
    American Express has the right to impose non-validation fees on Merchants and terminate the Agreement if Merchants do not fulfill these requirements or fail to provide the mandatory Validation Documentation to American Express by the applicable deadline.

Disclaimer
AMERICAN EXPRESS HEREBY DISCLAIMS ANY AND ALL REPRESENTATIONS, WARRANTIES, AND LIABILITIES WITH RESPECT TO THIS DATA SECURITY OPERATING POLICY, THE PCI DSS, AND THE DESIGNATION AND PERFORMANCE OF QSAs, ASVs, OR PFIs (OR ANY OF THEM), WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
