
Overview

What is the Data Security Standard?

Any business that processes, stores or transmits Cardmember information should take all possible precautions to protect their customers and themselves. By implementing the PCI Data Security Standard (PCI DSS) through compliance with the Data Security Operating Policy (DSOP), you can bring a higher level of confidence to your customers and your business.

View the American Express Data Security Operating Policy (PDF). American Express, working as a member of the PCI Security Standards Council, has been instrumental in the development of the PCI Data Security Standard, which sets out how to protect account payment data. To learn more about PCI DSS, visit the PCI Security Standards Council's website and view the Payment Card Industry Data Security Standard.

In case of breach
Data Incident Management Obligations
If you believe that Cardmember information has been compromised, immediately contact your Client Manager or call our Customer Services Team on 2277-2277.
You may also notify the American Express Enterprise Incident Response Program (EIRP) by filling out the Initial Notice Form and sending it via email to EIRP@aexp.com.

Please see the Data Security Operating Policy Section 2, for all details pertaining to Data Incident Management Obligations.
Compliance Requirements

All Merchants are required to adhere to the American Express Data Security Operating Policy, including compliance with the Payment Card Industry Data Security Standard. In addition, some Merchants may be required to take additional steps to ensure data security.

Step 1 is to determine your Merchant Level and documentation requirements. See the "What's your level?" section for this information. Depending on your level, you may be asked to provide one or more of the following:

1. Annual Onsite Security Assessment Validation Documentation

    The Annual Onsite Security Assessment is a detailed onsite examination of a Merchant's technical and operational systems, equipment and networks (and their components) where Cardmember information is processed, stored, or transmitted. The assessment may be performed by a Qualified Security Assessor (QSA) or by the Merchant itself, provided it is certified by the Chief Executive Officer, Chief Financial Officer, or principal of the Merchant. A list of assessors can be found at
    https://www.pcisecuritystandards.org/approved_companies_providers/qualified_security_assessors.php.

    The assessor completes a Report on Compliance (ROC), which provides details of the environment assessed and the results of the assessment. The ROC contains an Attestation of Compliance (AOC) form, which the Merchant or QSA completes. American Express accepts either the AOC or the executive summary of the ROC as suitable validation documentation.

2. Quarterly Network Scan Validation Documentation

    The Quarterly Network Scan is a process that tests a Merchant's Internet-facing infrastructure, such as web servers and network devices, for potential weaknesses and vulnerabilities. This test is performed remotely and must be performed by an Approved Scanning Vendor ("ASV"). A list of ASVs can be found at
    https://www.pcisecuritystandards.org/approved_companies_providers/approved_scanning_vendors.php.

    American Express accepts either the executive summary of a passing vulnerability scan, or the Attestation of Scan Compliance (AOSC) for a passing vulnerability scan.

Step 2 is to upload your documents to Trustwave using our secure portal once you have completed your validation documentation requirements. For instructions on how to access and use this portal, you may contact Trustwave via email at americanexpresscompliance@trustwave.com, or via a toll-free international number. To call from Hong Kong, please dial: 001-800-9000-1140.

What's your level?

While all Merchants are required to comply with the Data Security Operating Policy, American Express has established three levels based on transaction volume to determine what validation documentation is required and the frequency of submission.

The table below helps you determine your level and shows your requirements for compliance with the American Express Data Security Operating Policy.


* Level 3 Merchants need not submit Validation Documentation, but must still comply with all other provisions of the Data Security Operating Policy. View the American Express Data Security Operating Policy (PDF).
