Data Security

American Express has a long-standing commitment to protecting Cardmember Information.

Compromised data has a negative impact on consumers, merchants, and card issuers. Even one incident can severely damage a company's reputation and impair its ability to conduct business effectively. Addressing this threat by implementing the American Express Data Security Operating Policy can make your customers feel more secure, and can enhance the reputation of your business.

Our Role in Data Security

Our long-standing commitment to Data Security

Cardmembers rely on American Express for the highest level of service and protection. This is why we have developed this Data Security Operating Policy and are working with merchants and service providers to help you establish appropriate security programs.

Our history of participating in the industry development of PCI

American Express is a founding member of the PCI Security Standards Council. The Council is designed to manage the ongoing evolution of the PCI Data Security Standard and to foster its adoption in the payment card industry. Through our participation in the Council, American Express continues our commitment to pursue all aspects of data security with diligence.

Your Role in Data Security

Merchants have an important role to play in protecting Cardmember information. In agreeing to accept the American Express® Card, you have agreed to the terms of our Card Acceptance Agreement. This contains the Data Security Operating Policy, which helps us to work together in implementing the PCI Data Security Standard. Our Data Security Operating Policy can be viewed from this website. In the case of a conflict between the provisions of the website and the policy, the provisions of the policy will prevail.

FAQs

The Data Security Operating Policy is an American Express policy, with which all Merchants, Processors, and Service Providers that store, process or transmit American Express® Cardmember information must comply. This policy has been strengthened to reflect current business conditions, provides additional requirements to help safeguard Cardmember information, and aligns with the Payment Card Industry Data Security Standard (PCI Standard). The PCI Data Security Standard sets out a common set of technical requirements for safeguarding sensitive payment data, which are applicable across the industry.

The Data Security Operating Policy applies to all entities (Merchants and Service Providers) that process, store or transmit Cardmember information. Its requirements apply to all equipment, systems, and networks on which American Express Cardmember information is processed, stored, or transmitted.

Compromised data can have a negative impact on your business, other Merchants and card issuers. Even one incident can severely damage a company's reputation and its ability to conduct business effectively. Addressing this threat by implementing security operating procedures can make your customers feel more secure, and can enhance the reputation of your business.

The Data Security Operating Policy is a sound business practice and a requirement of American Express. By accepting American Express® Cards, you agree to be bound to terms and conditions of our Card Acceptance Agreement, which includes data security requirements and mandates compliance with American Express policies and procedures.

From January 2007, all American Express Merchants and Service Providers are required to comply with the Data Security Operating Policy. This policy introduces additional obligations based on your transaction volume, including a requirement to provide American Express with documentation that validates your compliance with the PCI Data Security Standard. This validation must be performed by a third-party security assessor acceptable to American Express. American Express has the right to assess non-compliance fees in accordance with the Data Security Operating Policy for your failure to provide the documentation by the applicable deadline.

The policy applies to any of your equipment, systems, and networks that transmit or process Cardmember information.

We encourage Merchants and Service Providers to complete an initial review, develop a remediation plan, complete items on the remediation plan, and revalidate compliance of those outstanding items. This plan can be submitted to American Express for review until full compliance can be achieved. If American Express accepts the plan, in its sole discretion, it can choose not to impose the non-compliance fees for a Merchant's failure to provide the documentation validating its compliance with the PCI Data Security Standard. A Merchant may still remain liable for fraud as a result of a security compromise.

The PCI Data Security Standard is the technical foundation for the Data Security Operating Policy, allowing Merchants and Service Providers to comply with one set of data security technical standards. The Data Security Operating Policy defines the levels, requirements and validation deadline for American Express.

Once you have completed your requirements as set out in the Data Security Operating Policy (DSOP), you should send your validation documentation by one of these methods:

Secure Portal: Validation Documentation may be uploaded via Trustwave’s secure portal. Please contact Trustwave at 000-800-100-4058 or via email at AmericanExpressCompliance@trustwave.com for instructions on using this portal.

Secure Fax: Validation Documentation may be faxed to: +1 (312) 276-4019. Please include your name, DBA (Doing Business As) name, the name of your data security contact, your address and phone number, and, for merchants only, your 10-digit American Express merchant number.

Mail: Validation Documentation may be copied in an encrypted format onto a compact disc. Place the disc in an envelope marked “Mandatory” and mail it to:

American Express - DSOP Compliance Program
c/o Trustwave
70 West Madison, Suite 1050
Chicago, IL 60602 USA

E-mail the encryption key required to decrypt the Validation Documentation, along with your name, DBA (Doing Business As) name, the name of your data security contact, your address and phone number and, for merchants only, your 10-digit American Express merchant number, to Trustwave at AmericanExpressCompliance@trustwave.com.

Level 3 merchants and Level 3 Service Providers (processing less than 50,000 American Express transactions per year) need not submit Validation Documentation, but nevertheless must comply with, and are subject to liability under all other provisions of this Data Security Operating Policy. Some Level 3 merchants may be required to submit Validation Documents if so determined by American Express or to comply with applicable regulatory requirements.