American ExpressAmerican ExpressAmerican ExpressAmerican ExpressAmerican Express

Data Security Standard


Any business that transmits, processes or stores Cardmember information must take all possible precautions to protect its customers and itself. Implementing the Payment Card Industry (PCI) Data Security Standard through compliance with the Data Security Operating Policy (DSOP) brings a higher level of confidence to your customers and your business.

View the American Express Data Security Operating Policy
American Express, working as a member of the PCI Security Standards Council, has been instrumental in the development of the PCI Data Security Standard, which helps to address the issue of Cardmember security.

View the Payment Card Industry Data Security Standard.

In Case of a Breach

Data Incident Management Obligations

You must notify American Express immediately and in no case later than twenty-four (24) hours after discovery of a Data Incident.

To notify American Express, please contact the American Express Enterprise Incident Response Program (EIRP) at:

  • +1 (602) 537-3021 (+ indicates International Direct Dial “IDD” prefix, international toll applies) or
  • email at

You must designate an individual as your contact regarding such Data Incident.

You can avoid additional costs from a data incident:

  1. By notifying American Express immediately if you know or suspect your data has been compromised
  2. By ensuring that you are in full compliance with the American Express Data Security Operating Policy
  3. If the data incident was not caused by the wrongful conduct of you or one of your employees or agents
Merchant Levels


There are four Levels for merchants and three for Service Providers. Most levels are based on your volume of American Express Card Transactions. For merchants, this is the volume submitted by their establishments that roll-up to the highest American Express merchant account level. You will fall into one of the Levels specified in the table below.

*Level 3 merchants and Level 3 Service Providers need not submit Validation Documentation, but nevertheless must comply with, and are subject to liability under all other provisions of this Data Security Operating Policy. Some Level 3 merchants may be required to submit Validation Documents if so determined by American Express or to comply with applicable regulatory requirements.
**Level EMV is not available for Service Providers, nor merchants that have had a Data Incident within twelve (12) months prior to the date of their Annual EMV Attestation.

Compliance Requirements


All Service Providers are required to adhere to the American Express Data Security Operating Policy , including compliance with the Payment Card Industry Data Security Standard. In addition, some Merchants may be required to take additional steps to ensure data security.

Step 1 is to determine your Merchant Level and documentation requirements. If you have not already done so, please view the ‘Merchant Levels’ tab above to determine which level your business falls under.

Depending on your particular requirements, you may be asked to provide any of the following:

Annual Onsite Security Assessment Validation Documentation – The Annual Onsite Security Assessment is a detailed onsite examination of your equipment, systems, and networks (and their components) where Cardholder Data or Sensitive Authentication Data (or both) are stored, processed or transmitted.

Annual Self Assessment Questionnaire Validation Documentation – The Annual Self Assessment is a process using the PCI DSS Self-Assessment Questionnaire (“SAQ”) that allows self-examination of your equipment, systems, and networks (and their components) where Cardholder Data or Sensitive Authentication Data (or both) are stored, processed, or transmitted. It must be performed by you and certified by your chief executive officer, chief financial officer, chief information security officer, or principal. The AOC section of the SAQ must be submitted annually to American Express. To fulfill validation obligations under this policy, the AOC section of the SAQ must certify your compliance with all requirements of the PCI DSS and include full copies of the SAQ on request.

Quarterly Network Scan Validation Documentation – The Quarterly Network Scan is a process that remotely tests your internet-connected computer networks and web servers for potential weaknesses and vulnerabilities. It must be performed by an Approved Scanning Vendor (“ASV”). You must complete and submit the ASV Scan Report Attestation of Scan Compliance (“AOSC”) or the executive summary of findings of the scan quarterly to American Express.

Annual EMV Attestation Validation Documentation – You must complete the Annual EMV Attestation (“AEA”) process by submitting the AEA form annually to American Express. The AEA form must certify that you have 50,000 American Express Card Transactions or more per year, of which total Transactions at least 75% are made by the Cardmember with the physical Card present at a Point of Sale System compliant with EMV Specifications and capable of processing contact and contactless American Express Chip Cards.

Step 2. Once you have completed your requirements, you should send your validation documentation by one of these methods:

Secure Portal: Validation Documentation may be uploaded via Trustwave’s secure portal. Please contact Trustwave at 000-800-100-4058 or via email at for instructions in using this portal.

Secure Fax: Validation Documentation may be faxed to: +1 (312) 276-4019. Please include your name, DBA (Doing Business As) name, the name of your data security contact, your address and phone number, and, for merchants only, your 10-digit American Express merchant number.

Mail: Validation Documentation may be copied in an encrypted format on a compact disc. Place in an envelope marked “Mandatory” and mail to:

American Express - DSOP Compliance Program
c/o Trustwave
70 West Madison, Suite 1050
Chicago, IL 60602 USA

E-mail the encryption key required to decrypt the Validation Documentation along with your name, DBA (Doing Business As), the name of your data security contact, your address and phone number and, for merchants only, your 10-digit American Express merchant number, to Trustwave at

Non-Compliance Fees and Termination of Card Acceptance Agreement
Merchants risk incurring fees for non-validation of compliance and potential termination of their American Express Card Acceptance Agreement if they do not comply with this policy.