
Data Security is good business.

Take steps to help protect your customers and your business.


The Data Security Operating Policy (DSOP) 



Keeping Card Member information safe and secure is an important part of your agreement to accept American Express® Cards. Compromised data has a negative impact on everyone involved, but there are steps you can take toward minimizing this threat and maintaining customer trust. Protecting data can help:

  • Improve customer relationships
  • Increase overall profitability
  • Prevent damage to your business's reputation






How to report your security status to American Express



The Payment Card Industry Data Security Standard (PCI DSS) status reporting requirements are determined by the number of American Express Card transactions you process in a given year. 


You’re obligated to report your PCI DSS status to us regularly, whether you are compliant or non-compliant. Reporting to us on time, regardless of status, can prevent a nonrefundable, non-validation Data Security fee.


These reporting requirements apply to both Merchants and Service Providers. 


  • Merchant means the merchant and all of its affiliates that accept American Express Cards under an Agreement with American Express or its affiliates.
  • Service Providers are authorized processors, third-party processors, gateway providers, and any other providers to Merchants of point-of-sale equipment, software, or systems, or other payment processing solutions or services.


Security Technology Enhancement Program (STEP)


The Security Technology Enhancement Program (STEP) is a way that American Express recognizes the investments Merchants* make in improving the security of Cardholder Data and Sensitive Authentication Data.  

Merchants that qualify for STEP are required to submit a simplified one-page annual attestation. In addition, STEP-qualified Merchants are no longer required to submit External Network Vulnerability Scan results.


View our frequently asked questions to learn more. 

  *Only Merchants are eligible for the American Express Security Technology Enhancement Program. Service Providers are not eligible for STEP.



Submitting Required Documents


Trustwave is a provider of information security and compliance management solutions, and they are the program administrator of the American Express PCI Compliance Program. 


Use the TrustKeeper® PCI Manager tool to either upload or create your required PCI DSS validation documents.

Access Secure Portal:

  • Log in to your TrustKeeper PCI Manager account at:
  • If needed, use the 'I forgot my Username Password' link to retrieve your username or reset your password.

On the documentation you submit, be sure to include:

  • Company DBA (Doing Business As) name
  • Name, address and phone number of your data security contact
  • 10-digit American Express merchant number (if applicable) 

If you have questions about your account, your status, how to use the TrustKeeper PCI Manager tool or if you are no longer the data security contact for your business, please contact Trustwave at or call 1 866 659 9016 (available 24/7/365) or 1 312 267 3208.




What to do if you have a data incident



Step 1



Immediately send an email to no later than 24 hours after the incident is discovered. Please complete the Merchant Data Incident - Initial Notice Form and attach it to your email.

Step 2



Conduct a thorough investigation that may require you to hire a Payment Card Industry (PCI) Forensic Investigator. 


Step 3



Promptly provide us with all compromised American Express® Card numbers.

Step 4



Work with us to help resolve any issues arising from the data incident.


We can help you notify American Express Card Members about a Data Incident


If your business has suffered a Data Incident, you can use the Data Incident Notification Services offered by American Express to help you inform affected individuals who are American Express® Card Members.*  


These services can assist you to:

  • Reach affected American Express Card Members by working with us and one of our authorized print vendors, who will help send notices to them.**
  • Put you in contact with one of our authorized vendors, who can help with various other services you may require, such as call center management and return mail handling.
  • Put you in contact with a credit reporting agency that can help offer ID theft protection services to the affected American Express Card Members.


For information about any of these Data Incident Notification Services, send an email with your contact details to 


*Only customers with an American Express Card issued by American Express will be available for notification through this service. Services are not available for customers using American Express Cards issued by other financial institutions, nor for holders of cards other than American Express Cards. 
**You will be responsible for payment to third parties for the costs of these Services.


Helpful Tips and Resources



Follow the PCI Data Security Standards 


Visit the PCI Security Standards Council document library to view specifications, tools and resources to ensure that your customer information is as secure as possible. 


Learn PCI DSS Basics


From firewalls to chip technology, check out resources to better understand data security basics. 


Insights & Information


View industry articles and information to help your business protect payment data.



Learn how to report your PCI Compliance with this training


We created training to help guide you through your PCI DSS compliance reporting options.