American Express

Data Security is good business.

Take steps to help protect your customers and your business.

The Data Security Operating Policy (DSOP)

Keeping Card Member information safe and secure is an important part of your agreement to accept American Express® Cards. Compromised data has a negative impact on everyone involved, but there are steps you can take toward minimizing this threat and maintaining customer trust. Protecting data can help you:

  • Improve customer relationships
  • Increase overall profitability
  • Prevent damage to your business's reputation

How to report your security status to American Express

The Payment Card Industry Data Security Standard (PCI DSS) status reporting requirements are determined by the number of American Express Card transactions you process in a given year.

You’re obligated to report your PCI DSS status to us regularly, whether you are compliant or non-compliant. Reporting to us on time, regardless of status, can prevent a nonrefundable, non-validation Data Security fee.

These reporting requirements apply to both Merchants and Service Providers.

  • Merchant means the merchant and all of its affiliates that accept American Express Cards under an Agreement with American Express or its affiliates.
  • Service Providers are authorized processors, third party processors, gateway providers, and any other providers to Merchants of point of sale equipment, software, or systems, or other payment processing solutions or services.

Security Technology Enhancement Program (STEP)

The Security Technology Enhancement Program (STEP) is a way that American Express recognizes the investments Merchants* make in improving the security of Cardholder Data and Sensitive Authentication Data.

Merchants that qualify for STEP are required to submit a simplified one-page annual attestation. In addition, STEP-qualified Merchants are no longer required to submit External Network Vulnerability Scan results.

View our frequently asked questions to learn more.

*Only Merchants are eligible for the American Express Security Technology Enhancement Program. Service Providers are not eligible for STEP.

Submitting Required Documents

Trustwave is a provider of information security and compliance management solutions and is the program administrator of the American Express PCI Compliance Program.

Use the TrustKeeper® PCI Manager tool to either upload or create your required PCI DSS validation documents.


Access Secure Portal:

  • Log in to your TrustKeeper PCI Manager account at: https://login.trustwave.com
  • If needed, use the 'I forgot my Username Password' link to retrieve your username or reset your password.

On the documentation you submit, be sure to include:

  • Company DBA (Doing Business As) name
  • Name, address and phone number of your data security contact
  • 10-digit American Express merchant number (if applicable) 

If you have questions about your account, your status, how to use the TrustKeeper PCI Manager tool or if you are no longer the data security contact for your business, please contact Trustwave at americanexpresscompliance@trustwave.com or call 1 866 659 9016 (available 24/7/365) or 1 312 267 3208.

What to do if you have a data incident

Step 1

Send an email to EIRP@aexp.com immediately, and no later than 24 hours after the incident is discovered. Complete the Merchant Data Incident - Initial Notice Form and attach it to your email.

Step 2

Conduct a thorough investigation, which may require you to hire a Payment Card Industry (PCI) Forensic Investigator.

Step 3

Promptly provide us with all compromised American Express® Card numbers.

Step 4

Work with us to help resolve any issues arising from the data incident.

We can help you notify American Express Card Members about a Data Incident

If your business has suffered a Data Incident, you can use the Data Incident Notification Services offered by American Express to help you inform affected individuals who are American Express® Card Members.*

These services can assist you to:

  • Reach affected American Express Card Members by working with us and one of our authorized print vendors who will help send notices to them.**
  • Put you in contact with one of our authorized vendors, who can help with various other services you may require, such as call center management and return mail handling.
  • Put you in contact with a credit reporting agency that can help offer ID theft protection services to the affected American Express Card Members.

For information about any of these Data Incident Notification Services, send an email with your contact details to dataincidentservices@aexp.com.

*Only customers with an American Express Card issued by American Express will be available for notification through this service. Services are not available for customers using American Express Cards issued by other financial institutions, nor for holders of cards other than American Express Cards. 
**You will be responsible for payment to third parties for the costs of these Services.

Helpful Tips and Resources

Follow the PCI Data Security Standard

Visit the PCI Security Standards Council document library to view specifications, tools and resources to ensure that your customer information is as secure as possible.

Learn PCI DSS Basics

From firewalls to chip technology, check out resources to better understand data security basics.

Insights & Information

View industry articles and information to help your business protect payment data.

Learn how to report your PCI Compliance with this training

We created training to help guide you through your PCI DSS compliance reporting options.