Protecting Payment Data Helps Protect Everyone

Protecting Payment Data Helps Protect Everyone

Get the information you need around PCI compliance and data security.

 

The Importance of PCI Compliance

 

Compliance with the Payment Card Industry Data Security Standard (PCI DSS) helps protect you and your customers from data compromises. 

 

Protecting your payments data can help:

Avoid damage to your business’s brand

Prevent financial loss

Retain customer relationships

The PCI Data Security Standard

PCI DSS is a set of technical and operational standards developed to protect payment card data. Adopted by payment card networks and applicable to all entities that process, store or transmit Cardholder Data and/or Sensitive Authentication Data, the goal of PCI DSS is to promote safe payments worldwide.

Goals PCI DSS Requirements
Build and Maintain a Secure Network and Systems

- Install and maintain a firewall configuration to protect Cardholder data

- Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

- Protect stored Cardholder data

- Encrypt transmission of Cardholder data across open, public networks

Maintain a Vulnerability Management Program

- Protect all systems against malware and regularly update antivirus software or programs

- Develop and maintain secure systems and applications

Implement Strong Access Control Measures

- Restrict access to Cardholder data by business need to know

- Identify and authenticate access to system components

- Restrict physical access to Cardholder data

Regularly Monitor and Test Networks

- Track and monitor all access to network resources and Cardholder data

- Regularly test security systems and processes

Maintain an Information Security Policy

- Maintain a policy that addresses information security for all personnel

American Express Data Security Requirements

  • Comply with the current PCI Data Security Standard
  • Only store Cardholder Data needed to process American Express Card transactions
  • Use only PCI-approved Payment Devices
  • Report your PCI DSS compliance status to American Express, as required
  • Notify American Express of a Data Incident within 72 hours
  • Adhere to applicable data incident management obligations resulting from a Data Incident

To view Data Security information for another country, click here.

What to do if you have a Data Incident 

Please follow these steps if you have identified a Data Incident at your business.

Step 1:

Fill out the Merchant Data Incident Initial Notice Form and email to EIRP@aexp.com within 72 hours after the Data Incident is discovered

Step 2:

Conduct a thorough investigation; this may require you to hire a Payment Card Industry (PCI) Forensic Investigator.

Step 3:

Promptly provide us with all compromised American Express® Card numbers.

Step 4:

Work with us to help resolve any issues arising from the Data Incident.

View Section 3 of the Data Security Operating Policy for more details on Data Incident Management Obligations.

 

Have more questions?

International: +1 (602) 537-3021

EIRP@aexp.com

We’re here to help.

American Express offers Data Security Incident Notification Services1 to help you inform American Express Card Members who have been affected by a Data Incident at your business.2

We can:

  • Help you reach affected American Express Card Members by working with us and an authorized print vendor who can send out notices3
  • Put you in contact with vendors who can help with various other services, such as call center management and return mail handling
  • Put you in contact with a credit reporting agency that can help offer ID-theft- protection services to the affected American Express Card Members

Have more questions? dataincidentservices@aexp.com.

PCI DSS Reporting Requirements

You’re required to regularly report your PCI DSS status, whether you are compliant or non-compliant. Reporting on time, regardless of status, can prevent a nonrefundable, non-validation data-security fee.

 

The standard PCI validation documents are universal which means you can use the same validation document to report to all the payment brands. The PCI DSS status reporting requirements are determined by the number of American Express Card transactions you process in a given year.  

 

These reporting requirements apply to both Merchants and Service Providers.

To view more details, see Section 4 in the Data Security Operating Policy.

What is Security Technology Enhancement Program (STEP)?

The Security Technology Enhancement Program (STEP)6 is a way for American Express to recognize Merchants that deploy additional security technologies to improve the security of Cardholder Data and Sensitive Authentication Data. 

 

Merchants who qualify for STEP (as determined by American Express):

  • Submit only an annual STEP Attestation form as their annual PCI validation documentation
  • Will not be required to submit any other annual PCI document (ROC or SAQ) or a quarterly vulnerability scan

View our frequently asked questions to learn more and see if you qualify.

How to report your PCI compliance status

 

SecureTrust, a division of Trustwave, is the program administrator of the American Express PCI Compliance Program. You can use SecureTrust™ PCI Manager to upload or create your required PCI DSS validation documents.

 

Log in to your SecureTrust PCI Manager account at: https://portal.securetrust.com

 

Take this training to learn how to report your PCI Compliance.

 

If you have questions about your account, your status, how to use SecureTrust PCI Manager, or if you are no longer the data security contact for your business, please contact SecureTrust at americanexpresscompliance@securetrust.com or call 1-866-659-9016 (available 24/7/365).

Helpful tips and resources

Check out these helpful resources to help protect your business:

Learn PCI DSS Basics

 

Get a better understanding of data security basics, from firewalls to chip technology.

 

Insights & Information

 

View industry articles and information to help your business protect payment data.

 

Follow the PCI Data Security Standard

 

Visit the PCI Security Standards Council document library for specifications and tools.

 

Frequently Asked Questions

1 For US Merchants only

2 Only customers with an American Express Card issued by American Express will be available for notification through this service. Services are not available for customers using American Express Cards issued by other financial institutions, nor for holders of cards other than American Express Cards. 

3 You will be responsible for payment to third parties for the costs of these services. 

4 The standard PCI validation documents are universal. You can use the same validation document to report to all the payment brands. 

5 Each payment brand defines their levels differently.

6 American Express Security Technology Enhancement Program is available to eligible Merchants only. Service Providers are not eligible for STEP.

Don't do business without it