American ExpressAmerican ExpressAmerican ExpressAmerican ExpressAmerican Express
United StatesChange Country
Password
Create an account?
Register now
Log in to your account
Password
Forgot
 Password
?
Create an account
Access your American Express® Merchant Account online
Access account information 24/7
Manage payments and disputes online
Get insights, tools, merchandise and more

Data security is good business.

Learn how to take steps to help protect your customers and your business.

The Data Security Operating Policy
Keeping Card Member information safe and secure is an important part of your agreement to accept American Express® Cards. Compromised data has a negative impact on everyone involved, but there are steps you can take toward minimizing this threat and maintaining customer trust.
Protecting data can help:
Improve customer relationships
Increase overall profitability
Prevent damage to your business's reputation
USA-English
Report a Data Incident
1-888-732-3750 or EIRP@aexp.com
Report Data Security Status
Use Data Incident Notification Services
What to do
Take these recommended steps from the PCI web site toward securing your systems against data incidents.
Know what's required of your business and submit the appropriate paper work on time.
In the event that Card Member information has been compromised, you must report the data incident.
How to report your security status to American Express
Reporting requirements are based on your annual American Express Card transaction volume. Just determine your level of business below, and we'll tell you exactly what you need to do to comply with the Data Security Operating Policy.
Note that these requirements apply to both merchants and service providers.
USA-English
Need assistance reporting your data security status
Level 1: 2.5 million or more American Express Card transactions per year (or if you've been selected a Level 1 by American Express)
Annual On-site Security Assessment Report (required)
This is a detailed on-site examination of the equipment, systems, networks and components where Card Member information is stored, processed, or transmitted.
Either a Qualified Security Assessor (QSA) performs the exam, or you perform the exam and have the results certified by your chief executive officer, chief financial officer, chief information security officer or principal. Results must be submitted to us annually.
For more information, see Section 4, Step 2 of theData Security Operating Policy (PDF)
Quarterly Network Scan (required)
This is a remote test of your Internet-connected computer networks and web servers for potential vulnerabilities.
An Approved Scanning Vendor (ASV) must perform the exam. Then you must complete and submit the ASV's Attestation of Scan Compliance (“AOSC”) or the executive summary of findings of the scan to us every 90 days.
For more information, see Section 4, Step 2 of theData Security Operating Policy (PDF)
Level 2: 50,000 to 2.5 million American Express Card transactions per year (Service providers: less than 2.5 million transactions)
Annual Self Assessment Questionnaire (required)
This is a self-examination of the equipment, systems, networks and components where Card Member information is stored, processed, or transmitted using the PCI Data Security Standards Self-Assessment Questionnaire (“SAQ”).
You must complete the questionnaire and have it certified by your chief executive officer, chief financial officer, chief information security officer or principal. Results must be submitted to us annually.
For more information, see Section 4, Step 2 of theData Security Operating Policy (PDF)
Quarterly Network Scan (required)
This is a remote test of your Internet-connected computer networks and web servers for potential vulnerabilities.
An Approved Scanning Vendor (ASV) must perform the exam. Then you must complete and submit the ASV's Attestation of Scan Compliance (“AOSC”) or the executive summary of findings of the scan to us every 90 days.
For more information, see Section 4, Step 2 of theData Security Operating Policy (PDF)
Level 3 Designated: Less than 50,000 American Express Card Transactions per year and has been designated by American Express as being required to submit validation documents. (merchants only; does not apply to service providers).American Express will contact these designated merchants and provide them details for reporting their security status by submitting PCI validation documents.
Annual Self Assessment Questionnaire (required)
This is a self-examination of the equipment, systems, networks and components where Card Member information is stored, processed, or transmitted using the PCI Data Security Standards Self-Assessment Questionnaire (“SAQ”).
You must complete the questionnaire and have it certified by your chief executive officer, chief financial officer, chief information security officer or principal. Results must be submitted to us annually.
For more information, see Section 4, Step 2 of theData Security Operating Policy (PDF)
Quarterly Network Scan (required)
This is a remote test of your Internet-connected computer networks and web servers for potential vulnerabilities.
An Approved Scanning Vendor (ASV) must perform the exam. Then you must complete and submit the ASV's Attestation of Scan Compliance (“AOSC”) or the executive summary of findings of the scan to us every 90 days.
For more information, see Section 4, Step 2 of theData Security Operating Policy (PDF)
Level 3: Less than 50,000 American Express Card transactions per year (merchants only; does not apply to service providers)
Annual Self Assessment Questionnaire (recommended)
This is a self-examination of the equipment, systems, networks and components where Card Member information is stored, processed, or transmitted using the PCI Security Standards Self-Assessment Questionnaire (“SAQ”).
You may complete the questionnaire and have it certified by your chief executive officer, chief financial officer, chief information security officer or principal. Results may be submitted to us annually. For more information, see Section 4, Step 2 of the Data Security Operating Policy (PDF).
Quarterly Network Scan (recommended)
This is a remote test of your Internet-connected computer networks and web servers for potential vulnerabilities.
An Approved Scanning Vendor (ASV) must perform the exam. Then you must complete and submit the ASV's Attestation of Scan Compliance (“AOSC”) or the executive summary of findings of the scan to us every 90 days.
For more information, see Section 4, Step 2 of theData Security Operating Policy (PDF)
Level EMV*:  50,000 or more American Express Chip-enabled Card transactions per year with at least 75% made on an EMV-enabled (Chip-enabled) terminal capable of processing contact and contactless American Express transactions
Annual EMV Attestation (AEA) (required)
This is a self-examination of the PCI compliance status for equipment, systems, networks and their components where cardholder data or sensitive authorization data (or both) are stored, processed or transmitted.

You must complete the AEA and have it certified by your chief executive officer, chief financial officer, chief information security officer or principal. Results must be submitted to us annually.
For more information, see Section 4, Step 2 of theData Security Operating Policy (PDF)
Submitting required documents
Trustwave is a provider of information security and compliance management solutions, and they are the program administrator of our Data Security Compliance Program. Send required documents to them via their secure portal or fax.
Be sure to include:
DBA (Doing Business As) name
Name, address and phone number of your data security contact
10-digit American Express merchant number (if applicable)
Submit via secure portal
Log in with your user ID at login.trustwave.com.
Forgot your user ID or password? Contact Trustwave Support at
Submit via secure fax
Fax your validation documentation to +1 (312) 276-4019.
*Qualifying transactions must be made by the Card Member with the physical Card present at a Point of Sale system compliant with EMV specifications and capable of processing contact and contactless American Express Chip Cards. Only Merchants who have not had a Data Incident within the previous 12 months can qualify.
Non-Validation Fees and Termination of Agreement
American Express may impose non-validation fees on merchants and terminate the Agreement if merchants or service providers fail to provide the mandatory documentation to American Express by the applicable deadline.

How to help secure your systems against data incidents

54% of assets targeted are e-commerce1

31% of initial intrusions are due to weak passwords2

60% of small businesses close within six months of a data incident3

USA-English
Report a Data Incident
1-888-732-3750 or EIRP@aexp.com
Report Data Security Status
Use Data Incident Notification Services
So what else can you do to protect Card Member information?

Follow the PCI Data Security Standard

Use these global data security standards adopted by payment card brands to ensure that all of your customer information is as secure as possible.

Change your password

This is one of the easiest ways to help prevent data incidents. Small, easy to remember improvements to passwords can make a huge difference in the time it takes to crack a password.

Quick resources

From firewalls to chip technology, watch these short videos for a better understanding of data security basics.

Data Security Training

Check out the data security awareness training available to you and your employees.

1.Trustwave 2014 Global Security Report

2.Trustwave 2014 Global Security Report

3.Symantec 2013 Internet Security Report