
Data security is good business.

Learn how to take the required steps to protect your customers and your business.

The Data Security Operating Policy
Keeping Card Member information safe and secure is an important part of your agreement to accept American Express® Cards. Compromised data has a negative impact on everyone involved, but there are steps you can take toward minimising this threat and maintaining customer trust.
Protecting data can help:
Improve customer relationships
Increase overall profitability
Prevent damage to your business's reputation
Report a Data Incident
+1 602 537 3021 (international toll applies) or EIRP@aexp.com
Report Data Security Status
How to report your security status to American Express
Reporting requirements are based on your annual American Express Card transaction volume. Just determine your level of business below, and we'll tell you exactly what you need to do to comply with the Data Security Operating Policy.
Note that these requirements apply to both Merchants and service providers.
Level 1: 2.5 million or more American Express Card transactions per year (or any Merchant that American Express has designated as Level 1)
Annual On-site Security Assessment Report (required)
This is a detailed on-site examination of the equipment, systems, networks and components where Card Member information is stored, processed, or transmitted.
Either a Qualified Security Assessor (QSA) performs the exam, or you perform the exam and have the results certified by your chief executive officer, chief financial officer, chief information security officer or principal. Results must be submitted to us annually.
For more information, see Section 4, Step 2 of the Data Security Operating Policy (PDF)
Quarterly Network Scan (required)
This is a remote test of your Internet-connected computer networks and web servers for potential vulnerabilities.
An Approved Scanning Vendor (ASV) must perform the exam. Then you must complete and submit the ASV's Attestation of Scan Compliance (“AOSC”) or the executive summary of findings of the scan to us every 90 days.
For more information, see Section 4, Step 2 of the Data Security Operating Policy (PDF)
Level 2: 50,000 to 2.5 million American Express Card transactions per year (Service providers: less than 2.5 million transactions)
Annual Self Assessment Questionnaire (required)
This is a self-examination of the equipment, systems, networks and components where Card Member information is stored, processed, or transmitted using the PCI Data Security Standards Self-Assessment Questionnaire (“SAQ”).
You must complete the questionnaire and have it certified by your chief executive officer, chief financial officer, chief information security officer or principal. Results must be submitted to us annually.
For more information, see Section 4, Step 2 of the Data Security Operating Policy (PDF)
Quarterly Network Scan (required)
This is a remote test of your Internet-connected computer networks and web servers for potential vulnerabilities.
An Approved Scanning Vendor (ASV) must perform the exam. Then you must complete and submit the ASV's Attestation of Scan Compliance (“AOSC”) or the executive summary of findings of the scan to us every 90 days.
For more information, see Section 4, Step 2 of the Data Security Operating Policy (PDF)
Level 3 Designated: Less than 50,000 American Express Card transactions per year, where American Express has designated the Merchant as required to submit validation documents (Merchants only; does not apply to service providers). American Express will contact designated Merchants directly with details of how to report their security status by submitting PCI validation documents.
Annual Self Assessment Questionnaire (required)
This is a self-examination of the equipment, systems, networks and components where Card Member information is stored, processed, or transmitted using the PCI Data Security Standards Self-Assessment Questionnaire (“SAQ”).
You must complete the questionnaire and have it certified by your chief executive officer, chief financial officer, chief information security officer or principal. Results must be submitted to us annually.
For more information, see Section 4, Step 2 of the Data Security Operating Policy (PDF)
Quarterly Network Scan (required)
This is a remote test of your Internet-connected computer networks and web servers for potential vulnerabilities.
An Approved Scanning Vendor (ASV) must perform the exam. Then you must complete and submit the ASV's Attestation of Scan Compliance (“AOSC”) or the executive summary of findings of the scan to us every 90 days.
For more information, see Section 4, Step 2 of the Data Security Operating Policy (PDF)
Level 3: Less than 50,000 American Express Card transactions per year (Merchants only; does not apply to service providers)
Annual Self Assessment Questionnaire (recommended)
This is a self-examination of the equipment, systems, networks and components where Card Member information is stored, processed, or transmitted using the PCI Data Security Standards Self-Assessment Questionnaire (“SAQ”).
You may complete the questionnaire and have it certified by your chief executive officer, chief financial officer, chief information security officer or principal. Results may be submitted to us annually.
For more information, see Section 4, Step 2 of the Data Security Operating Policy (PDF).
Quarterly Network Scan (recommended)
This is a remote test of your Internet-connected computer networks and web servers for potential vulnerabilities.
An Approved Scanning Vendor (ASV) must perform the exam. Then you must complete and submit the ASV's Attestation of Scan Compliance (“AOSC”) or the executive summary of findings of the scan to us every 90 days.
For more information, see Section 4, Step 2 of the Data Security Operating Policy (PDF)
Level EMV Merchant: Merchants who have not been involved in a Data Incident within the previous 12 months and who process 50,000 or more American Express Card transactions per year, of which at least 75% are made by the Card Member with the physical Card present and originate from EMV Chip-Enabled Devices.*
Annual Assessment of Compliance Milestones 1-4 of the PCI DSS Prioritised Approach Validation Documentation
This Annual Assessment is an examination of your equipment, systems, and networks (and their components) where Cardholder Data or Sensitive Authentication Data (or both) are stored, processed or transmitted. It must be performed by you and certified by your chief executive officer, chief financial officer, chief information security officer or principal, and be submitted annually to American Express.
For more information, see Section 4, Step 2 of the Data Security Operating Policy (PDF)
Submitting required documents
Trustwave is a provider of information security and compliance management solutions and is the program administrator of our Data Security Compliance Program. Send required documents to Trustwave via their secure portal or by fax.
Be sure to include:
Trading as [Business Name]
Name, address and phone number of your data security contact
10-digit American Express Merchant number (if applicable).
Submit via secure portal
Log in with your user ID at login.trustwave.com.
Forgot your user ID or password? Contact Trustwave Support at
Submit via secure fax
Fax your validation documentation to +1 312 276 4019.
*Qualifying transactions must be made by the Card Member with the physical Card present at a Point of Sale system compliant with EMV specifications and capable of processing contact and contactless American Express Chip Cards. Only Merchants who have not had a Data Incident within the previous 12 months can qualify.
Non-Validation Fees and Termination of Agreement
American Express may impose non-validation fees on Merchants and terminate the Agreement if Merchants or service providers fail to provide the mandatory documentation to American Express by the applicable deadline.

How to help secure your systems against data incidents

54% of assets targeted are e-commerce [1]

31% of initial intrusions are due to weak passwords [2]

60% of small businesses close within six months of a data incident [3]

So what else can you do to protect Card Member information?

Follow the PCI Data Security Standard

Use these global data security standards adopted by payment card brands to ensure that all of your customer information is as secure as possible.

Change your password

This is one of the easiest ways to help prevent data incidents. Small, easy-to-remember improvements to a password, above all making it longer, can make a huge difference in the time it takes to crack it.

Quick resources

From firewalls to chip technology, watch these short videos for a better understanding of data security basics.

Data Security Training

Check out the data security awareness training available to you and your employees.

[1] Trustwave 2014 Global Security Report

[2] Trustwave 2014 Global Security Report

[3] Symantec 2013 Internet Security Report

What to do if you have a data incident

If Card Member information is compromised by unauthorised access, misuse or loss, you'll need to:

1. Immediately send an email to EIRP@aexp.com no later than 24 hours after the incident is discovered. Please complete the Merchant Data Incident - Initial Notice Form and attach it to your email.

2. Conduct a thorough investigation, which may require you to engage a Payment Card Industry Forensic Investigator (PFI).

3. Promptly provide us with all compromised American Express Card numbers.

4. Work with us to help resolve any issues arising from the data incident.

The PCI Data Security Standard
Goals and PCI DSS requirements
Build and Maintain a Secure Network and Systems
1. Install and maintain a firewall to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5. Protect all systems against malware and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need to know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel
How strong is your password?
Passwords should be easy for you to remember but difficult for others to guess.
Try to avoid passwords with:
A single word that appears in a dictionary
Only the first letter capitalised
Digits at the end of the password
Names of pets, family members, or sports teams
Examples - weak passwords
password
Password
Password123
Bailey1, Michael, Brumbies
Strong passwords are long and include:
Multiple words or abbreviations (12 characters)
Numbers substituted for letters (12 characters)
Numbers and special characters (20 characters)
Long strings of characters built from a phrase, because the abbreviation is easy to remember: "my commute on the M31 Is a Nightmare" gives mcoM31i@N
Note that substituting a number or symbol for a letter ("@" for "a", "3" for "e") is one of the first transformations password-cracking tools try, so it adds far less than extra length does. Length is what matters most.
Examples - strong passwords
(Do not use these examples, create your own)
iHatetraf
iH@+3+r@f
i#Hate#M31
mcoM31i@NmMcom3!i$anM
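The rules above can be checked mechanically. The following Python checker is an added example written for this page, not American Express or PCI SSC code. The DICTIONARY and NAMES sets are small constructed stand-ins for the word lists a cracking tool actually carries (real lists run to millions of entries), and the LEET table is an assumption listing the common substitutions that rule-based crackers undo. It flags the weak patterns listed above, shows that "iH@+3+r@f" collapses to the same base as "iHatetraf" (so the substitutions add no protection a cracker would not try), and gives a naive brute-force search-space estimate in bits. Because it applies the page's own rules literally, it also flags the first three "strong" examples as shorter than 12 characters (and the third for trailing digits); that is the check worth keeping, since length is what makes "mcoM31i@NmMcom3!i$anM" strong.

```python
"""Password-hygiene checker for the weak-password patterns listed above.

Added example for this page (not American Express or PCI SSC code).
Word lists and the substitution table are constructed assumptions.
"""
import math
import re
import string

# Constructed stand-ins for the word lists a cracking tool would use.
DICTIONARY = {"password", "welcome", "summer", "letmein", "hate", "traffic"}
NAMES = {"bailey", "michael", "brumbies", "max", "charlie"}

# Assumed common leetspeak substitutions that rule-based crackers undo (or try).
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "+": "t", "7": "t"})

MIN_LENGTH = 12  # the page's guidance for multi-word passwords


def _strip_digit_suffix(password: str) -> str:
    """'Password123' -> 'Password': trailing digits are a standard cracker rule."""
    return re.sub(r"\d+$", "", password)


def normalise(password: str) -> str:
    """Reduce a password to the base a cracker's rules would reach:
    drop a trailing run of digits, undo leetspeak, lower-case."""
    return _strip_digit_suffix(password).translate(LEET).lower()


def weaknesses(password: str) -> list:
    """Return the weak patterns from the page that this password matches."""
    found = []
    base = normalise(password)
    stripped = _strip_digit_suffix(password)
    if len(password) < MIN_LENGTH:
        found.append("shorter than %d characters" % MIN_LENGTH)
    if base in DICTIONARY:
        found.append("single dictionary word")
    if base in NAMES:
        found.append("name of a pet, family member or sports team")
    if password[:1].isupper() and not any(c.isupper() for c in password[1:]):
        found.append("only the first letter capitalised")
    if re.search(r"\d+$", password):
        found.append("digits at the end")
    # Substitutions on a known word: the cracker reaches the word anyway.
    if stripped != stripped.translate(LEET) and (base in DICTIONARY or base in NAMES):
        found.append("letter substitutions on a known word")
    return found


def same_base(a: str, b: str) -> bool:
    """True when two passwords collapse to the same base, i.e. the second
    adds nothing a rule-based cracker would not try from the first."""
    return normalise(a) == normalise(b)


def entropy_bits(password: str) -> float:
    """Naive brute-force search-space size in bits: length * log2(alphabet),
    where the alphabet is the union of character classes used. This is an
    upper bound only; dictionary-derived passwords are far weaker than it says."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return len(password) * math.log2(size) if size else 0.0


if __name__ == "__main__":
    # The page's own weak and strong examples, plus one classic substitution.
    samples = ["password", "Password", "Password123", "Bailey1", "Michael",
               "Brumbies", "P@ssw0rd", "iHatetraf", "iH@+3+r@f", "i#Hate#M31",
               "mcoM31i@NmMcom3!i$anM"]
    for pw in samples:
        print(f"{pw:24s} {entropy_bits(pw):6.1f} bits  "
              f"{weaknesses(pw) or 'no listed weakness'}")
```

Run it as a script to see every sample scored; the weak examples each match two to four of the listed patterns, "P@ssw0rd" is caught because it normalises to "password", and only the 21-character example passes cleanly. A real deployment would swap the constructed sets for a breached-password list and keep the length check as the primary gate.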
Service Providers are authorised processors, third party processors, gateway providers, and any other providers to Merchants of point of sale equipment, software, or systems, or other payment processing solutions or services.