Safe. Secure. Simple.
American Express® requires that you take simple steps to help protect your customers' data and your business.
The Data Security Operating Policy

Complying with the Data Security Operating Policy (PDF) is part of your agreement to accept American Express Cards. That way you know you're doing everything you can to keep private information safe and protect your customers and your business.
Merchant and Service Provider* requirements
To determine what is required of your business by the Data Security Operating Policy, find your merchant level below. Requirements are conditional based on volume of annual American Express Card transactions.
Level 1: 2.5 million or more American Express Card transactions per year (or if American Express has deemed you a Level 1 Service Provider)
Annual Onsite Security Assessment Report (required)
The Annual Onsite Security Assessment Report is a detailed onsite examination of merchant equipment, systems, networks and components where Cardmember information is stored, processed, or transmitted.
The exam must be performed by a Qualified Security Assessor (QSA), or, if performed by you, must be certified by your chief executive officer, chief financial officer, chief information security officer, or principal. The results must be submitted annually to American Express.
For more information, see Section 4, Step 2 of the Data Security Operating Policy (PDF)
Quarterly Network Scan (required)
The Quarterly Network Scan is a remote test of a merchant's internet-connected computer networks and web servers for potential weaknesses and vulnerabilities. The scan must be performed by an Approved Scanning Vendor (ASV). You must complete and submit the ASV's Attestation of Scan Compliance ("AOSC") or the executive summary of findings of the scan to American Express every 90 days.
For more information, see Section 4, Step 2 of the Data Security Operating Policy (PDF)
Level 2: 50,000 to 2.5 million American Express Card transactions per year
Annual Self Assessment Questionnaire (required)
The Annual Self Assessment Questionnaire is a self-examination of merchant equipment, systems, networks and components where Cardmember information is stored, processed, or transmitted using the PCI Security Standards Self-Assessment Questionnaire ("SAQ").
The Annual Self Assessment Questionnaire must be completed by you and certified by your chief executive officer, chief financial officer, chief information security officer, or principal. The results must be submitted annually to American Express.
For more information, see Section 4, Step 2 of the Data Security Operating Policy (PDF)
Quarterly Network Scan (required)
The Quarterly Network Scan is a remote test of a merchant's internet-connected computer networks and web servers for potential weaknesses and vulnerabilities. The scan must be performed by an Approved Scanning Vendor (ASV). You must complete and submit the ASV's Attestation of Scan Compliance ("AOSC") or the executive summary of findings of the scan to American Express every 90 days.
For more information, see Section 4, Step 2 of the Data Security Operating Policy (PDF)
Level 3: Less than 50,000 American Express Card transactions per year
Annual Self Assessment Questionnaire (recommended)
The Annual Self Assessment Questionnaire is a self-examination of merchant equipment, systems, networks and components where Cardmember information is stored, processed, or transmitted using the PCI Security Standards Self-Assessment Questionnaire ("SAQ").
The Annual Self Assessment Questionnaire must be completed by you and certified by your chief executive officer, chief financial officer, chief information security officer, or principal. The results must be submitted annually to American Express.
For more information, see Section 4, Step 2 of the Data Security Operating Policy (PDF)
Quarterly Network Scan (recommended)
The Quarterly Network Scan is a remote test of a merchant's internet-connected computer networks and web servers for potential weaknesses and vulnerabilities. The scan must be performed by an Approved Scanning Vendor (ASV). You must complete and submit the ASV's Attestation of Scan Compliance ("AOSC") or the executive summary of findings of the scan to American Express every 90 days.
For more information, see Section 4, Step 2 of the Data Security Operating Policy (PDF)
Level EMV**: 50,000 or more American Express Card transactions per year with at least 75% made on an EMV-enabled terminal
Annual EMV Attestation (mandatory)
The Annual EMV Attestation ("AEA") involves a process using PCI DSS requirements that allows for self-examination of your equipment, systems, and networks and their components where Cardholder Data or Sensitive Authentication Data (or both) are stored, processed, or transmitted.
The AEA must be performed by you and certified by your chief executive officer, chief financial officer, chief information security officer, or principal. You must complete the process by submitting the AEA form annually to American Express.
For more information, see Section 4, Step 2 of the Data Security Operating Policy (PDF)
Submit required documents
American Express has retained Trustwave to administer our Data Security Compliance Program. Trustwave is a provider of information security and compliance management solutions to merchants and service providers.
Send required documents to Trustwave through their secure portal or by secure fax. Include your DBA (Doing Business As) name, the name, address and phone number of your data security contact, and your 10-digit American Express merchant number (if applicable). See the Data Security Operating Policy (PDF) for more details.
Submit through a secure portal
Log in with your User ID at login.trustwave.com
If you do not have your User ID, please contact Trustwave Support at
Submit via secure fax
Fax your Validation Documentation to +1 (312) 276-4019.
You are required to adhere to the American Express Data Security Operating Policy, including complying with the Payment Card Industry Data Security Standard.
* Service providers are third party organizations that provide services to merchants and other users related to the processing of American Express transactions. Service providers include Authorized Processors, Third Party Processors, Gateway Providers, and any other providers to merchants of point of sale equipment, software, or systems or other payment processing solutions or services.
** Qualifying transactions must be made by the Card Member with the physical Card present at a Point of Sale system compliant with EMV specifications and capable of processing contact and contactless American Express Chip Cards. EMV® is an open-standard set of payment industry specifications for integrated-circuit, chip-based payment and acceptance devices, including terminals and ATMs. The EMV specifications were developed to define a set of requirements to ensure interoperability between chip-based payment products and terminals.
Non-Validation Fees and Termination of Agreement
American Express has the right to impose non-validation fees on merchants and service providers and terminate the agreement to accept American Express Cards if these requirements are not fulfilled or if mandatory documentation has not been provided to American Express by the applicable deadline. See the Data Security Operating Policy (PDF) for more details.
What to do if your data has been compromised
In the event that cardholder data or sensitive authorization data has been compromised by unauthorized access, misuse or loss, you must notify American Express immediately, and in no case later than 24 hours after discovery of a Data Incident.
How to contact the American Express Enterprise Incident Response Program (EIRP):
US (888) 732-3750 (toll free)
International 1-(602)-537-3021
See section 2 of the Data Security Operating Policy (PDF) for details.