American Express® Targeted Analysis Program—helping you target data incidents.
What is a Cardholder data compromise?
Cardholder data compromise occurs when Cardholder data is lost or stolen. American Express Targeted Analysis Program (TAP) is designed to identify potential Card data losses for our Merchants.
Cardholder data compromise can:
1. Happen when a criminal steals data from your Cardholder Data Environment.
2. Occur even if you don’t store Card numbers.
3. Be very difficult for you to detect.
Categories of Cardholder data compromise include, but aren’t limited to:
Common Point of Purchase (CPP):
American Express Cardmembers report fraudulent transactions on their Card accounts that potentially originated from one or more purchases at your establishment(s).
Card Data Found:
American Express Card and Cardholder data found online are linked to transactions at your establishments.
Malware Suspected:
American Express suspects you’re using software infected with or vulnerable to malicious code.
Respond
Have the person in your office who handles data security contact us at AXPDataSecurity@aexp.com.
Review
Look for security gaps in your Cardholder Data Environment.
Tip: Follow Payment Card Industry Data Security Standard (PCI DSS) Guidance and include any supporting systems and third parties in your review. We may provide additional guidance or support as we work with you.
Report
Send an update about any security gaps you find to AXPDataSecurity@aexp.com.
Remediate
Fix the security gaps found during your review.
Important: If you confirm a data incident has likely occurred, you have 72 hours from discovery to notify the American Express Enterprise Incident Response Program.
Validate
Provide us with updated PCI DSS Validation documents as explained in Section 5 of our Data Security Operating Policy.
How we help you check for security gaps.
Whether evaluating your Cardholder Data Environment for security gaps proactively (recommended) or after receiving a notification from us about a potential Cardholder data compromise, the Targeted Analysis Program includes the following options for your convenience.
Your own technology personnel may review your Cardholder Data Environment for security gaps based on current Payment Card Industry Data Security Standard (PCI DSS) guidance. Here are a few resources to help:
- Website Compromise Checklist – A select list of PCI DSS requirements most often associated with potential compromises involving your website or e-commerce site.
- Payment Card Industry (PCI) Self-Assessment Questionnaire (SAQ) – A series of yes-or-no questions to help you assess security for Cardholder data. American Express provides Merchants with a SecureTrust PCI Manager account to help you determine which SAQ is right for you based on your Card-acceptance methods.
- External Vulnerability Scan – A scan conducted by an Approved Scanning Vendor to identify “high-risk” vulnerabilities requiring resolution. We recommend this scan if your Cardholder Data Environment connects to the internet, even if it’s not required by PCI DSS. We also provide our Merchants who are enrolled in the American Express PCI Compliance Program with a SecureTrust PCI Manager account, which includes external vulnerability scans for up to five endpoints (including your e-commerce site) at no cost to you.
If you have questions, contact your American Express Client Manager or send us an email.
American Express is not responsible for your use of the information provided under the Targeted Analysis Program or any assumptions or conclusions you might draw from its use. American Express does not guarantee or warranty performance of any third party you elect to use.
We recommend engaging a PCI Forensics Investigator to help identify the threats that can result in the loss of sensitive data, credit card information or fraud. PCI Forensics Investigators are uniquely qualified to evaluate your Card acceptance systems and process for security gaps. Here are a few resources to help:
- Shopping Cart Inspect – An analysis of your e-commerce site to find previously unseen threats and malicious attack markers (such as malware, formjacking and cross-site scripting vulnerabilities) that may not be obvious during a self-assessment. This is one of several service options available to American Express Merchants from SecurityMetrics.
- Incident Response – A targeted evaluation of your Cardholder Data Environment. Conducted by any approved PCI Forensics Investigator (PFI) in good standing, this option can be used when you need extra support from someone outside your organization to analyze your riskiest Card payment acceptance channels (per your own internal risk assessment).
- PCI Forensics Investigation – A thorough evaluation of your entire Cardholder Data Environment, as defined by the PCI Security Standards Council, conducted by an approved PCI Forensics Investigator (PFI) in good standing. A PFI is required if you experience a data security incident impacting more than 10,000 unique Cardholders.
Whether payments are dipped, swiped, keyed or spoken, protecting your Customers’ Card information from unauthorized disclosure, theft, modification or destruction when accepted, processed or stored by you or your Covered Parties may have the following benefits:
- Enhance your customers’ experience and trust.
- Prevent damages to your company’s reputation.
- Keep fraud and chargebacks from occurring.
- Avoid costs associated with a data incident.
The Targeted Analysis Program (TAP) provides early identification of a potential Cardholder data compromise to help protect your Customers' Card information. TAP also allows for more flexible, preventive options for reviewing your Cardholder Data Environment (CDE) for potential security gaps.
Early identification, response and remediation can help minimize the impact of a data incident. Some of the costs that may be reduced or avoided when fewer than 10,000 unique American Express Card numbers are involved in a data incident include:
- PCI Forensics Investigation (~$20,000+).
- Compensation costs (calculated at $5 per impacted Card).
- Non-compliance fees (up to $100,000).
- Other remediation and communication costs.
Failing to take appropriate action regarding a potential Cardholder data compromise puts your customers’ data and your brand at risk.
Additionally, per the Data Security Operating Policy (DSOP), failure to meet your Cardholder data compromise obligations may result in the following actions:
- Application of non-compliance fees.
- Withholding payment.
- Termination of your Card Acceptance Agreement.
- AXPDataSecurity@aexp.com
- EIRP@aexp.com
- AXPPCIComplianceProgram@aexp.com
- AmericanExpressCompliance@securetrust.com
We encourage you to contact your Client Manager or Merchant Services at 800-528-5200 to verify the validity of any American Express communications.
American Express doesn’t apply a fee when we alert you to a potential Cardholder data compromise. However, per the DSOP, a non-compliance fee may be applied for failure to identify and remediate security gaps contributing to a Cardholder data compromise in a timely manner. Therefore, it’s important to engage with the American Express Data Security team (AXPDataSecurity@aexp.com) as soon as possible.
While your Payment Card Industry Data Security Standard (PCI DSS) validation scope may be reduced when you outsource all or part of your Card acceptance processes or systems (a recommended practice in many cases), you remain responsible for ensuring Card data accepted, processed or stored by you and your Covered Parties is protected. We recommend contacting any third-party vendors or service providers to whom you provide Cardholder-information access for assistance when you are contacted about a potential Cardholder data compromise.
Please email AXPDataSecurity@aexp.com to let them know you’ve discovered an incident. Then, contact the American Express Enterprise Incident Response Program (EIRP) toll free at 1-888-732-3750, or at 1-602-537-3021, or fill out the Merchant Incident Initial Notice Form and email to EIRP@aexp.com.
Per the DSOP, you must notify American Express immediately and in no case later than 72 hours after discovery of a data incident.
All Merchants and Service Providers required to participate in the American Express PCI Compliance Program must submit PCI DSS validation documentation to SecureTrust.
SecureTrust is a Qualified Security Assessor (QSA) and Approved Scanning Vendor (ASV). You may use the secure portal to complete or upload PCI DSS validation documentation, including the annual assessment and, as applicable, quarterly external vulnerability scans, at no cost to you (some limits may apply).
No. You may hire any Payment Card Industry Forensics Investigator (PFI) of your choice to review your Cardholder Data Environment (CDE) for security gaps.
Note: American Express does not guarantee or warranty performance of any third party you elect to use.
A full PCI Forensics Investigation (PFI) is conducted by an approved PCI Forensics Investigator in good standing. Its purpose is to determine whether a data incident occurred, including when and how it may have happened. The result is a formal PFI report in a format defined/approved by the PCI Security Standards Council. A full PFI is required when a data incident impacts more than 10,000 unique American Express Cards.
A PFI Examination is any Cardholder data security review conducted by a PCI Forensics Investigator in good standing that doesn’t meet the requirements of a full PFI. Typically lower-cost and more flexible than a full PFI, an examination (also known as Shopping Cart Inspect, Incident Response or Compromise Assistance) allows you to engage a PCI Forensics Investigator to conduct a targeted, risk-based evaluation of your CDE.
Note: Use of a PFI Examination over a full PFI is a business decision to be made by you. American Express does not guarantee that another Acquirer or Card Brand will accept the results of a PFI Examination. Nor does American Express guarantee that a PFI Examination will be sufficient to fully remediate a data incident and American Express may require you to take additional action.
The Payment Card Industry Data Security Standard (PCI DSS) provides a baseline of technical and operational requirements to protect Card data. Applicable to all entities involved in payment card processing, PCI DSS requires annual assessment of your entire CDE and, as applicable, quarterly external vulnerability scans.
Providing your PCI validation documentation demonstrates your knowledge of and compliance status with PCI DSS requirements.
Merchants required to participate in the American Express PCI Compliance Program must submit the validation documentation to SecureTrust.
If you have questions about submitting your PCI validation documentation, please contact SecureTrust at 1-866-659-9016 or 1-312-267-3208, or via email at americanexpresscompliance@securetrust.com.
The Data Security Operating Policy (DSOP) is a set of requirements embedded into your Card Acceptance Agreement. American Express Merchants must adhere to these requirements in order to protect Cardholder Data and Sensitive Authentication Data.
These requirements include:
- Comply with the current PCI DSS technical and operational requirements
- Store cardholder data only as needed to facilitate American Express Card transactions
- Use only PCI-approved PIN Entry Devices or Payment Applications
- Provide PCI DSS validation documentation to American Express as required
- Notify American Express within 72 hours of discovering a data incident
- Adhere to applicable indemnity obligations resulting from a data incident
View the Data Security Operating Policy to learn more.
When we identify a potential Cardholder data compromise associated with Merchants accepting the American Express Card via a Merchant Services Provider, we notify the Merchant Services Provider who, in turn, notifies you.
Your Merchant Services Provider may provide alternative security gap review or remediation support. For more information about your Cardholder data compromise obligations, see www.americanexpress.com/dsr.
- CDE: Cardholder Data Environment
- TAP: Targeted Analysis Program
- DSOP: Data Security Operating Policy
- PCI DSS: Payment Card Industry Data Security Standard
- PCI: Payment Card Industry
- PFI: a formal PCI Forensics Investigation conducted by a PCI Forensics Investigator