What is a Service Provider?
Service Providers are third party organisations that provide services to Merchants and other users related to the processing of American Express transactions. Service Providers include Authorised Processors, Third Party Processors, Gateway Providers, and any other providers of point of sale equipment, software, or systems or other payment processing solutions or services.
Service Providers, like Merchants, must agree to the American Express Data Security Operating Policy and comply with the Payment Card Industry Data Security Standard.
Data Security StandardAny business that processes, stores or transmits Cardmember information must take all possible precautions to protect their customers and themselves. By implementing the PCI Data Security Standard through compliance with the Data Security Operating Policy (DSOP), you can bring a higher level of confidence to your customers and your business.
American Express, working as a member of the PCI Security Standards Council, has been instrumental in the development of the PCI Data Security Standard, which sets out how to protect account payment data.
View the Payment Card Industry Data Security Standard.
All Service Providers are required to adhere to the American Express Data Security Operating Policy .
Service Providers must submit the following validation documentation:
1. Annual Onsite Security Assessment Validation Documentation
The Annual Onsite Security Assessment is a detailed onsite examination of a Merchant's technical and operational systems, equipment and networks (and their components) where Cardmember information is processed, stored, or transmitted. The assessment may be performed by a Qualified Security Assessor (QSA) or the Merchant, provided it is certified by the chief executive officer, chief financial officer, or principal of the Merchant. A list of assessors can be found at
The assessor completes a Report of Compliance (ROC), which provides details of the environment assessed, and the results of the assessment. The ROC contains an Attestation of Compliance (AOC) form, which the Merchant or QSA completes.American Express accepts either the AOC or executive summary of the ROC as suitable validation documentation.
2. Quarterly Network Scan Validation Documentation
The Quarterly Network Scan is a process that tests a Merchant's Internet-facing infrastructure, such as web servers and network devices for potential weaknesses and vulnerabilities. This test is performed remotely and must be performed by an Approved Scanning Vendor (“ ASV ”). A list of ASVs can be found at
American Express accepts either the executive summary of a passing vulnerability scan, or the Attestation of Scan Compliance (AOSC) for the vulnerability scan.
Once you have completed your requirements, you should send your validation documentation on a compact disc, in the required formats, to the following address, as detailed in the Data Security Operating Policy.
American Express Australia Limited
GNO Data Security Unit
GPO Box 1582
Sydney, NSW 2001
Non-Validation Fees and Termination of Card Acceptance Agreement
Please note that Merchants risk incurring fees for non-validation of PCI DSS compliance status and potential termination of their American Express Card Acceptance Agreement if they do not comply with this policy.
In case of breach
Data Incident Management Obligations
Merchants must notify American Express immediately and no more than twenty-four (24) hours after discovery of a Data Incident.
If you believe that Cardmember information has been compromised, please call our Customer Care Services Team on 1300 363 614 (Monday - Friday, 6.30am - 6.00pm) immediately. You may also notify the American Express Enterprise Incident Response Program (EIRP) by filling out the Initial Notice Form and sending it via email to EIRP@aexp.com no later than twenty-four (24) hours from discovery of a Data Incident.
Please see the Data Security Operating Policy Section 2, for all details pertaining to Data Incident Management Obligations.