The Data Security Operating Policy is an American Express policy, with which all Merchants, Processors, and Service Providers that store, process or transmit American Express® Cardmember information must comply. This policy has been strengthened to reflect current business conditions, provides additional requirements to help safeguard Cardmember information, and aligns with the Payment Card Industry Data Security Standard (PCI Standard). The PCI Data Security Standard sets out a common set of technical requirements for safeguarding sensitive payment data, which are applicable across the industry.
The Data Security Operating Policy applies to all entities (Merchants and Service Providers) that process, store or transmit Cardmember information. Its requirements apply to all equipment, systems, and networks on which American Express Cardmember information is processed, stored, or transmitted.
Compromised data can have a negative impact on your business, other Merchants and card issuers. Even one incident can severely damage a company's reputation and its ability to conduct business effectively. Addressing this threat by implementing security operating procedures can make your customers feel more secure, and can enhance the reputation of your business.
The Data Security Operating Policy is a sound business practice and a requirement of American Express. By accepting American Express® Cards, you agree to be bound by the terms and conditions of our Card Acceptance Agreement, which includes data security requirements and mandates compliance with American Express policies and procedures.
From January 2007, all American Express Merchants and Service Providers are required to comply with the Data Security Operating Policy. This policy introduces additional obligations based on your transaction volume, including a requirement to provide American Express with documentation that validates your compliance with the PCI Data Security Standard. This test must be performed by a third-party security assessor acceptable to American Express. American Express has the right to assess non-compliance fees in accordance with the Data Security Operating Policy for your failure to provide the documentation by the applicable deadline.
The policy applies to any of your equipment, systems, and networks that transmit or process Cardmember information.
We encourage Merchants and Service Providers to complete an initial review, develop a remediation plan, complete the items on the remediation plan, and revalidate compliance for those outstanding items. This plan can be submitted to American Express for review until full compliance is achieved. If American Express accepts the plan, in its sole discretion, it can choose not to impose the non-compliance fees for a Merchant's failure to provide the documentation validating its compliance with the PCI Data Security Standard. A Merchant may still remain liable for fraud resulting from a security compromise.
The PCI Data Security Standard is the technical foundation for the Data Security Operating Policy, allowing Merchants and Service Providers to comply with one set of data security technical standards. The Data Security Operating Policy defines the levels, requirements and validation deadline for American Express.
Once you have completed your requirements as set out in the Data Security Operating Policy (DSOP), you should send your validation documentation by one of these methods:
Secure Portal: Validation Documentation may be uploaded via Trustwave’s secure portal. Please contact Trustwave at 000-800-100-4058 or via email at AmericanExpressCompliance@trustwave.com for instructions on using this portal.
Secure Fax: Validation Documentation may be faxed to: +1 (312) 276-4019. Please include your name, DBA (Doing Business As) name, the name of your data security contact, your address and phone number, and, for merchants only, your 10-digit American Express merchant number.
Mail: Validation Documentation may be copied in an encrypted format onto a compact disc. Place the disc in an envelope marked “Mandatory” and mail it to:
American Express - DSOP Compliance Program
70 West Madison, Suite 1050
Chicago, IL 60602 USA
E-mail the encryption key required to decrypt the Validation Documentation, along with your name, DBA (Doing Business As) name, the name of your data security contact, your address and phone number and, for merchants only, your 10-digit American Express merchant number, to Trustwave at AmericanExpressCompliance@trustwave.com.
Level 3 merchants and Level 3 Service Providers (processing fewer than 50,000 American Express transactions per year) need not submit Validation Documentation, but nevertheless must comply with, and are subject to liability under, all other provisions of this Data Security Operating Policy. Some Level 3 merchants may be required to submit Validation Documentation if so determined by American Express or to comply with applicable regulatory requirements.