Skip to Content
American Express
Merchant Services
Learn about Accepting the Card Manage Your Merchant Account Profit More from Your Relationship
Reconcile Payments and Resolve Disputes
Using a Terminal to Complete Transactions
Introducing Electronic Merchant Services
Review our Policies and Procedures
Data Security Operating Policies
General Standards
Additional Standards for Online Transactions
Reduce Fraud and Chargebacks
Learn about Online Merchant Services
Find Answers to Common Questions
Data Security Operating Policies Section 1

Log in to Online Merchant Services

Apply to accept the Card

A Merchant may store the following data, for processing future transactions:
  • Card number
  • Card expiration date
General Security Standard requirements for storing permissible data are described below.


Notification Duty to American Express
A joint effort by American Express and Merchants to prevent / limit damage and liability from potential data compromise or attack requires that certain responsibilities be assigned.

If a Merchant stores American Express payment information, they are obligated to notify us immediately if that data is (or may be) compromised. In addition, the Merchant is expected to act in good faith and work with American Express to rectify any issues that may result. American Express is your partner in resolving these issues and will respect your request for confidentiality. By working together, we can help strengthen consumer faith in our businesses and continue to fortify the bottom lines of our companies.

Please contact your Client Manager or call 1300 36 36 14, if you believe that payment data may be compromised.

Failure to Notify
In the event that the Merchant fails to notify American Express immediately, they may be liable for the dollar amount of any or all fraudulent transactions that occur on American Express Cards.

American Express can identify Cards that are compromised at the Merchantís site, through common point of purchase techniques.

Doís for Data Storage
Disclosure
  • Establish a company privacy policy that explains the security measures your company has put in place to protect Cardmember transaction data.
Firewalls
  • Employ internal and external firewalls to prevent intrusions from the Internet and from within your organisation.
Encryption
  • Encrypt all stored payment data using triple DES encryption.*
Audits
  • Be prepared to provide audit reports to American Express, or allow American Express audits.
Employee Access/Passwords
  • Assign employee access to payment data on a need-to-know basis.
  • Issue a unique ID to each person with computer access to payment data.
  • Maintain the ability to track employee access to payment data, by using unique IDs.
  • Change employee passwords, regularly.
Systems
  • Routinely test internal security systems and processes. Annual certification of systems and processes by a third party Security Evaluation Company is preferred.
  • Maintain physical building and premise access security.
  • Restrict physical access to Cardmember payment data.
Dontís for Data Storage
  • Never store payment data on a Web server or cache anywhere in memory related to a Web server. Payment data may only be stored in a separate database, with at least one external firewall.
  • Never store the Card Identification (CID) number. (A CID may be maintained on your systems for up to 10 minutes, in order to process a Cardmember payment.)
  • Never use Cardmember payment data for any purpose other than processing future transactions.

* Note: From January 1, 2003 a Merchant must store all Cardmember payment data using triple DES encryption. In addition, all data that is transmitted must utilise Secure Socket Layer 3.0 with 128-bit encryption. As technology and industry standards evolve, these security requirements may be amended to reflect continued technological advancement. Without limiting the generality of the foregoing, the Merchant shall take measures to secure and protect Cardmember payment data, including Card account information, against ďhackersĀEand others who may seek to obtain or modify data without the consent of American Express or the Cardmember.


Please review the additional security requirements for online transactions:

Data Security Operating Policies Section 2  Additional Security Standards for Conducting Online Transactions

reasons to enrol for Automated Batch Submission Internet Options,simple, fast, safe
Online merchant services, fast & easy cash flow management, click for details now