- Never store payment data on a Web server or cache anywhere in memory related to a Web server. Payment data may only be stored in a separate database, with at least one external firewall.
- Never store the Card Identification (CID) number. (A CID may be maintained on your systems for up to 10 minutes, in order to process a Cardmember payment.)
- Never use Cardmember payment data for any purpose other than processing future transactions.
* Note: From January 1, 2003 a Merchant must store all Cardmember payment data using triple DES encryption. In addition, all data that is transmitted must utilise Secure Socket Layer 3.0 with 128-bit encryption. As technology and industry standards evolve, these security requirements may be amended to reflect continued technological advancement. Without limiting the generality of the foregoing, the Merchant shall take measures to secure and protect Cardmember payment data, including Card account information, against ďhackersĀEand others who may seek to obtain or modify data without the consent of American Express or the Cardmember.
Please review the additional security requirements for online transactions:
Additional Security Standards for Conducting Online Transactions