Data Security Operating Policies Section 2

American Express expects Merchants to take every precaution to protect Cardmember information at all times, including during online transactions.

In addition to the General Security Standards in Section I, the following additional requirements apply to Merchants that conduct (or intend to conduct) online transactions.


Infrastructure Requirements
When a Merchant processes Cardmember transactions online, the following security requirements must be implemented:
  • Web site must be enabled with Secure Socket Layer 3.0, with 128-bit encryption.*
  • American Express-certified POS device and/or methodology must be used to transmit all transaction data to American Express.
  • Every Web transaction must be authorised using a unique Internet Merchant number and appropriate POS Data Code.
Authentication Requirements
  • Merchants must authenticate customers prior to payment submission.
  • Merchants must follow authentication standards to protect Cardmember data such as:
    • Establish time limits for consumer sessions.
    • Prevent consumer access to secure data following three failed log-on attempts.
    • Establish safeguards to prevent employee access to Cardmember passwords.
    • Set up administrative authority for resetting passwords, issuing temporary passwords and accessing payment data by restricting access to authorised employee groups and enabling the creation of audit trails.
    • Monitor/track access and usage reporting.

* Note: From January 1, 2003 a Merchant must store all Cardmember payment data using triple DES encryption. In addition, all data that is transmitted must utilise Secure Socket Layer 3.0 with 128-bit encryption. As technology and industry standards evolve, these security requirements may be amended to reflect continued technological advancement. Without limiting the generality of the foregoing, the Merchant shall take measures to secure and protect Cardmember payment data, including Card account information, against “hackers” and others who may seek to obtain or modify data without the consent of American Express or the Cardmember.


Please review the general security standards for storing permissible data:

Data Security Operating Policies Section 1  General Security Standards
