- Merchants must authenticate customers prior to payment
- Merchants must follow authentication standards to protect Cardmember data such as:
  - Establish time limits for consumer sessions.
  - Prevent consumer access to secure data, following three failed
  - Establish safeguards to prevent employee access to Cardmember
  - Set up administrative authority for resetting passwords, issuing temporary passwords and accessing payment data by restricting access to authorised employee groups and enabling the creation of audit trails.
  - Monitor/track access and usage reporting.
* Note: From January 1, 2003 a Merchant must store
all Cardmember payment data using triple DES encryption. In
addition, all data that is transmitted must utilise
Secure Socket Layer 3.0 with 128-bit encryption. As technology and
industry standards evolve, these security requirements may be
amended to reflect continued technological advancement. Without
limiting the generality of the foregoing, the Merchant shall take
measures to secure and protect Cardmember payment data, including
Card account information, against "hackers" and others who may seek
to obtain or modify data without the consent of American Express or
Please review the general security standards for storing
General Security Standards