
Frequently Asked Questions

Here are the answers to some of our Merchants' most frequently asked questions.

Answers

The Data Security Operating Policy is an American Express policy with which all Merchants, Processors, and Service Providers that store, process or transmit American Express® Cardmember information must comply. The policy has been strengthened to reflect current business conditions, provides additional requirements to help safeguard Cardmember information, and aligns with the Payment Card Industry Data Security Standard (PCI Standard). The PCI Data Security Standard sets out a common set of technical requirements for safeguarding sensitive payment data, applicable across the whole payment industry.

The Data Security Operating Policy applies to all entities (Merchants and Service Providers) that process, store or transmit Cardmember information. Its requirements apply to all equipment, systems, and networks on which American Express Cardmember information is processed, stored, or transmitted.


Compromised data can have a negative impact on your business, other Merchants and card issuers. Even one incident can severely damage a company's reputation and its ability to conduct business effectively. Addressing this threat by implementing security operating procedures can make your customers feel more secure, and can enhance the reputation of your business.


The Data Security Operating Policy is a sound business practice and a requirement of American Express. By accepting American Express® Cards, you agree to be bound to terms and conditions of our Card Acceptance Agreement, which includes data security requirements and mandates compliance with American Express policies and procedures.


From January 2007 all American Express Merchants and Service Providers are required to comply with the Data Security Operating Policy. The policy introduces additional obligations based on your transaction volume, including a requirement to provide American Express with documentation that validates your compliance with the PCI Data Security Standard. This validation must be performed by a third-party security assessor acceptable to American Express. Validation documentation must be received by American Express no later than 31st March 2008. American Express has the right to assess non-compliance fees in accordance with the Data Security Operating Policy if you fail to provide the documentation by the applicable deadline.

Yes, the policy still applies to any of your equipment, systems, and networks that transmit or process Cardmember information.


We encourage Merchants and Service Providers to complete an initial review, develop a remediation plan, complete the items on that plan, and revalidate compliance for the items that were outstanding. The plan can be submitted to American Express for review while full compliance is being achieved. If American Express accepts the plan, at its sole discretion, it can choose not to impose non-compliance fees for a Merchant's failure to provide the documentation validating its compliance with the PCI Data Security Standard. A Merchant may nonetheless remain liable for fraud resulting from a security compromise.

The PCI Data Security Standard is the technical foundation for the Data Security Operating Policy, allowing Merchants and Service Providers to comply with one set of data security technical standards. The Data Security Operating Policy defines the levels, requirements and validation deadline for American Express.


Level 1 and Level 2 Merchants must submit the validation documentation described in the Data Security Operating Policy in a protected manner. The documents should be encrypted, placed on a compact disc and submitted to:
American Express Payment Services Limited
GNO Data Security Unit
PO Box 54886
London, SW1W 0YW
United Kingdom

Email the encryption key and your 10-digit American Express Merchant number to: AmericanExpressDataSecurityemea@aexp.com


Level 3 Merchants are not required to submit validation documentation to American Express, but nevertheless must comply with and are subject to liability under all other provisions of the Data Security Operating Policy. It is strongly recommended that Level 3 Merchants consider obtaining quarterly network scans.


American Express has retained Trustwave to help us administer our Data Security Compliance Program. Trustwave is a leading provider of information security and compliance management solutions to merchants and service providers. We are glad you're checking up on this - we can assure you that this company is reputable and will adhere to all American Express privacy principles.


Yes. You may use any of the approved vendors listed at https://www.pcisecuritystandards.org/qsa_asv/find_one.shtml

Yes, it will be necessary for you or your chosen authorised security vendor to submit this information to Trustwave (TW). TW has been contracted and authorised to collect this information on behalf of American Express.


Yes, you may submit your validation documentation to Trustwave via our secure portal. Send an email to Trustwave at AmericanExpressCompliance@trustwave.com and request a customised link to the secure portal. Uploading your validation documentation is quick and easy.
