Data Security Standard for Merchants
Any business that transmits, processes or stores Cardmember information must take all possible precautions to protect their customers and themselves. Implementing the PCI Data Security Standard through compliance with the Data Security Operating Policy (DSOP) brings a higher level of confidence to your customers and your business.
View the American Express Data Security Operating Policy (PDF).
American Express, working as a member of the PCI Security Standards Council, has been instrumental in the development of the PCI Data Security Standard, which sets how to address the issue of Cardmember security.
View the Payment Card Industry Data Security Standard.
All American Express Merchants are categorised into one of three levels for data security, based on their volume of American Express transactions. Your data security requirements are determined by the level your business falls under. The table below will help you to determine your level, and shows your requirements for compliance with the American Express Data Security Operating Policy.
* Level 3 Merchants need not submit Validation Documentation, but still must comply with all other provisions of the Data Security Operating Policy. View the American Express Data Security Operating Policy (PDF).
Compliance Requirements for Merchants
All Merchants are required to adhere to the American Express Data Security Operating Policy, including compliance with the Payment Card Industry Data Security Standard. In addition, some Merchants may be required to take additional steps to ensure data security.
- Step 1 is to determine your Merchant Level and documentation requirements. If you have not already done so, please see the Merchant Levels Chart to determine which level your business falls under. Depending on your particular requirements, you may be asked to provide one or more of the following:
- Annual Onsite Security Audit Validation Documentation The Annual Onsite Security Audit is a detailed onsite examination of a Merchant's equipment, systems and networks (and their components) where Cardmember information is processed, stored, or transmitted
- Quarterly Network Scan Validation Documentation The Quarterly Network Scan is a process that tests a Merchant's internet-connected computer networks and web servers for potential weaknesses and vulnerabilities. This test is performed remotely and must be undertaken by a third party security assessor acceptable to American Express
- Annual Self assessment Questionnaire The PCI Data Security Standard Self-Assessment Questionnaire (SAQ) is a validation tool intended to assist merchants in self-evaluating their compliance with the Payment Card Industry Data Security Standard (PCI DSS). For more information on the Self-Assessment Questionnaire, please visit the PCI SSC website
- Step 2 Once you have completed your requirements, you should send your validation documentation on a compact disc, in the required formats, to the following address, as detailed in the Data Security Operating Policy.
American Express Payment Services Limited
GNO Data Security Unit
PO Box 54886
London, SW1W 0YW
Non-Compliance Fees and Termination of Card Acceptance Agreement
Merchants risk incurring fees for non-validation of compliance and potential termination of their American Express Card Acceptance Agreement if they do not comply with this policy.
Duty to Notify American Express
As a Merchant, if you know or suspect that Cardmember information has been accessed or used without authorisation you must, as detailed fully in the Data Security Operating Policy:
1. Notify American Express immediately
2. Work with American Express and auditors to conduct a thorough audit of the incident
3. Provide any and all information, and follow all instructions provided by American Express with regard to
If you believe that Cardmember information has been compromised, contact your Client Manager or call our Customer Services Team on 01273 675 533. You may also notify the American Express Enterprise Incident Response Program (EIRP) by filling out the Initial Notice Form and sending it via email to EIRP@aexp.com.
You can avoid additional costs from a data incident:
1. By notifying American Express immediately if you know or suspect your data has been compromised
2. By ensuring that you are in full compliance with the American Express Data Security Operating Policy
3. If the data incident was not caused by the wrongful conduct of you or one of your employees or agents