Data Security For Merchants

What is a Service Provider?
Service Providers are third party organisations that provide services to Merchants and other users related to the processing of American Express transactions. Service Providers include Authorised Processors, Third Party Processors, Gateway Providers, and any other providers of point of sale equipment, software, or systems or other payment processing solutions or services.

Service Providers, like Merchants, must agree to the American Express Data Security Operating Policy and comply with the Payment Card Industry Data Security Standard.

Data Security Standard for Service Providers
Any business that transmits, processes or stores Cardmember information must take all possible precautions to protect their customers and themselves. Implementing the PCI Data Security Standard through compliance with the Data Security Operating Policy (DSOP) brings a higher level of confidence to your customers and your business.
View the American Express Data Security Operating Policy for Service Providers (PDF).
American Express, working as a member of the PCI Security Standards Council, has been instrumental in the development of the PCI Data Security Standard, which sets out the necessary steps to address the issue of Cardmember security.
View the Payment Card Industry Data Security Standard.

Compliance Requirements for Service Providers
All Service Providers are required to adhere to the American Express Data Security Operating Policy, including compliance with the Payment Card Industry Data Security Standard.
Step 1
In addition, Service Providers must complete the following two validation steps, one annually and one quarterly:

Annual Onsite Security Audit Validation Documentation
The Annual Onsite Security Audit is a detailed onsite examination of a Service Provider's equipment, systems, and networks (and their components) where Cardmember information is processed, stored, or transmitted.

Quarterly Network Scan Validation Documentation
The Quarterly Network Scan is a process that tests a Service Provider's internet-connected computer networks and web servers for potential weaknesses and vulnerabilities. This test is performed remotely, and must be undertaken by a third party security assessor acceptable to American Express.

Step 2
Once you have completed your requirements, you should send your validation documentation on a compact disc, in the required formats, to the following address, as detailed in the Data Security Operating Policy.
American Express Payment Services Limited
GNO Data Security Unit
PO Box 54886
London, SW1W 0YW
United Kingdom

Non-Compliance Fees and Termination of Card Acceptance Agreement
Service Providers risk incurring fees for non-validation of compliance and potential termination of their American Express Card Acceptance Agreement if they do not comply with this policy.

Disclaimer
Except as otherwise specified in this policy, a Service Provider's compliance with the Data Security Operating Policy shall not in any way relieve its indemnity obligations to American Express under its agreement with American Express, nor relieve or decrease its liability in any way. Service Providers are responsible at their sole expense for providing additional data security measures that they deem necessary to protect their particular data and interests. American Express does not in any way represent or warrant that the measures contained in such agreement or this policy are sufficient or adequate to protect Service Provider's particular data and interests.
AMERICAN EXPRESS HEREBY DISCLAIMS ANY AND ALL REPRESENTATIONS, WARRANTIES, AND LIABILITIES WITH RESPECT TO THIS DATA SECURITY OPERATING POLICY, THE PCI STANDARD, AND THE DESIGNATION AND PERFORMANCE OF THIRD PARTY SECURITY ASSESSORS, WHETHER EXPRESSED, IMPLIED, STATUTORY, OR OTHERWISE, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Duty to Notify American Express
As a Service Provider, if you know or suspect that Cardmember information has been accessed or used without authorisation you must, as detailed fully in the Data Security Operating Policy:

1. Notify American Express immediately

2. Work with American Express and auditors to conduct a thorough audit of the incident

3. Provide any and all information, and follow all instructions provided by American Express with regard to the incident

If you believe that Cardmember information has been compromised, contact your Third Party Processor Relationship Manager or call our Customer Services Team on 0800 032 7216.
You can avoid additional costs from a data incident if:

1. You notify American Express immediately when you know or suspect that your data has been compromised

2. You are in full compliance with the American Express Data Security Operating Policy

3. The data incident was not caused by the wrongful conduct of you or one of your employees or agents