What is the Data Security Operating Policy?
The Data Security Operating Policy is an American Express policy, first implemented in 2002, with which all Merchants, processors, and service providers that store, process or transmit American Express Cardmember information must comply. The latest version of this policy has been modified to reflect current business conditions, provides additional requirements to help safeguard Cardmember information, and aligns with the Payment Card Industry Data Security Standard (PCI Standard). The PCI Data Security Standard sets out a common set of technical requirements for safeguarding sensitive payment data applicable across the industry.
Does the Data Security Operating Policy apply to me?
Yes. The Data Security Operating Policy applies to all Merchants and service providers that process, store, or transmit American Express Cardmember information. Its requirements apply to all of your equipment, systems, and networks on which this information is processed, stored, or transmitted.
Does the Data Security Operating Policy still apply to me if I do not store Cardmember information?
The Data Security Operating Policy applies to all your equipment, systems, and networks on which Cardmember Information is stored, processed, or transmitted.
Why is the Data Security Operating Policy important to my business?
The Data Security Operating Policy is a sound business practice and a requirement of American Express. Compromised data negatively impacts consumers, Merchants, and Card issuers. Even one incident can severely damage your business's reputation and its ability to conduct business effectively. Addressing this threat by implementing the Data Security Operating Policy helps improve customer trust in your business. American Express knows that you share our concern and requires, as part of your responsibilities, that you comply with the data security provisions in your American Express Card Acceptance Agreement ("Agreement") and the Data Security Operating Policy.
Can I be considered compliant if I have outstanding non-compliance issues?
Please refer to Data Security Operating Policy Section 4, Merchants Not Compliant with PCI DSS, for detailed information pertaining to this situation.
How does the Data Security Operating Policy compare to the PCI Data Security Standard?
The PCI Data Security Standard is the technical foundation for the Data Security Operating Policy, allowing you to comply with one set of data security standards for all payment brands. The Data Security Operating Policy defines the Merchant levels, validation requirements and deadlines. Each payment Card network defines its own Merchant levels, validation requirements and deadlines.
If my business doesn't accept Card payments through its website, is there any point for me to do a scan?
If you have an outward-facing and active IP address, then you must have a scan performed. Any outward-facing and active IP addresses that are associated with the network in which Card processing occurs are in scope for scanning.
How do I know my compliance status with American Express?
American Express will be notifying you of your compliance status. If you have submitted acceptable documents, no further action will be required until the next quarterly network scan is due.
Who should I contact if I have questions about the American Express Data Security Operating Policy?
American Express has retained Trustwave to administer our Data Security Compliance Program. Trustwave is a leading provider of information security and compliance management solutions to Merchants and service providers. Please contact them with any questions via email at AmericanExpressCompliance@trustwave.com or call at 1-866-659-9016.
How can I access a copy of the American Express Data Security Operating Policy?
You can view the Data Security Operating Policy here.