What is the Data Security Operating Policy? The Data Security Operating Policy is an American Express policy, with which all Merchants, Processors, and Service Providers that store, process or transmit American Express® Cardmember information must comply. This policy has been strengthened to reflect current business conditions, provides additional requirements to help safeguard Cardmember information, and aligns with the Payment Card Industry Data Security Standard (PCI Standard). The PCI Data Security Standard sets out a common set of technical requirements for safeguarding sensitive payment data which are applicable across the industry.
To whom does the Data Security Operating Policy apply? The Data Security Operating Policy applies to all entities (Merchants and Service Providers) that process, store or transmit Cardmember information. Its requirements apply to all equipment, systems, and networks on which American Express Cardmember information is processed, stored, or transmitted.
Why is the Data Security Operating Policy important to my business? Compromised data can have a negative impact on your business, other Merchants and card issuers. Even one incident can severely damage a company's reputation and its ability to conduct business effectively. Addressing this threat by implementing security operating procedures can make your customers feel more secure, and can enhance the reputation of your business.
Why should my business comply with the Data Security Operating Policy? The Data Security Operating Policy is a sound business practice and a requirement of American Express. By accepting American Express® Cards, you agree to be bound by the terms and conditions of our Card Acceptance Agreement, which includes data security requirements and mandates compliance with American Express policies and procedures.
What is the deadline for my business to be compliant? From January 2007 all American Express Merchants and Service Providers are required to comply with the Data Security Operating Policy. This policy introduces additional obligations based on your transaction volume, including a requirement to provide American Express with documentation that validates your compliance with the PCI Data Security Standard. This validation must be performed by a third-party security assessor acceptable to American Express. Validation documentation must be received by American Express no later than 31st March 2008. American Express has the right to assess non-compliance fees in accordance with the Data Security Operating Policy for your failure to provide the documentation by the applicable deadline.
Does the Data Security Operating Policy still apply to me if I do not store Cardmember information? Yes, the policy still applies to any of your equipment, systems, and networks that transmit or process Cardmember information.
Can a Merchant/Service Provider be considered compliant if it has outstanding non-compliance issues, but provides a remediation plan? We encourage Merchants and Service Providers to complete an initial review, develop a remediation plan, complete items on the remediation plan, and revalidate compliance of those outstanding items. This plan can be submitted to American Express for review until full compliance can be achieved. If American Express accepts the plan, in its sole discretion, it can choose not to impose the non-compliance fees for a Merchant's failure to provide the documentation validating its compliance with the PCI Data Security Standard. A Merchant may still remain liable for fraud as a result of a security compromise.
How does the Data Security Operating Policy compare to the PCI Data Security Standard? The PCI Data Security Standard is the technical foundation for the Data Security Operating Policy, allowing Merchants and Service Providers to comply with one set of data security technical standards. The Data Security Operating Policy defines the levels, requirements and validation deadline for American Express.
Where do I submit my documentation? Level 1 and Level 2 Merchants must submit the validation documentation described in the Data Security Operating Policy in a protected manner. The documents should be encrypted, placed on a compact disc and submitted to:
American Express Payments Europe, S.L.
GNO Data Security Unit
PO Box 54886
London, SW1W 0YW
United Kingdom
Email the encryption key and your 10-digit American Express Merchant number to: AmericanExpressDataSecurityemea@aexp.com
By what date should a Level 1 or Level 2 Merchant be compliant? Validation documentation must be received by American Express no later than 31st March 2008.
By what date should a Level 3 Merchant be compliant? Level 3 Merchants are not required to submit validation documentation to American Express, but nevertheless must comply with and are subject to liability under all other provisions of the Data Security Operating Policy. It is strongly recommended that Level 3 Merchants consider obtaining quarterly network scans.
I've been contacted by a company called Trustwave on behalf of American Express. I don't know who this Trustwave company is, and this sounds like a phishing scam. How do I know this isn't a scam? American Express has retained Trustwave to help us administer our Data Security Compliance Program. Trustwave is a leading provider of information security and compliance management solutions to merchants and service providers. We are glad you're checking up on this - we can assure you that this company is reputable and will adhere to all American Express privacy principles.
Can I use another company other than Trustwave to conduct the required assessment and/or scans? Yes. You may use any of the approved vendors listed at https://www.pcisecuritystandards.org/qsa_asv/find_one.shtml
If I used another company to conduct my scan, do I have to provide it to Trustwave? Yes, it will be necessary for you or your chosen authorised security vendor to submit this information to Trustwave (TW). TW has been contracted and authorised to collect this information on behalf of American Express.
May I submit my validation documentation directly to Trustwave? Yes, you may submit your validation documentation to Trustwave via our secure portal. Send an email to Trustwave at AmericanExpressCompliance@trustwave.com and request a customised link to the secure portal. Uploading your validation documentation is quick and easy.