What is the Data Security Operating Policy?
The Data Security Operating Policy is an American Express policy, first implemented in 2002, with which all merchants, processors, and service providers that store, process or transmit American Express® Cardmember information must comply. The latest version of this policy has been strengthened to reflect current business conditions, provides additional requirements to help safeguard Cardmember information, and aligns with the Payment Card Industry Data Security Standard (PCI Standard). The PCI Data Security Standard sets out a common set of technical requirements for safeguarding sensitive payment data applicable across the industry.
To whom does the Data Security Operating Policy apply?
The Data Security Operating Policy applies to all merchants and service providers that process, store, or transmit American Express® Cardmember information. Its requirements apply to all of their equipment, systems, and networks on which this information is processed, stored, or transmitted.
Why is the Data Security Operating Policy important to my business?
The Data Security Operating Policy is a sound business practice and a requirement of American Express. Compromised data negatively impacts consumers, merchants, and card issuers. Even one incident can severely damage a company's reputation and its ability to effectively conduct business. Addressing this threat by implementing the Data Security Operating Policy helps improve customer trust, and has the potential to increase profitability as well as enhance a company's reputation. American Express knows that you share our concern and requires, as part of your responsibilities, that you comply with the data security provisions in your agreement to accept the American Express® Card ("Agreement") and the Data Security Operating Policy.
Does the Data Security Operating Policy still apply to me if I do not store Cardmember information?
The Data Security Operating Policy applies to all your equipment, systems, and networks on which Cardmember information is stored, processed, or transmitted.
Can a merchant/service provider be considered compliant if it has outstanding non-compliance issues?
Please refer to Data Security Operating Policy Section 4, Merchants Not Compliant with PCI DSS, for detailed information pertaining to this situation.
How does the Data Security Operating Policy compare to the PCI Data Security Standard?
The PCI Data Security Standard is the technical foundation for the Data Security Operating Policy, allowing merchants to comply with one set of data security standards for all payment brands. The Data Security Operating Policy defines the merchant levels, validation requirements and deadlines. Each payment card network defines its own merchant levels, validation requirements and deadlines.
Who should I contact if I have questions about the American Express Data Security Operating Policy?
American Express has retained Trustwave to administer our Data Security Compliance Program. Trustwave is a leading provider of information security and compliance management solutions to merchants and service providers. Please contact them with any questions at: AmericanExpressCompliance@trustwave.com or 1-866-659-9016.
If my business doesn't accept credit card payments through its website, is there any point in having a scan performed?
If you have an outward-facing and active IP address, then you must have a scan performed. Any outward-facing and active IP addresses that are associated with the network in which credit card processing occurs are in scope for scanning.
Will I be notified of my compliance status by American Express?
American Express will notify you of your compliance status. If you have submitted acceptable documents, no further action is required until the next quarterly network scan is due.