Frequently Asked Questions
 

Here are the answers to some of our merchants' most frequently asked questions.


 
FAQs - Answers
 

What is the Data Security Operating Policy?
The Data Security Operating Policy is an American Express policy, first implemented in 2002, with which all merchants, processors, and service providers that store, process or transmit American Express® Cardmember information must comply. The latest version of this policy has been strengthened to reflect current business conditions, adds requirements to help safeguard Cardmember information, and aligns with the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS sets out a common set of technical requirements for safeguarding sensitive payment data that applies across the industry.


To whom does the Data Security Operating Policy apply?
The Data Security Operating Policy applies to all merchants and service providers that process, store, or transmit American Express® Cardmember information. Its requirements apply to all of their equipment, systems, and networks on which this information is processed, stored, or transmitted.


Why is the Data Security Operating Policy important to my business?
The Data Security Operating Policy is a sound business practice and a requirement of American Express. Compromised data harms consumers, merchants, and card issuers, and even one incident can severely damage a company's reputation and its ability to conduct business. Implementing the Data Security Operating Policy helps build customer trust and can improve profitability as well as a company's reputation. American Express knows that you share our concern and requires, as part of your responsibilities, that you comply with the data security provisions in your agreement to accept the American Express® Card ("Agreement") and with the Data Security Operating Policy.


Does the Data Security Operating Policy still apply to me if I do not store Cardmember information?
Yes. Storage is only one of the three activities that bring a system into scope. The Data Security Operating Policy applies to all of your equipment, systems, and networks on which Cardmember Information is stored, processed, or transmitted, so a system that only processes or transmits Cardmember Information without ever storing it is still covered.


Can a merchant/service provider be considered compliant if it has outstanding non-compliance issues?
Please refer to Data Security Operating Policy Section 4, Merchants Not Compliant with PCI DSS, for detailed information pertaining to this situation.


How does the Data Security Operating Policy compare to the PCI Data Security Standard?
The PCI Data Security Standard is the technical foundation for the Data Security Operating Policy, allowing merchants to comply with one set of data security controls for all payment brands. What the Data Security Operating Policy adds on top of the PCI DSS is the American Express program itself: it defines the merchant levels, validation requirements and deadlines that apply to American Express acceptance. Each payment card network defines its own merchant levels, validation requirements and deadlines, so the technical controls are shared across brands but the validation program is not.


Who should I contact if I have questions about the American Express Data Security Operating Policy?
American Express has retained Trustwave to administer our Data Security Compliance Program. Trustwave is a leading provider of information security and compliance management solutions to merchants and service providers. Please contact them with any questions at: AmericanExpressCompliance@trustwave.com or 1-866-659-9016.


If my business doesn't accept credit card payments through its website, is there any point for me to do a scan?
Yes. The scanning requirement is not limited to websites that accept card payments. Any active, outward-facing (externally reachable) IP address associated with the network in which credit card processing occurs is in scope for the quarterly network scan, regardless of whether the host at that address serves a website or takes payments. If you have such an address, you must have a scan performed.


Will I be notified of my compliance status by American Express?
American Express will notify you of your compliance status. If you have submitted acceptable documents, no further action is required until the next quarterly network scan is due.
