American Express - Thailand - Merchant Services - Manage Your Merchant Account - Data Security Operating Policies

Home | Personal | Business

Customer Service | Site Directory

Learn about Accepting the Card Manage Your Merchant Account Profit More from Your Relationship

Reconcile Payments and Resolve Disputes

Using a Terminal to Complete Transactions

Introducing Electronic Merchant Services

Review our Policies and Procedures

Data Security Operating Policies

General Standards

Additional Standards for Online Transactions

Reduce Fraud and Chargebacks

Learn about Online Merchant Services

Find Answers to Common Questions

A Merchant may store the following data, for processing future transactions:

Card number
Card expiration date

General Security Standard requirements for storing permissible data are described below.


	Notification Duty to American Express


	A joint effort by American Express and Merchants to prevent / limit damage and liability from potential data compromise or attack requires that certain responsibilities be assigned. If a Merchant stores American Express payment information, they are obligated to notify us immediately if that data is (or may be) compromised. In addition, the Merchant is expected to act in good faith and work with American Express to rectify any issues that may result. American Express is your partner in resolving these issues and will respect your request for confidentiality. By working together, we can help strengthen consumer faith in our businesses and continue to fortify the bottom lines of our companies. Please contact your Client Manager or call 1300 36 36 14, if you believe that payment data may be compromised.


	Failure to Notify


	In the event that the Merchant fails to notify American Express immediately, they may be liable for the dollar amount of any or all fraudulent transactions that occur on American Express Cards. American Express can identify Cards that are compromised at the Merchant’s site, through common point of purchase techniques.


	Do’s for Data Storage


	Disclosure Establish a company privacy policy that explains the security measures your company has put in place to protect Cardmember transaction data. Firewalls Employ internal and external firewalls to prevent intrusions from the Internet and from within your organisation. Encryption Encrypt all stored payment data using triple DES encryption.* Audits Be prepared to provide audit reports to American Express, or allow American Express audits. Employee Access/Passwords Assign employee access to payment data on a need-to-know basis. Issue a unique ID to each person with computer access to payment data. Maintain the ability to track employee access to payment data, by using unique IDs. Change employee passwords, regularly. Systems Routinely test internal security systems and processes. Annual certification of systems and processes by a third party Security Evaluation Company is preferred. Maintain physical building and premise access security. Restrict physical access to Cardmember payment data.


	Dont’s for Data Storage


	Never store payment data on a Web server or cache anywhere in memory related to a Web server. Payment data may only be stored in a separate database, with at least one external firewall. Never store the Card Identification (CID) number. (A CID may be maintained on your systems for up to 10 minutes, in order to process a Cardmember payment.) Never use Cardmember payment data for any purpose other than processing future transactions. * Note: From January 1, 2003 a Merchant must store all Cardmember payment data using triple DES encryption. In addition, all data that is transmitted must utilise Secure Socket Layer 3.0 with 128-bit encryption. As technology and industry standards evolve, these security requirements may be amended to reflect continued technological advancement. Without limiting the generality of the foregoing, the Merchant shall take measures to secure and protect Cardmember payment data, including Card account information, against “hackersEand others who may seek to obtain or modify data without the consent of American Express or the Cardmember. Please review the additional security requirements for online transactions: Additional Security Standards for Conducting Online Transactions

reasons to enrol for Automated Batch Submission Internet Options,simple, fast, safe

Online merchant services, fast & easy cash flow management, click for details now

View Web Site Rules and Regulations, Trademarks and Privacy Statement. Copyright © 2002 American Express Company. All Rights Reserved. Users of this site agree to be bound by the terms of the American Express Web Site Rules and Regulations. American Express (Thai) Company, Limited, S.P. Building, 388 Phaholyothin Road, Samsennai, Phayathai, Bangkok 10400, Thailand.