American Express - Hong Kong - Merchant - Manage Your Merchant Account - Data Security Operating Policies

Home | Personal | Business

Customer Service | Site Directory

Learn about Accepting the Card Manage Your Merchant Account Profit More from Your Relationship

Reconcile Payments and Resolve Disputes

Using a Terminal to Complete Transactions

Introducing Electronic Merchant Services

Review our Policies and Procedures

Data Security Operating Policies

General Standards

Additional Standards for Online Transactions

Reduce Fraud and Chargebacks

Learn about Online Merchant Services

Find Answers to Common Questions

American Express expects Merchants to take every precaution to protect Cardmember information at all times, including during online transactions.

In addition to the General Security Standards in Section I, the following additional requirements apply to Merchants that conduct (or intend to conduct) online transactions.


	Infrastructure Requirements


	When a Merchant processes Cardmember transactions online, the following security requirements must be implemented: Web site must be enabled with Secure Socket Layer 3.0, with 128-bit encryption.* American Express-certified POS device and/or methodology must be used to transmit all transaction data to American Express. Every Web transaction must be authorised using a unique Internet Merchant number and appropriate POS Data Code.


	Authentication Requirements


	Merchants must authenticate customers prior to payment submission. Merchants must follow authentication standards to protect Cardmember data such as: Establish time limits for consumer sessions. Prevent consumer access to secure data, following three failed log-on attempts. Establish safeguards to prevent employee access to Cardmember passwords. Set up administrative authority for resetting passwords, issuing temporary passwords and accessing payment data by restricting access to authorised employee groups and enabling the creation of audit trails. Monitor/track access and usage reporting. * Note: From January 1, 2003 a Merchant must store all Cardmember payment data using triple DES encryption. In addition, all data that is transmitted must utilise Secure Socket Layer 3.0 with 128-bit encryption. As technology and industry standards evolve, these security requirements may be amended to reflect continued technological advancement. Without limiting the generality of the foregoing, the Merchant shall take measures to secure and protect Cardmember payment data, including Card account information, against “hackersEand others who may seek to obtain or modify data without the consent of American Express or the Cardmember. Please review the general security standards for storing permissible data: General Security Standards

reasons to enrol for Automated Batch Submission Internet Options,simple, fast, safe

Online merchant services, fast & easy cash flow management, click for details now

View Web Site Rules and Regulations, Trademarks and Privacy Statement. Copyright © 2002 American Express Company. All Rights Reserved. Users of this site agree to be bound by the terms of the American Express Web Site Rules and Regulations. American Express (Thai) Company, Limited, S.P. Building, 388 Phaholyothin Road, Samsennai, Phayathai, Bangkok 10400, Thailand.