American Express has defined the Do's and Don'ts for data security described below, and requires its merchants to follow them in order to stay in compliance with the standard it has set forth.
Do's for Data Storage
- Encrypt all stored payment data using Triple DES encryption. (Triple DES has since been deprecated by NIST, which disallows it for encrypting new data after 2023; a current implementation should use AES.)
Employee access / Passwords
- Assign employee access to payment data on a need-to-know basis
- Assign a unique ID to each person with computer access to payment data
- Maintain the ability to track employee access to payment data through the use of unique IDs
- Change employee passwords regularly
- Ensure the employee security policy is understood by all your employees
- Require two-person control to access encrypted data systems
- Routinely test internal security systems and processes. Quarterly certification of systems and processes by a third-party security evaluation company is preferred. As a convenience, American Express has negotiated a free, one-time website security test for our online merchants.
- Maintain physical building and premise-access security
- Restrict physical access to Cardmember payment data
Audits
- Be prepared to provide audit reports to American Express or allow American Express audits
Don'ts for Data Storage
- Never store payment data on a web server, or cache it anywhere in memory belonging to a web server. Payment data may only be stored in a separate, secure database behind at least one external firewall.
- Never store Card Identification (CID) information. (A CID may be held on your systems only for as long as it takes to obtain authorization for a Cardmember payment.)
- Never use Cardmember payment data for any purpose other than processing future transactions
- Never store track data from the magnetic stripe on the back of the Card
Notification Duties
If you store American Express® payment information, you are obligated to notify us immediately if that data is (or may have been) compromised. In addition, you are expected to act in good faith and work with American Express to rectify any issues that result from the compromise. American Express is your partner in resolving these issues and will respect your request for confidentiality. By working together, we can help strengthen customer faith in our businesses and continue to fortify the relationship between our companies.
Please contact your Client Manager or call American Express at 1-800-528-5200 if you believe that payment data may have been compromised.
Failure to notify
In the event that you fail to immediately notify American Express of a security compromise, you will be responsible for (i) all fraudulent transactions related to the compromise and (ii) all costs American Express incurs in resolving the resulting illegal activity.
American Express can identify Cards that were compromised at a merchant's site through common point of purchase (CPP) analysis, which correlates Cards later used fraudulently by the merchants at which they were all previously used.
Storage of Cardholder Info
- Website must be enabled with Secure Sockets Layer (SSL) 3.0 with 128-bit encryption. (SSL 3.0 has since been broken and formally deprecated by RFC 7568, and current PCI DSS requirements prohibit it; use TLS 1.2 or later.)
- An American Express-certified POS device and/or methodology should be used to transmit all transaction information to American Express.
- Every online transaction must be authorized using a unique Internet SE number and the appropriate POS Data Code.
- Establish time limits for consumer sessions
- Lock customers out of secure data following three failed log-on attempts
- Establish safeguards to prevent employee access to Cardmember passwords
- Set up administrative authority for resetting passwords, issuing temporary passwords, and accessing payment information by restricting these functions to authorized employee groups and enabling the creation of audit trails
- Monitor and track access, and report on usage
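The log-on controls in the list above (lockout after three failed attempts, a time limit on consumer sessions, password-reset authority restricted to an authorized employee group, and an audit trail of every access decision) can be shown together in one small access gate. The following is an added example written for this page, not American Express code or any merchant tool; the class and event names, the 15-minute session limit and the use of salted PBKDF2 for password storage are assumptions made for the example.

```python
# Added example, not American Express code: a minimal log-on gate enforcing the
# controls listed above. Names and the 15-minute session limit are assumptions.
import hashlib
import hmac
import os
import secrets
import time
from typing import Callable, Dict, List, Optional, Set, Tuple

MAX_FAILED_ATTEMPTS = 3        # lock the account after three failed log-on attempts
SESSION_TTL_SECONDS = 15 * 60  # assumed consumer session time limit

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256, so no employee can read a Cardmember password."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

class AccessGate:
    def __init__(self, admins: Set[str], clock: Callable[[], float] = time.monotonic):
        self._clock = clock                  # injectable so expiry can be demonstrated
        self._admins = set(admins)           # the authorized employee group
        self._users: Dict[str, Tuple[bytes, bytes]] = {}
        self._failures: Dict[str, int] = {}
        self._locked: Set[str] = set()
        self._sessions: Dict[str, Tuple[str, float]] = {}
        self.audit_log: List[Tuple[float, str, str, str]] = []  # (time, actor, event, subject)
        self._dummy = hash_password(secrets.token_hex(16))      # unknown IDs cost the same time

    def _audit(self, actor: str, event: str, subject: str) -> None:
        self.audit_log.append((self._clock(), actor, event, subject))

    def add_user(self, user_id: str, password: str) -> None:
        self._users[user_id] = hash_password(password)

    def is_locked(self, user_id: str) -> bool:
        return user_id in self._locked

    def login(self, user_id: str, password: str) -> Optional[str]:
        # Returns a session token on success, None on failure or while the account is locked.
        if user_id in self._locked:
            self._audit(user_id, "login_rejected_locked", user_id)
            return None
        salt, digest = self._users.get(user_id, self._dummy)
        _, candidate = hash_password(password, salt)
        if not (hmac.compare_digest(candidate, digest) and user_id in self._users):
            self._failures[user_id] = self._failures.get(user_id, 0) + 1
            self._audit(user_id, "login_failed", user_id)
            if self._failures[user_id] >= MAX_FAILED_ATTEMPTS:
                self._locked.add(user_id)
                self._audit("system", "account_locked", user_id)
            return None
        self._failures[user_id] = 0
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user_id, self._clock() + SESSION_TTL_SECONDS)
        self._audit(user_id, "login_ok", user_id)
        return token

    def check_session(self, token: str) -> Optional[str]:
        # Returns the user bound to a live session, or None if unknown or past its time limit.
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._clock() >= expires_at:
            del self._sessions[token]
            self._audit(user_id, "session_expired", user_id)
            return None
        return user_id

    def admin_reset_password(self, admin_id: str, user_id: str, new_password: str) -> None:
        # Only the authorized employee group may reset passwords; every attempt is audited.
        if admin_id not in self._admins:
            self._audit(admin_id, "password_reset_denied", user_id)
            raise PermissionError(f"{admin_id} may not reset passwords")
        self._users[user_id] = hash_password(new_password)
        self._failures.pop(user_id, None)
        self._locked.discard(user_id)
        self._audit(admin_id, "password_reset", user_id)

def demo() -> Dict[str, object]:
    now = [0.0]                                                  # controllable demo clock
    gate = AccessGate(admins={"emp-admin-1"}, clock=lambda: now[0])
    gate.add_user("cust-42", "correct horse battery")
    for _ in range(MAX_FAILED_ATTEMPTS):
        gate.login("cust-42", "wrong password")
    r: Dict[str, object] = {"locked_after_three": gate.is_locked("cust-42"), "clerk_denied": False}
    r["locked_rejects_good_password"] = gate.login("cust-42", "correct horse battery") is None
    try:
        gate.admin_reset_password("emp-clerk-7", "cust-42", "x")  # clerk is not in the admin group
    except PermissionError:
        r["clerk_denied"] = True
    gate.admin_reset_password("emp-admin-1", "cust-42", "new passphrase 9")
    token = gate.login("cust-42", "new passphrase 9")
    r["session_user"] = gate.check_session(token)
    now[0] += SESSION_TTL_SECONDS + 1                           # the session time limit passes
    r["expired_session_user"] = gate.check_session(token)
    r["events"] = [event for _, _, event, _ in gate.audit_log]
    return r
```

Two design points carry the weight here: the lockout is checked before the password is hashed, so a locked account rejects even the correct password until an authorized administrator resets it, and every decision (failure, lock, denied reset, expiry) lands in the same audit list keyed by the actor's unique ID, which is what makes the "track employee access" requirement auditable rather than aspirational.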
Do not store the following under any circumstances:
- The full contents of any track from the magnetic stripe on the back of the card.
- The card-validation code: the three-digit value printed on the signature panel of a MasterCard®, Visa®, Discover® Card, JCB® or Diners Club® card, and the four-digit code printed on the front of an American Express® card.
Store only the portion of the customer's account information that is essential to your business, i.e. name, account number or expiration date. Store all material containing this information (e.g. authorization logs, transaction reports, transaction receipts, car rental agreements and carbons) in a secure area limited to authorized personnel. Destroy or purge all media containing obsolete transaction data with cardholder information.
Use of Agents or Third Parties
- Agents or third parties may include vendors, processors, software providers, payment gateways, or other service providers.
- Advise each merchant bank or processing contact (representing each of your card brands) of any agents that engage in, or propose to engage in, the processing or storage of transaction data on your behalf, regardless of the manner or duration of such activities.
- Make sure these agents adhere to all rules and regulations governing cardholder information security. A violation by your agent may result in unnecessary financial exposure and inconvenience to your business.
Reporting a Security Incident
- In the event that transaction data is accessed or retrieved by any unauthorized entity, notify the merchant bank or processing contact for each card brand immediately.
- This report will not only minimize risk to the payment system, but also protect your customers in the most responsible manner. Systems and procedures are in place to immediately stop the unauthorized use of compromised data, but they are effective only when you do your part and promptly report a security incident.
Fraud Prevention: Record of Charge Truncation
On December 4, 2003, President George W. Bush signed a federal law that preempts existing state laws requiring truncation of account numbers on customer receipts, thereby creating a uniform national standard. This legislation, the Fair and Accurate Credit Transactions Act of 2003 (FACTA), provides (among many other things) that "no person accepting credit cards or debit cards for the transaction of business shall print more than the last 5 digits of the card number or the expiration date upon any receipt provided to the cardholder at the point of sale or transaction."
Impact to Your Business
This requirement applies only to receipts that are electronically printed, and does not apply to transactions in which the sole means of recording a credit or debit card account number is by handwriting or by an imprint or copy of the card. Equipment first put into use on or after January 1, 2005 must comply with this requirement, and equipment in use before that date must become compliant by December 4, 2006.
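The storage prohibitions earlier on this page (never store track data or the card-validation code; keep only name, account number and expiration date) and the FACTA receipt-truncation rule above are enforced at the same point in practice: wherever the application takes the raw authorization result and decides what to write to the database and what to print. The following is an added example for this page, not American Express code or any of its merchant tools; the field names, the constructed sample record, the track-data patterns and the choice of printing the last four digits are all assumptions, and the sample account number is a Luhn-valid test value, not a real card.

```python
# Added example, not American Express code: data-minimization helpers for the
# storage rules and the FACTA receipt-truncation rule. Field names, regexes and
# the sample record are assumptions; the PAN is a Luhn-valid sample, not a real card.
import re
from typing import Any, Dict, List

# What a merchant may keep (name, account number, expiration date) plus non-card
# business fields. Anything not listed is dropped before storage.
ALLOWED_FIELDS = {"cardholder_name", "pan", "expiry_mmyy", "auth_code", "amount", "notes"}

# Fields that must never reach storage, whatever a terminal or gateway calls them.
PROHIBITED_FIELDS = {"cid", "cvv", "cvv2", "cvc2", "track1", "track2", "pin", "pin_block"}

# Magnetic-stripe layouts (ISO 7813): Track 1 is %B<PAN>^<NAME>^<YYMM>...?
# and Track 2 is ;<PAN>=<YYMM>...?  Used to catch track data that leaked into free text.
TRACK1_RE = re.compile(r"%B\d{12,19}\^[^^]{2,26}\^\d{4}[^?]*\?")
TRACK2_RE = re.compile(r";\d{12,19}=\d{4}[^?]*\?")

# Constructed sample of what a checkout or terminal might hand back after authorization.
SAMPLE_AUTH_RESULT: Dict[str, Any] = {
    "cardholder_name": "JANE Q SAMPLE",
    "pan": "371449635398431",
    "expiry_mmyy": "1229",
    "cid": "1234",                                           # must never be stored
    "track2": ";371449635398431=29121011234500000?",         # must never be stored
    "auth_code": "A1B2C3",
    "amount": "42.17",
    "notes": "swipe retry: %B371449635398431^SAMPLE/JANE Q^29121011234500000?",
}

def contains_track_data(text: str) -> bool:
    """True if a string carries raw Track 1 or Track 2 magnetic-stripe data."""
    return bool(TRACK1_RE.search(text) or TRACK2_RE.search(text))

def sanitize_for_storage(record: Dict[str, Any]) -> Dict[str, Any]:
    """Return the subset of a record that may be stored (encryption is the caller's job).

    Prohibited and unknown fields are dropped outright; track data that leaked
    into free-text fields is redacted rather than written to the database.
    """
    clean: Dict[str, Any] = {}
    for key, value in record.items():
        if key in PROHIBITED_FIELDS or key not in ALLOWED_FIELDS:
            continue
        if isinstance(value, str):
            value = TRACK1_RE.sub("[TRACK DATA REMOVED]", value)
            value = TRACK2_RE.sub("[TRACK DATA REMOVED]", value)
        clean[key] = value
    return clean

def mask_pan_for_receipt(pan: str, visible: int = 4) -> str:
    """Mask an account number for an electronically printed receipt.

    FACTA permits at most the last 5 digits; the default of 4 is what most
    terminals print. The expiration date is never part of the output.
    """
    if not 1 <= visible <= 5:
        raise ValueError("FACTA allows no more than the last 5 digits on a receipt")
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - visible) + digits[-visible:]

def receipt_lines(record: Dict[str, Any]) -> List[str]:
    """Card-related receipt lines: masked account number, no expiry, no CID."""
    return [
        f"ACCOUNT: {mask_pan_for_receipt(record['pan'])}",
        f"AUTH:    {record['auth_code']}",
        f"AMOUNT:  {record['amount']}",
    ]
```

The allowlist is deliberate: a denylist of field names misses the next gateway that calls the code "cvn", while an allowlist drops anything the business has not explicitly justified keeping. The regex scrub matters because track data most often survives not in a field named "track2" but pasted into a note or log line by a retry handler.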
American Express Response
American Express actively promotes the protection of Cardmember information, as well as other fraud prevention measures. Although merchants are liable for ensuring they comply with this law, American Express encourages and will support merchants in their efforts to become compliant as it applies to American Express transactions and/or products.
Secure Auditor™ helps you stay in compliance by running tests that probe for software vulnerabilities and for issues related to change management. Its database of known vulnerabilities is kept up to date and is used to check your operational systems for security-related issues. Each audit is presented as a comprehensive report with an executive summary, which helps your organization stay in compliance with the American Express requirements.
VISA E-Commerce Merchants Guide to Risk Management Tools and Best Practices for Building a Secure Internet Business