American Express Data Security Standard

American Express requires that all of their merchants conform to a set of security standards in order to accept payments. These standards lay out rules for secure data storage and details methods used to ensure the privacy of transactions. Read on to find out how NGSSoftware's suite of security audit software can help your company to achieve and maintain compliance with the American Express Data Security Standard.

General Requirements:

"Employ internal and external firewalls to prevent intrusions from the internet and from within your own organization."

The pen-testing features of Typhon III and the NGSSQuirreL family of database scanners ensure the correct deployment of firewalls within the enterprise.

"Assign employee access to payment data on a need-to-know basis."

They also allow checking of password lifetimes, test for users with unnecessary access to data, and fulfil the requirements for routine tests of internal security systems and processes.

NGSSQuirreL will verify that any database servers are internally well configured and secure. Checks that thorough auditing is enabled, and that the systems are free of backdoors or other signs of compromise, cover the American Express notification requirement.

Online Security Requirements:

Typhon III will make sure that sufficient encryption (SSL 3) is enabled on customer facing web servers. The application testing features of Typhon can confirm that client web applications are free of vulnerabilities such as SQL injection and cross-site scripting.