If you accept American Express (Amex) credit cards in your business, you need to meet certain requirements meant to protect your customers and your business.
They’re designed to protect cardholder data. Doing so can improve customer relationships and your profitability, and it helps prevent a costly security breach and the resulting damage to your business reputation.
There are a few steps to meeting these requirements, which we’ll go over in this article.
- Make Sure You Are PCI Compliant
- Determine Your Merchant Level with Amex
- Complete the Required Steps and Documentation
- Submit Your Information to Amex
- Useful Resources and Further Information
Make Sure You Are PCI Compliant
PCI DSS is an agreed-upon set of standards to protect cardholders, businesses, networks, service providers, and card issuers. PCI DSS involves meeting 12 requirements across 6 different areas. It’s essential that you’re compliant with PCI DSS before you go on to the next step, so if you’re not familiar with it already, be sure to read up on PCI compliance.
Determine Your Merchant Level with Amex
Once you’re compliant with PCI DSS, you’ll need to find your merchant level with Amex. The higher your merchant level, the more proof of compliance you’ll need to provide. Find your merchant level as follows:
- Level 1 Merchant – You’re a level 1 merchant if you process more than 2.5 million Amex transactions a year. Amex can also classify you as a level 1 merchant if your business has suffered a data breach that impacted Amex cardholder data.
- Level 2 Merchant – You’re a level 2 merchant if you process between 50,000 and 2.5 million Amex transactions a year.
- Level 3 Designated Merchant – You’re a level 3 designated merchant if you process fewer than 50,000 Amex transactions a year and Amex has decided you are a “designated” merchant. Amex will contact you if that’s the case.
- Level 3 Merchant – You’re a level 3 merchant if you process between 10,000 and 50,000 Amex transactions a year.
- Level 4 Merchant – You’re a level 4 merchant if you process fewer than 10,000 Amex transactions a year.
Note that in the past, American Express has also referred to “Level EMV Merchants,” which are those that process more than 50,000 Amex transactions per year with at least 75% going through an EMV chip card terminal. These EMV merchant requirements were in addition to requirements for other levels. However, at the time of this update, the Level EMV merchant category is not listed in Amex’s merchant levels on its website. If we are able to confirm with Amex that this still exists, we will update this article. For now, we are leaving references to it for historical purposes.
Complete the Required Steps and Documentation
You’ll need to meet certain requirements and file paperwork depending on your merchant level. The requirements were listed in a table, with links below it providing more information about each requirement; only the table’s column headings survive here. The requirement types it covered are:
- Report on Compliance
- Qualified Security Assessor
- Attestation of Compliance
- Self-Assessment Questionnaire
- Approved Scan Vendor
Once you know what you need to do, you’ll need to contact an approved vendor to carry out the requirements and go through the validation process.
Note: EMV merchant requirements are in addition to any other merchant requirements.
Failure to complete the EMV attestation may result in non-validation fees. Your processor may also impose EMV non-compliance fees.
Submit Your Information to Amex
You can submit your required documents to Amex via Trustwave, which administers Amex’s Data Security Compliance Program. You can contact Trustwave and submit information as follows:
- Submit via secure portal – Log in with your user ID at trustwave.com.
- Submit via secure fax – Fax your validation documentation to +1 (312) 276-4019.
You will need to provide:
- Your DBA (Doing Business As) name.
- The name, address, and phone number of your data security contact.
- Your 10-digit American Express merchant number (if applicable).
Useful Resources and Further Information
- Training courses and resources on PCI DSS.
- Complete information on PCI DSS.
- American Express Data Security Operating Policy website.