American Express Data Security Operating Policy
If you accept American Express (Amex) cards in your business, you must meet the requirements of the Amex Data Security Operating Policy (DSOP). These requirements exist to protect cardholder data, which in turn protects your customers and your business: a breach is costly, damages your reputation, and hurts customer relationships and profitability. Meeting the policy takes a few steps, which we’ll go over in this article.
- Make Sure You Are PCI Compliant
- Determine Your Merchant Level with Amex
- Complete the Required Steps and Documentation
- Submit Your Information to Amex
- Useful Resources and Further Information
Make Sure You Are PCI Compliant
PCI DSS (the Payment Card Industry Data Security Standard) is the industry standard for protecting cardholder data, and it applies to every organization that stores, processes, or transmits that data: merchants, service providers, payment networks, and card issuers. It consists of 12 requirements grouped under 6 control objectives. You must be compliant with PCI DSS before you go on to the next step, so if you’re not familiar with it already, be sure to read up on PCI compliance.
Determine Your Merchant Level with Amex
Once you’re compliant with PCI DSS, you’ll need to find your merchant level with Amex. Levels are based on your annual Amex transaction volume: the more transactions you process (Level 1 being the highest-volume level), the more proof of compliance you’ll need to provide. Find your merchant level as follows:
- Level 1 Merchant - You’re a Level 1 merchant if you process more than 2.5 million Amex transactions a year. Amex can also classify you as Level 1 regardless of volume, for example if your business has suffered a data breach that involved Amex cardholder data.
- Level 2 Merchant - You’re a Level 2 merchant if you process between 50,000 and 2.5 million Amex transactions a year.
- Level 3 Designated Merchant - You’re a Level 3 designated merchant if you process fewer than 50,000 Amex transactions a year and Amex has decided you are a “designated” merchant. Amex will contact you if that’s the case.
- Level 3 Merchant - You’re a Level 3 merchant if you process fewer than 50,000 Amex transactions a year.
- Level EMV Merchant - You’re a Level EMV merchant if you process more than 50,000 Amex transactions a year and at least 75% of those transactions are processed through an EMV-enabled terminal, that is, hardware capable of processing chip (contact) and contactless Amex transactions.
Note that EMV merchant requirements are in addition to any requirements listed for other levels.
Complete the Required Steps and Documentation
You’ll need to meet certain requirements and file paperwork depending on your merchant level. The requirements for each level are listed in the table, and the links below the table provide more information about each requirement.
Once you know what you need to do, you’ll need to engage a PCI SSC-approved vendor (a Qualified Security Assessor for an on-site assessment, or an Approved Scanning Vendor for network vulnerability scans, depending on what your level requires) to carry out the requirements and go through the validation process.
Remember that EMV merchant requirements are in addition to any other merchant requirements.
Failure to complete the EMV attestation may result in non-validation fees from Amex, and your processor may also impose its own EMV non-compliance fees.
Submit Your Information to Amex
You submit your required documents to Trustwave, which administers Amex’s Data Security Compliance Program on Amex’s behalf. You can contact Trustwave and submit your documentation in either of two ways:
- Submit via secure portal - Log in with your user ID at trustwave.com.
- Submit via secure fax - Fax your validation documentation to +1 (312) 276-4019.
You will need to provide:
- Your DBA (Doing Business As) name.
- The name, address, and phone number of your data security contact.
- Your 10-digit American Express merchant number (if applicable).
Useful Resources and Further Information
- Training courses and resources on PCI DSS.
- Complete information on PCI DSS.
- American Express Data Security Operating Policy website
Paul Maplesden is a writer specializing in business, finance, and technology. He finds research and writing about money deeply interesting.