Credit Card Processing, Security and PCI Compliance

American Express Data Security Operating Policy

by Paul Maplesden

July 11, 2018

If you accept American Express (Amex) credit cards in your business, you need to meet certain requirements. These requirements are meant to protect your customers and your business. They’re designed to protect cardholder data, which can improve customer relationships and your profitability, and help prevent a costly security breach and damage to your business reputation.

There are a few steps to meeting these regulations, which we’ll go over in this article.


Make Sure You Are PCI Compliant

PCI DSS is an agreed-upon set of standards to protect cardholders, businesses, networks, service providers, and card issuers. PCI DSS involves meeting 12 requirements across 6 different areas. It’s essential that you’re compliant with PCI DSS before you go on to the next step, so if you’re not familiar with it already, be sure to read up on PCI compliance.

Determine Your Merchant Level with Amex

Once you’re compliant with PCI DSS, you’ll need to find your merchant level with Amex. The higher your merchant level, the more proof of compliance you’ll need to provide. Find your merchant level as follows:

  • Level 1 Merchant – You’re a level 1 merchant if you process more than 2.5 million Amex transactions a year. Amex can also classify you as a level 1 merchant if your business has suffered a data breach that impacted Amex cardholder data.
  • Level 2 Merchant – You’re a level 2 merchant if you process between 50,000 and 2.5 million Amex transactions a year.
  • Level 3 Designated Merchant – You’re a level 3 designated merchant if you process fewer than 50,000 transactions a year and Amex has decided you are a “designated” merchant. They will contact you if that’s the case.
  • Level 3 Merchant – You’re a level 3 merchant if you process fewer than 50,000 Amex transactions a year.
  • Level EMV Merchant – You are a level EMV merchant if you process more than 50,000 Amex transactions a year and at least 75% go through an EMV chip card terminal. EMV terminals are hardware capable of processing chip-enabled and contactless Amex transactions.
    Note that EMV merchant requirements are in addition to any requirements listed for other levels.

Complete the Required Steps and Documentation

You’ll need to meet certain requirements and file paperwork depending on your merchant level. The requirements are listed in the table. Links below the table provide more information about each requirement.

Amex Merchant Level Chart

Report on Compliance
Qualified Security Assessor
Attestation of Compliance
Self-Assessment Questionnaire
Approved Scan Vendor

Once you know what you need to do, you’ll need to contact an approved vendor to carry out the requirements and go through the validation process.

*Remember that EMV merchant requirements are in addition to any other merchant requirements.
Failure to complete the EMV attestation may result in non-validation fees. Your processor may also impose EMV non-compliance fees.

Submit Your Information to Amex

You can submit your required documents to Amex via Trustwave, which administers Amex’s Data Security Compliance Program. You can contact Trustwave and submit information to them as follows:

  • Submit via secure portal – Log in with your user ID at trustwave.com.
  • Submit via secure fax – Fax your validation documentation to +1 (312) 276-4019.

You will need to provide:

  • Your DBA (Doing Business As) name.
  • The name, address, and phone number of your data security contact.
  • Your 10-digit American Express merchant number (if applicable).

Useful Resources and Further Information

See also:

Visa CISP
MasterCard SDP

BY Paul Maplesden

Paul Maplesden is a freelance writer specializing in business, finance, and technology. He brings shrewd research skills to CardFellow, resulting in detailed, actionable information for business owners. Paul finds writing about money deeply interesting, and much of his work for CardFellow focuses on the intersection of payments and technology. Whether he's writing about the latest payment app or detailing the differences in popular ecommerce platforms, Paul's work helps businesses understand the myriad products and services available in the processing industry. Aside from writing, he loves Earl Grey tea, pivot tables, hats, and other fine geekery.
