Credit Card Processing, Security and PCI Compliance

American Express Data Security Operating Policy


April 06, 2020

If you accept American Express (Amex) credit cards in your business, you need to meet certain requirements. These requirements are meant to protect your customers and your business. They’re designed to protect cardholder data, which can improve customer relationships, your profitability, and prevent a costly security breach and damage to your business reputation.

There are a few steps to meeting these regulations, which we’ll go over in this article.

Make Sure You Are PCI Compliant

PCI DSS is an agreed upon set of standards to protect cardholders, businesses, networks, service providers, and card issuers. PCI DSS involves meeting 12 requirements across 6 different areas. It’s essential that you’re compliant with PCI DSS before you go onto the next step, so if you’re not familiar with it already, be sure to read up on PCI compliance.

Determine Your Merchant Level with Amex

Once you’re compliant with PCI DSS, you’ll need to find your merchant level with Amex. The higher your merchant level, the more proof of compliance you’ll need to provide. Find your merchant level as follows:

  • Level 1 Merchant – You’re a level 1 merchant if you process more than 2.5 million Amex transactions a year. Amex can also classify you as a level 1 merchant if your business has suffered a data breach that impacted Amex cardholder data.
  • Level 2 Merchant – You’re a level 2 merchant if you process between 50,000 and 2.5 million Amex transactions a year.
  • Level 3 Designated Merchant – You’re a level 3 designated merchant if you process fewer than 50,000 transactions a year and Amex has decided you are a “designated” merchant. They will contact you if that’s the case.
  • Level 3 Merchant – You’re a level 3 merchant if you process fewer than 50,000 Amex transactions a year.
  • Level EMV Merchant – You are a level EMV merchant if you process more than 50,000 Amex transactions a year and at least 75% go through an EMV chip card terminal. EMV terminals are hardware capable of processing chip-enabled and contactless Amex transactions.
    Note that EMV merchant requirements are in addition to any requirements listed for other levels.

Complete the Required Steps and Documentation

You’ll need to meet certain requirements and file paperwork depending on your merchant level. The requirements are listed in the table. Links below the table provide more information about each requirement.

Amex Merchant Level Chart

Report on Compliance
Qualified Security Assessor
Attestation of Compliance
Self-Assessment Questionnaire
Approved Scan Vendor

Once you know what you need to do, you’ll need to contact an approved vendor to carry out the requirements and go through the validation process.

*Remember that EMV merchant requirements are in addition to any other merchant requirements.
Failure to complete the EMV attestation may result in non-validation fees. Your processor may also impose EMV non-compliance fees.

Submit Your Information to Amex

You can submit your required documents to Amex via Trustwave, who administers Amex’s Data Security Compliance Program. You can contact Trustwave and submit information to them as follows:

  • Submit via secure portal – Log in with your user ID at
  • Submit via secure fax – Fax your validation documentation to +1 (312) 276-4019.

You will need to provide:

  • Your DBA (Doing Business As) name.
  • The name, address, and phone number of your data security contact.
  • Your 10-digit American Express merchant number (if applicable).

Useful Resources and Further Information

See also:

MasterCard SDP

Ben Dwyer

BY Ben Dwyer

Ben Dwyer began his career in the processing industry in 2003 on the sales floor for a Connecticut‐based processor. As he learned more about the inner‐workings of the industry, rampant unethical practices, and lack of assistance available to businesses, he cut ties with his employer and started a blog where he could post accurate information about credit card processing. As the blog gained in popularity, Ben began directly assisting merchants in their search for a processor. Ben believes in empowering businesses by providing access to fair, competitive pricing, accurate information, and continued support. His dedication to transparency and education has made CardFellow a staunch small business advocate in the credit card processing industry.

Please join the conversation

Your email address will not be published.


Credit Card Processing exposed

Use the secrets that credit card processors don't want
you to know to drastically lower your credit card
processing fees.

Read Now!

You might also like…

Amex Rates
Amex OptBlue

View all articles