American Express - Merchant Levels

Start of menu

My Account
You are under MyAccount Primary Tab
Card AccountExpand / Collapse
Business AccountsExpand / Collapse
Other AccountsExpand / Collapse
- International Money Transfers for Card Members
Cards
You are under New Cards Primary Tab
Personal CardsExpand / Collapse
Small Business CardsExpand / Collapse
Corporate CardsExpand / Collapse
Gift CardsExpand / Collapse
- View Gift Cards
Travel
You are under Travel Primary Tab
Online TravelExpand / Collapse
Travel ResourcesExpand / Collapse
Business TravelExpand / Collapse
Travel MoneyExpand / Collapse
Insurance
You are under Insurance Primary Tab
All InsuranceExpand / Collapse
- Insurance Homepage
Insure my travelsExpand / Collapse
Insure my pet and possessionsExpand / Collapse
- Pet Insurance
- Gadget Insurance
Insure meExpand / Collapse
Rewards
You are under Rewards Primary Tab
Membership RewardsExpand / Collapse
Other Reward ProgrammesExpand / Collapse
OffersExpand / Collapse
- Cardmember offers
- Refer friends. Get rewarded.
InvitesExpand / Collapse
- Entertainment
Business
You are under Business Primary Tab.
MerchantsExpand / Collapse
CorporationsExpand / Collapse
Small Business CardsExpand / Collapse
Global NetworkExpandir / Colapsar

GET STARTED...

	Data Security Home
	Merchant Information
	Service Provider Information
	PCI Security Requirements
	Frequently Asked Questions
	Watch Data Security Video

Data Security
Standard

Merchant
Levels

Compliance
Requirements

In Case Of
A Breach

Merchant Levels
All American Express Merchants are categorised into one of three levels for data security, based on their volume of American Express transactions. Your data security requirements are determined by the level your business falls under. The table below will help you to determine your level, and shows your requirements for compliance with the American Express Data Security Operating Policy.

Merchant Levels	Definition	Validation Documentation	Requirement
1	2.5 million American Express Card transactions or more per year; or any Merchant that has had a data incident; or any Merchant that American Express otherwise deems a Level 1	Annual Onsite Security Audit Report, and Quarterly Network Scan	Mandatory
2	50,000 to 2.5 million American Express Card transactions per year	Quarterly Network Scan and Annual Self Assessment Questionnaire	Mandatory
3	Less than 50,000 American Express Card transactions per year	Quarterly Network Scan	Strongly Recommended*

* Level 3 Merchants need not submit Validation Documentation, but still must comply with all other provisions of the Data Security Operating Policy. View the American Express Data Security Operating Policy (PDF).