Merchant Levels
All American Express Merchants are categorised into one of three levels for data security, based on their volume of American Express transactions. Your data security requirements are determined by the level your business falls under. The table below will help you to determine your level, and shows your requirements for compliance with the American Express Data Security Operating Policy.
| Merchant Level | Definition | Validation Documentation | Requirement |
|---|---|---|---|
| 1 | 2.5 million American Express Card transactions or more per year; or any Merchant that has had a data incident; or any Merchant that American Express otherwise deems a Level 1 | Annual Onsite Security Audit Report, and Quarterly Network Scan | Mandatory |
| 2 | 50,000 to 2.5 million American Express Card transactions per year | Quarterly Network Scan and Annual Self Assessment Questionnaire | Mandatory |
| 3 | Less than 50,000 American Express Card transactions per year | Quarterly Network Scan | Strongly Recommended* |
* Level 3 Merchants need not submit Validation Documentation, but still must comply with all other provisions of the Data Security Operating Policy.
View the American Express Data Security Operating Policy (PDF).