Level 1: 2.5 million or more American Express Card transactions per year (or if you've been selected as a Level 1 by American Express)
Annual On-site Security Assessment Report (required)
This is a detailed on-site examination of the equipment, systems, networks and components where Card Member information is stored, processed, or transmitted.
Either a Qualified Security Assessor (QSA) performs the exam, or you perform the exam and have the results certified by your chief executive officer, chief financial officer, chief information security officer or principal. Results must be submitted to us annually.
Quarterly Network Scan (required)
This is a remote test of your Internet-connected computer networks and web servers for potential vulnerabilities.
An Approved Scanning Vendor (ASV) must perform the exam. Then you must complete and submit the ASV's Attestation of Scan Compliance (AOSC) or the executive summary of findings of the scan to us every 90 days.
Level 2: 50,000 to 2.5 million American Express Card transactions per year (Service providers: less than 2.5 million transactions)
Annual Self Assessment Questionnaire (required)
This is a self-examination of the equipment, systems, networks and components where Card Member information is stored, processed, or transmitted using the PCI Data Security Standards Self-Assessment Questionnaire (SAQ).
You must complete the questionnaire and have it certified by your chief executive officer, chief financial officer, chief information security officer or principal. Results must be submitted to us annually.
Quarterly Network Scan (required)
This is a remote test of your Internet-connected computer networks and web servers for potential vulnerabilities.
An Approved Scanning Vendor (ASV) must perform the exam. Then you must complete and submit the ASV's Attestation of Scan Compliance (AOSC) or the executive summary of findings of the scan to us every 90 days.
Level 3 Designated: Less than 50,000 American Express Card Transactions per year and has been designated by American Express as being required to submit validation documents (merchants only; does not apply to service providers). American Express will contact these designated merchants and provide them details for reporting their security status by submitting PCI validation documents.
Annual Self Assessment Questionnaire (required)
This is a self-examination of the equipment, systems, networks and components where Card Member information is stored, processed, or transmitted using the PCI Data Security Standards Self-Assessment Questionnaire (SAQ).
You must complete the questionnaire and have it certified by your chief executive officer, chief financial officer, chief information security officer or principal. Results must be submitted to us annually.
Quarterly Network Scan (required)
This is a remote test of your Internet-connected computer networks and web servers for potential vulnerabilities.
An Approved Scanning Vendor (ASV) must perform the exam. Then you must complete and submit the ASV's Attestation of Scan Compliance (AOSC) or the executive summary of findings of the scan to us every 90 days.
Level 3: Less than 50,000 American Express Card transactions per year (merchants only; does not apply to service providers)
Annual Self Assessment Questionnaire (recommended)
This is a self-examination of the equipment, systems, networks and components where Card Member information is stored, processed, or transmitted using the PCI Security Standards Self-Assessment Questionnaire (SAQ).
You may complete the questionnaire and have it certified by your chief executive officer, chief financial officer, chief information security officer or principal. Results may be submitted to us annually. For more information, see Section 4, Step 2 of the Data Security Operating Policy (PDF).
Quarterly Network Scan (recommended)
This is a remote test of your Internet-connected computer networks and web servers for potential vulnerabilities.
An Approved Scanning Vendor (ASV) must perform the exam. Then you must complete and submit the ASV's Attestation of Scan Compliance (AOSC) or the executive summary of findings of the scan to us every 90 days.
Level EMV*: 50,000 or more American Express Chip-enabled Card transactions per year with at least 75% made on an EMV-enabled (Chip-enabled) terminal capable of processing contact and contactless American Express transactions
Annual EMV Attestation (AEA) (required)
This is a self-examination of the PCI compliance status for equipment, systems, networks and their components where cardholder data or sensitive authorization data (or both) are stored, processed or transmitted.
You must complete the AEA and have it certified by your chief executive officer, chief financial officer, chief information security officer or principal. Results must be submitted to us annually.