Skip to main content
Start of menu
Search US website
Close Menu
Select Your Country:
GET STARTED...
 
Data Security
Standard
Merchant
Levels
Compliance
Requirements
In Case Of
A Breach

 

Merchant Levels
Most Merchant Levels are based on the merchant's volume of American Express Card transactions submitted by its Establishments that roll-up to the highest American Express merchant account level. Merchants fall into one of three levels specified in the table below.

Level Definition Validation
Documentation
Requirement
1 2.5 million American Express Card transactions or more per year; or any merchant that American Express otherwise deems a Level 1 merchant. Annual Onsite Security Assessment Report and Quarterly Network Scan Mandatory
2 50,000 to 2.5 million American Express Card transactions per year Annual Self Assessment Questionnaire and Quarterly Network Scan Mandatory
3 Less than 50,000 American Express Card transactions per year Annual Self Assessment Questionnaire and Quarterly Network Scan Strongly Recommended*
EMV** 50,000 American Express Card Transactions or more per year, of which total Transactions at least 75% are made by the Cardmember with the physical Card present at a Point of Sale System compliant with EMV Specifications and capable of processing contact and contactless American Express Chip Cards. Annual EMV Attestation Mandatory

*Level 3 merchants and Level 3 Service Providers need not submit Validation Documentation, but nevertheless must comply with, and are subject to liability under all other provisions of this Data Security Operating Policy.

**Level EMV is not available for Service Providers, nor merchants that have had a Data Incident within twelve (12) months prior to the date of their Annual EMV Attestation.