American Express PCI Compliance Policy

Visa and Mastercard are still the most widely used credit/debit cards for payments. However, American Express has been gaining popularity, especially for high-value purchases. It comes with a higher processing fee, but the card brand also holds merchants to strict security requirements designed to protect both merchants and cardholders.

Like Visa and Mastercard, American Express requires merchants to comply with the Payment Card Industry Data Security Standard (PCI DSS) to protect cardholders. These requirements exist to safeguard customers’ personal and sensitive payment data. Every business that accepts Amex cards must meet the PCI DSS requirements, not only to protect its customers but also to strengthen its relationships with its clients. So, what exactly are the PCI DSS standards? And why do businesses need to comply with them?

PCI DSS is a set of security requirements that every business accepting credit card payments has to meet. The standard is maintained by the PCI Security Standards Council, which the major card brands (including American Express, Visa and Mastercard) founded in 2006 to consolidate their separate security programs into one standard. These requirements now apply to every entity, regardless of the products and services it offers: any organization that stores, processes, or transmits cardholder data must follow the PCI DSS guidelines to keep transactions secure.

Basically, the Payment Card Industry Data Security Standard groups its requirements into six goals for businesses accepting card payments. A business must:

  1. Build and maintain a secure network and systems
  2. Protect cardholder data
  3. Maintain a vulnerability management program (keep systems patched and protected against malware)
  4. Implement strong access control measures
  5. Regularly monitor and test its networks
  6. Maintain an information security policy

No matter the size or nature of your business, you have to abide by the PCI DSS requirements if you accept credit and debit card payments. Even if your company reports a small volume of sales, you have to follow the PCI DSS guidelines if you accept American Express. Here are a few things you need to consider for PCI DSS compliance.

To Build a Robust and Safe Network: Install and maintain a firewall configuration to protect your customers’ private and sensitive data. Never leave vendor-supplied defaults in place for system passwords or other security parameters. Change default passwords before a system goes into use, review them regularly, and share credentials only with authorized people.

Cardholder Data Protection: Protect cardholder data wherever you store it, and encrypt cardholder data whenever it is transmitted across open, public networks.

A Vulnerability Management Program: Use anti-malware software on your systems and keep it updated so it can detect current threats. Apply security patches promptly to keep systems and applications up to date, and use only payment applications and networks that meet PCI security requirements; no product can guarantee 100% security.

Solid Access Control: Access control measures restrict unauthorized access to your sensitive data and premises. Limit access to cardholder data to those with a business need to know, assign a unique ID to every person with computer access, and restrict physical access to cardholder data.

Monitor and Test Payment Networks: Regularly test your security systems and processes. Track and monitor all access to network resources and cardholder data, so you know who has accessed cardholder data and other private information. 

Information Security Policy: Maintain a policy that addresses information security for all personnel, educates them about the security controls, and covers the security obligations owed to employees and customers.

It is important to note that failing to report your PCI DSS compliance status to American Express can result in a non-validation fee. This is not a penalty for failing to comply with PCI DSS; it is charged to merchants who fail to report to Amex on time. If you fail to adhere to the Payment Card Industry Data Security Standard itself, you will be charged a non-compliance fee, which can go up to $100,000. 

Basically, a merchant has to submit its PCI validation documentation to its acquiring bank or payment processor. Although these banks submit your compliance documents to Amex on your behalf, it is highly recommended that you also send a copy of these documents to American Express once a year. Here’s what you need to submit annually (which of these applies depends on your merchant level, covered below):

  • Onsite Security Assessment (Report on Compliance)
  • Attestation of Compliance
  • Self-Assessment Questionnaire
  • Annual EMV Attestation

In addition to these, you need to engage an Approved Scanning Vendor (ASV) to run an external network vulnerability scan every quarter and submit the scan reports to Amex.

Merchant Level with AMEX

The compliance validation documentation you need to submit to Amex depends on your merchant level with the card brand. The higher your merchant level, the more compliance evidence you need to submit.

Level 1 – Businesses that process over 2.5 million Amex transactions every year are classified as Level 1 Amex merchants. In addition, a merchant that has experienced a data breach in the past may be placed at Level 1.

Level 2 – Businesses that process between 50,000 and 2.5 million Amex transactions annually are considered Level 2 merchants.

Level 3 Designated – Businesses that process fewer than 50,000 Amex transactions annually but that American Express has specifically designated as required to validate their compliance fall into the Level 3 Designated merchant category.

Level 3 – All other merchants that process fewer than 50,000 Amex transactions a year. These merchants must still comply with PCI DSS, but Amex does not require them to submit validation documentation unless it designates them.

Level EMV – To qualify as an EMV merchant, you must process more than 50,000 Amex transactions annually with at least 75% of them handled through an EMV-enabled chip card terminal (a point-of-sale terminal that reads the card’s EMV chip rather than relying on the magnetic stripe). An EMV level merchant submits the Annual EMV Attestation to American Express.

Here’s what Amex PCI DSS compliance requires:

  • Comply with the Payment Card Industry Data Security Standard, as required by American Express
  • Store only the cardholder data needed to execute Amex transactions
  • Use only PCI-validated payment applications and systems
  • Prepare the compliance documentation and report it to American Express, your bank, and your payment processor as required
  • Notify Amex of any data breach or data incident within 72 hours of discovery
  • Comply with the data incident management obligations

Bottom Line

The Payment Card Industry Data Security Standard obligations exist to protect Amex cardholders. It is the merchant’s responsibility to comply with these standards and to report its PCI DSS compliance status to Amex annually.
