PCI merchant levels have been clearly defined by all the major payment brands (VISA, MasterCard, American Express, Discover Card, and JCB). What’s important to note is that you should also look at each of the payment brand’s respective Levels for truly understanding where you fall.
Thus, PCI merchant levels for American Express are defined as the following:
Level 1: Merchants processing over 2.5 million American Express Card transactions annually or any merchant that American Express otherwise deems a Level 1.
Level 2: Merchants providing 50,000 to 2.5 million American Express transactions annually or any merchant that American Express otherwise deems Level 2.
Level 3: Merchants processing less than 50,000 American Express transactions annually.
Thus, the requirements for these respective Levels as far as compliance is concerned are the following:
Level 1: Annual onsite review by QSA (PCI DSS Assessment) and Quarterly Network Scan by ASV.
Level 2: Quarterly Network Scan by ASV.
Level 3: Quarterly Network Scan by ASV.
To learn more about PCI Merchant Levels and the Payment Card Industry Data Security Standards (PCI DSS), visit pciassessment.org