If your API produces a new value that the user needs to consume, then you have you have to accept the breaking change. The user has to know how to process "amex", and using a string does not really help with that. Preemptively listing card types might help, but there is a risk of users relying on a specific implementation instead of the contract, and that is also a source of bugs.
If your API both produces and consumes the new value you will not have a breaking change. I.e. If your API also includes the processCard function and everything else that needs the credit card type. Similarly, if your user produces values your API consumes it would not be a breaking change. Your user would still need to do updates to support the new card types, but it would still work with existing cards.
It might also be possible to specify to the API what card types are allowed, so that unexpected card types are never returned. Or have some sort of versioning system of the API that ensures a consistent behavior. You could also specify in the contract that new card types might be added and how the user should deal with these. Likely by invoking some kind of fallback or error handling system.