Sie sind auf Seite 1von 1


Q1: How can a Merchant begin enrollment, certification and

testing for American Express SafeKey?

Q5: Will Merchant Terms and Conditions require changes to

support the American Express SafeKey programme?

Merchants will be able to enroll and collect test results from testing
in the SafeKey programme by visiting the SafeKey enrollment portal Alternatively Merchants can contact their
Payment Service Provider or visit

Yes, the Terms and Conditions for American Express Card Acceptance
may be amended or re-issued to enable the Fraud Liability Shift.
Q6: What is the definition of an attempted transaction?

Depending on the processing model, varying levels of technical

development may be required to support the integration of
American Express SafeKey. Merchants should consider costs
incurred from internal technical development and external linkages
with third parties.

An American Express SafeKey authentication attempt occurs when a

Merchant requests to authenticate the Cardmember but the
Cardmember or Issuer has not been enrolled in the SafeKey
programme, and both the Merchant and Issuer are in SafeKey
designated markets. In this scenario, valid authentication data [e.g.
American Express Verification Value (AEVV) and Electronic
Commerce Indicator (ECI)] value will be required in the Authorisation
and Submission messages as evidence of the attempt.

Q3: Can SafeKey be turned off by the Merchant after


Q7: Will a participating Merchant obtain a Fraud Liability Shift on

all Internet transactions?

Technically, SafeKey can be switched off by the Merchant. However,

please note that the intention of SafeKey is to reduce instances of
online card fraud. As such, American Express does not recommend
turning off SafeKey at any time in accordance with guidelines.

No. Merchants can only obtain FLS on fully authenticated SafeKey

charges. For non-authenticated SafeKey charges, or standard ecommerce charges, the standard Card Not Present card acceptance
policy applies and the Merchant is liable if the Cardmember later
disputes the charge.

Q2: What is the estimated development effort for a Merchant

choosing to implement American Express SafeKey?

Q4: How is a Card authenticated and authorised when both

the Merchant and Cardmember are enrolled in American
Express SafeKey?

During checkout, the Cardmember inputs their payment

method as American Express and provides the Card number.


The Merchant Plug-in (MPI) component running at the

Merchant will communicate with the American Express
Directory Server to determine if the American Express Card is
enrolled in American Express SafeKey.


The American Express Directory Server will communicate with

the Card Issuer to determine if the Card is enrolled in the


The Issuer will respond with a status of Y if the Card is

enrolled, along with a URL where the Cardmember needs to
be sent for authentication (the Authentication Site).


The Merchant application will automatically redirect the

Cardmember to the Authentication Site.


At the Authentication Site, the Issuer will display the password

page where the Cardmember will input the password. The
Issuer will send a response to the Merchant with the
authentication result. For security, the message will be
digitally signed.

(vii) The MPI will validate the signature and advise the Merchant of
the authentication result.

Q8: Where can a Merchant obtain Authorisation and Submission

specifications for American Express SafeKey?
The most up-to-date global Merchant technical specifications can be
found at For additional
information on which market standard specifications currently support
American Express SafeKey, Merchants may contact their American
Express Client Manager or their Payment Service Provider (PSP).
Q9: Who should a Merchant contact for additional information?
For additional details, Merchants can contact their PSP or visit the
American Express SafeKey website
Q10: What criteria must be satisfied for a Merchant to qualify for
the Fraud Liability Shift?
In order to be eligible for the Fraud Liability Shift a Merchant must:

Use all other American Express online fraud prevention tools

available in their market, and
Utilize SafeKey, and
Maintain a Fraud-to-Gross (FTG) level of 1% or less for all SafeKey

In the UK, for example, this would mean the Merchant would need to
participate in AVS and collect/send the Printed Card Security Code
(PCSC) in addition to utilizing SafeKey and maintaining the appropriate
FTG level.

(viii) The Merchant can approve or decline the transaction based

on the authentication result.

Page | 1 of 1
November 2012

2012 American Express All Rights Reserved

Merchant FAQs