Be prepared for Strong Customer Authentication (SCA)
Keep your accounts safe online
PSD2 & SCA
The revised Payment Services Directive (PSD2) introduced the Strong Customer Authentication (SCA) requirements, which were designed to increase security and reduce fraud associated with payments. It requires payment service providers like American Express to authenticate their customers using Two-Factor Authentication. SCA must be applied when a payer:
- initiates an electronic transaction (both card present and card not present)
- accesses their payment account online and
- carries out any remote action which may imply a risk of fraud, unless an exemption is available.
We’ve compiled the impacts this will have on Cardmembers and Account users and outlined the adjustments that can be made to ensure disruption is kept to a minimum.
What's changed?
To keep your programme even more secure, we've introduced additional layers of security to ensure that Cardmembers and Account users are safe when shopping online or accessing their Accounts.
For online payments
SafeKey will appear more often during the checkout stage. SafeKey helps protect Cardmembers against fraud while making a purchase online by confirming it's really them making the purchase. Cardmembers may more often receive verification codes by email or by SMS to their mobile phone, depending on the choice they have made. However, where merchants' websites don't support SafeKey, American Express may not be able to verify their transaction, so it may be declined to keep their account secure.
To minimise verification requests, Cardmembers will be able to use Express List, our solution which enables Cardmembers to 'whitelist' merchants they trust. SCA will be required unless an exemption is available. For example, SCA will apply when a payment is over the transactional risk analysis threshold and the merchant is not on Express List NL or Express List FR.
Payment portal account users
When logging into their online Account, users will need to use their username and password as usual. We will also send an extra verification request by text or email. This layer of security lets us know it's them accessing the Account in order to continue to make purchases.
For online accounts
When logging into their online Accounts, Cardmembers will need to use their username and password as usual. We may also send an extra verification request by text or email. It is therefore important that Cardmembers ensure their account information contains their correct email address and mobile number.
Contactless payments
All new and renewed Corporate Cards have been equipped with the contactless payment function since May 2020. Most of the time you will be able to use your contactless Card as usual. However, you may sometimes be asked to enter your PIN. On these occasions, the terminal will ask you to place your Card into the card reader and enter your PIN.
Strong Customer Authentication product checklist
The table illustrates products where Strong Customer Authentication applies.
Corporate Card & Corporate Meeting Card
SafeKey NL or SafeKey FR is the American Express online verification service which will be used by Corporate Cardmembers during the checkout stage. Where SCA is required, Corporate Cardmembers will automatically be sent verification requests by SMS or email (depending on the choice of the Cardmember).
What your Cardmembers need to do
To ensure that Cardmembers can continue to use their American Express Corporate Card and Corporate Meeting Card Accounts without interruption, they will need to have an email address and mobile number on file with us. This is to ensure that verification codes can be sent via text, email or push mobile notification when making online payments.
Check out safer and faster
Cardmembers will be able to add their favourite, most trusted online retailers to Express List. This will speed up the checkout process by forgoing the need for a verification code while still getting the same level of protection with American Express SafeKey.
Shop safely with SafeKey
The regulation requires that American Express apply SCA for online payment transactions. SafeKey will appear more often during the checkout stage.
The most common way of authenticating an online card payment relies on 3D Secure—an authentication standard supported by the vast majority of European card issuers. American Express Cardmembers are automatically enrolled for American Express SafeKey, which uses the latest 3D Secure technology to help protect our customers against fraud while shopping online at participating SafeKey merchants.
If a Cardmember transaction meets the requirement for additional authentication checks and the merchant has not enabled SafeKey, then the regulation mandates that American Express decline the transaction. We may also have to decline the transaction where we have been unable to successfully verify the person's identity.
Electronic transactions
Mail Order and Telephone Order (MOTO) transactions and merchant-initiated transactions (MIT) are out of scope of the SCA requirements.
Corporate exemptions
If you use any of our virtual products, such as the Business Travel Account (BTA) you will not need two-factor authentication when making payments on the Account.
What about Corporate Cards lodged with a travel management company?
If you use any of our virtual products, such as the Business Travel Account (BTA) you will not need two-factor authentication when making payments on the Account.
Strong Customer Authentication product checklist
The table illustrates products where Strong Customer Authentication applies.
Corporate Card and Corporate Meeting Card Online Accounts
Corporate Cardmembers will see more verification requests when they access their Account online. When they log into their online American Express Account they will need their username and password as usual.
Sometimes Alpha Card SCRL/CVBA may send them an extra verification request by text or email (depending on the choice they have made) when they are trying to access certain parts of their account such as viewing their PIN.
Corporate online portals
Business Travel Accounts (BTA) are exempt from SCA regulation and there is no need to send a verification code when users log into their Accounts.
What do your Cardmembers and Online Account users need to do?
Please ensure Cardmembers' contact details are up to date across the portfolio. Even though Strong Customer Authentication (SCA) is required on some products, having an up-to-date mobile number and email address will help protect Cardmembers and Account users and keep their Accounts safe and secure.
When do I need a verification code?
The regulation surrounding Strong Customer Authentication means Cardmembers and Account users will require verification codes at different times. Below is a handy guide to show where and when this will occur.
Strong Customer Authentication product checklist
The table illustrates products where Strong Customer Authentication applies.
SCA is a Two-Factor Authentication process designed to add an extra layer of security when Cardmembers make an electronic payment. Designed to reduce fraud, SCA requires that a Cardmember provides two independent sources of identity verification, commonly known as ‘Two-Factor Authentication,’ in order for a Card issuer to approve the electronic transaction.
Two of the following three independent verification options can be selected:
- something you know (e.g. PIN)
- something you have (e.g. a device)
- something you are (e.g. fingerprint)
SCA will therefore entail new authentication requirements for online and contactless payments where both the merchant and the Cardmember are located within the European Economic Area (EEA).
SCA is a new European regulatory requirement (part of the PSD2) being introduced across the EEA to reduce fraud and make electronic payments more secure.
PSD2 impacts anyone involved in the buying and selling of goods and services in the EU. Consumers, financial institutions, and the payments industry including aggregators and account information service providers are all affected by PSD2.
SCA applies to Cardmember-initiated electronic payments where both the merchant and the Card issuer are located within the EEA. Transactions that are not Cardmember-initiated electronic payments are ‘out of scope’. This includes Mail Order/Telephone Order (MOTO) transactions and merchant-initiated transactions (MIT).
(There are also a number of exemptions such as transactions with a Trusted Beneficiary, unattended transport and parking terminal transactions, and online transactions below a specified transaction risk analysis threshold driven by fraud rate). Express List is the online tool that allows an American Express Cardmember to use the Trusted Beneficiary exemption for online purchases.
In addition, a specific exemption has been granted by the Belgian National Bank for corporate payments when these payments are subject to dedicated processes and protocols guaranteeing a level of security equivalent to that of the SCA. This exemption applies to the Business Travel Account (BTA) and the Travel Card.
The regulation (the Revised Payment Services Directive) came into force on 14 September 2019. Subsequently, the Opinion of the European Banking Authority stated that national regulators should not actively enforce the regulation until 31 December 2020 for e-commerce. The EU Commission and the European Banking Authority have since confirmed this stance.
This means that full SCA requirements must be applied to all e-commerce transactions involving EU/EEA issued cards from 1 January 2021, unless a national regulator has established a revised enforcement date. Transactions without a valid SCA exemption or a 3D Secure / SafeKey request with two-factor authentication will be declined by the card issuer post the enforcement date set by the national regulator.
It is important to be aware that some national regulators have adopted a managed rollout period which introduces some variation around the timing of SCA requirements for locally issued cards. In the UK, the Financial Conduct Authority confirmed a revised enforcement date of 14 September 2021. Other countries, such as France, are also considering a short period of forbearance into spring 2021. At the same time, some regulators, in countries such as Belgium and the Netherlands, have required the industry to begin trialing SCA in advance of the December deadline.
Given these circumstances, we urge merchants across the EU/EEA to continue to take immediate steps to prioritise smooth adoption of the new SCA requirements, notably by activating SafeKey for all online transactions. American Express is technically ready and has unique capabilities to offer a best in class experience to consumers and merchants.
We do not foresee disruption to Cardmembers for online transactions. We recommend, however, that merchants across the EU/EEA continue to take steps to prioritise smooth adoption of the new SCA requirements, notably by activating SafeKey® for all online transactions.
In Belgium, the Belgian National Bank (BNB) has decided that from 24 August 2020, transactions over €1500 will have to go through SafeKey®. If a merchant has not activated SafeKey® for online transactions, the purchase will be refused. From January 2021, this will be the case for all transactions over €500 (except for transactions with merchants on the Express List).
Very occasionally, where the Cardmember is physically present to make a transaction, they may face disruption at the point of sale where technical upgrades to terminals have not yet been fully implemented by a merchant.
We urge merchants across the EU/EEA to continue to take immediate steps to prioritise smooth adoption of the new SCA requirements, notably by activating SafeKey for all online transactions.
Cardmembers may face disruption when they make a transaction where a merchant has not undertaken technical upgrades to their online checkout to support SCA.
In addition, you will see changes in the way you make online transactions. If you don’t have up to date contact details on file then your transaction will also be declined.
Card present and e-commerce transactions made using all payment cards (credit, charge, debit, prepaid), including Corporate Cards issued in the EEA and used at EEA merchants, are in scope. However, a specific exemption has been granted by the Belgian National Bank for corporate payments when these payments are subject to dedicated processes and protocols guaranteeing a level of security equivalent to that of the SCA. This exemption applies to the Business Travel Account (BTA) and the Travel Card.
Yes, however, a specific exemption has been granted by the NBB to corporate payments when these payments are subject to specific processes and protocols which guarantee a level of security equivalent to that offered by the SCA. This exemption applies to the Business Travel Account (BTA) and the Travel Card.
Business Travel Account (BTA) and Travel Card accounts are not affected and we believe that most non-plastic products will be. These products use dedicated processes and protocols that provide a level of security equivalent to that offered by the SCA. We are actively working with regulators regarding additional exemptions. All other cards, including corporate cards issued in the EEA and used at EEA merchants, are affected.
SCA applies to Cardmember-initiated electronic payments where both the merchant and the Card issuer are located within the EEA. Transactions that are not Cardmember-initiated electronic payments are ‘out of scope’. This includes Mail Order/Telephone Order (MOTO) transactions and merchant initiated transactions (MIT).
There are also a number of exemptions such as transactions with a Trusted Beneficiary, unattended transport and parking terminal transactions, and online transactions below a specified transaction risk analysis threshold driven by fraud rate.
Express List is the online tool that allows an American Express Cardmember to use the Trusted Beneficiary exemption for their online purchases.
The most common way of authenticating an online card payment relies on 3D Secure—an authentication standard supported by the vast majority of European card issuers. American Express Cardmembers are automatically enrolled for American Express SafeKey, which uses the latest 3D Secure technology to help protect our customers against fraud while shopping online at participating SafeKey merchants.
When Cardmembers shop on certain sites, SafeKey appears as a box during the checkout stage. If the SCA requirements are not observed by the merchant, these transactions will be declined.
Most of the time, Cardmembers don’t need to do anything, as SafeKey will identify the transaction as being eligible for a low-risk journey based on a Cardmember’s previous purchase history. For certain purchases identified as high risk or otherwise requiring Strong Customer Authentication, we may send Cardmembers a One Time Code (OTC) by text and/or email (depending on what the Cardmember has chosen). Once the Cardmember is verified, the online transaction is processed.
Online payments: SafeKey will continue to be used during the checkout stage. Where SCA is required, Cardmembers will automatically be sent verification requests by SMS or email, depending on what they have chosen.
American Express Cardmembers will be able to use Express List, our new trusted beneficiaries service. Where a merchant appears on the Cardmember’s Express List of trusted merchants (and where we haven’t otherwise identified the transaction as unusual or suspicious), SCA will not be applied.
Contactless payments: Contactless payments will continue as normal; however, Cardmembers may sometimes be asked to enter their PIN to complete SCA if they have reached certain spending thresholds since the last time SCA was performed. With mobile wallets, Cardmembers will be prompted to authenticate themselves as normal when using Amex Pay, Apple Pay, Google Pay and Samsung Pay to complete their purchase.
Cardmembers can also be sent a verification code by email. This means they do not need a mobile phone as they can access email from their desktop. It is therefore important that Cardmembers ensure their account information contains their correct email address.
Express List is a new feature we have developed for American Express Cardmembers, enabling them to add merchants with whom they have shopped frequently online to a ‘trusted beneficiary’ whitelist. Where a merchant appears on the Cardmember’s Express List of trusted merchants (and where we haven’t otherwise identified the transaction as unusual or suspicious), SCA will not be applied.
Cardmembers can set up Express List as part of a SafeKey journey. It will allow them to select individual merchants, or the Cardmember can choose to ‘select all’ merchants presented to them (up to 100 merchants the Cardmember has previously spent at will appear on the Express List). Cardmembers can also set up their Express List in their Online Account in addition to the SafeKey journey.
Cardmembers are able to self serve and manage their list of merchants in their Express List via their American Express Online Account.
You can create a new Online Account via the American Express website in the Cardmember’s country e.g. www.americanexpress.com in French or www.americanexpress.com in Dutch.
The NBB recognised that the travel and hospitality industry would have to undergo many changes to comply with the SCA and committed to a detailed review of the payment scenarios facing the travel and hospitality industries in order to provide timely clarification.
To date, the NBB in Belgium has formally agreed that all BTA & Travel Card transactions are exempt from the SCA guidelines (subject to certain criteria) and we anticipate that other regulators within the EEA will take the same view.
Other products such as Corporate Cards and Corporate Meeting Cards in a lodged Card scenario are still under discussion. American Express is working with EEA regulators to validate this position and avoid disruption to merchants and Cardholders.
It is very important that American Express has up-to-date email addresses and mobile numbers for Cardmembers so that one-time passcodes can be sent to the Cardmembers as part of the new two-factor authentication requirements under SCA.
You can update your contact details in your online profile and in your American Express Online Account by logging in to your Online Account. Alternatively, you can call your American Express customer service team on the number on the back of your Card.
American Express takes your privacy seriously and we will not use your details for marketing purposes without your consent. Your details will be stored in accordance with our privacy policy which you can access via the American Express website www.americanexpress.be
Contactless payments will continue as normal; however, the new regulations will require Cardmembers to perform a Chip and PIN transaction each time the Cardmember has reached cumulative contactless spend of €150. Most of the time Corporate Cardmembers will be able to use their contactless Card as usual; however, a contactless transaction may be declined because the cumulative contactless spend threshold has been reached. In the event that a contactless transaction is declined, Cardmembers should attempt the transaction again using Chip and PIN.
All new and renewed Corporate Cards are equipped with the contactless payment function since May 2020.
Corporate Cardmembers will see SafeKey appear during the checkout stage more often. SafeKey helps protect against fraud while shopping online by confirming it’s really the Cardmember making the purchase. Cardmembers will also automatically receive verification requests by text or email (depending on what they have chosen) more often, as they complete their online payments.
Corporate Cardmembers will see more verification requests when they access their account online. When they log into their online American Express Account they will need their username and password as usual. Sometimes American Express may send them an extra verification request by text or email when they are trying to access certain parts of their account such as viewing their PIN.
In addition, Business Cards, Corporate Card, Corporate Meeting Card Cardmembers accessing their Online Account portals will see more verification requests as well.
The regulation specifies ‘...a maximum time without activity by the payer after being authenticated for accessing its payment account online shall not exceed five minutes…’ This applies to all impacted online portals, including a Cardmember’s American Express Online Account.
No, they can only provide one set of contact information. It is very important that American Express has up to date email addresses and mobile numbers for Corporate Cardmembers so that one-time passcodes can be sent to the Cardmembers as part of transaction verification processes.
Mobile push notifications will only be sent to the specific American Express Card account that is registered in the American Express Mobile App, i.e. if the Cardmember has set up their Corporate Card in the App, they will be able to receive the push notifications for that specific card. However, if they have set up their Consumer Card account in the App instead, they won’t be able to receive push notifications for their Corporate Card.
SCA is only required on the initial Cardmember transaction. Subsequent transactions initiated by the merchant (i.e. the recurring billings) are out of scope. There is no impact to existing set-ups.
Cardmembers will be required to complete SCA for any online payment that isn’t covered by an exemption. Two key exemptions for online transactions are the Transaction Risk Analysis (TRA) exemption and the low-value exemption.
The TRA exemption allows American Express to not apply SCA if the transactions are deemed low risk, and where fraud rates remain beneath specified thresholds.
Card transactions below €30 are also subject to an exemption from SCA.
It is a 6-digit code sent via SMS and/or email (depending on what the Cardmember has chosen) that Cardmembers need to enter into the SafeKey or Online Access login screen to verify it’s them. This layer of security lets us know it’s them who are making the purchase, because we are sending the code to their registered contact details.
Different reasons could cause the failure of a transaction. When the verification code was entered incorrectly or some of the security questions have not been answered correctly, the access to SafeKey could be blocked. If the verification code wasn’t entered correctly after three attempts, the transaction will expire. Technical issues in the payment service of the merchant could also interrupt the transaction. If your transaction is unsuccessful you will receive an on-screen notification.
You should ensure that your mobile phone and email messages are readily accessible before you start a transaction at a participating SafeKey merchant. You can re-request your verification code as often as you like during the ten-minute validity period. You should delete your verification code once you have successfully completed the transaction with the merchant.
You will immediately receive a verification code to the email address and/or mobile phone number that American Express has on record for you (if we have those records). Your verification code is only valid for ten minutes from the time you submit your Card details to the merchant. If you do not complete your transaction during the ten minutes, you will need to restart the transaction with the merchant.
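As an added illustration (not American Express code), the sketch below shows a server-side check that enforces the rules described above: a 6-digit code, a ten-minute window counted from card-detail submission, and expiry after three wrong entries. The class and status names are hypothetical, and it assumes that a re-request issues a fresh code without extending the window or resetting the failure count.

```python
import hashlib
import hmac
import secrets

CODE_DIGITS = 6          # page: 6-digit code
VALIDITY_SECONDS = 600   # page: valid ten minutes from card-detail submission
MAX_FAILURES = 3         # page: three incorrect entries end the transaction


class OtpChallenge:
    """One verification challenge bound to one checkout (hypothetical class)."""

    def __init__(self, started_at):
        self._key = secrets.token_bytes(32)   # per-challenge MAC key
        self._deadline = started_at + VALIDITY_SECONDS
        self._failures = 0
        self._closed = False
        self._digest = None                   # only a MAC of the code is kept

    def _mac(self, code):
        return hmac.new(self._key, code.encode(), hashlib.sha256).digest()

    def issue(self, now):
        """Create a code for delivery by SMS or email; also serves re-requests.

        Assumption: a re-request replaces the previous code and leaves the
        deadline and failure count untouched. Returns None once the
        challenge is closed or past its deadline.
        """
        if self._closed or now >= self._deadline:
            return None
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._digest = self._mac(code)
        return code

    def verify(self, submitted, now):
        """Return 'verified', 'retry', 'locked', 'expired' or 'closed'."""
        if self._closed:
            return "closed"
        if now >= self._deadline:
            self._closed = True
            return "expired"
        # Constant-time comparison of MACs, never of the raw codes.
        ok = self._digest is not None and hmac.compare_digest(
            self._mac(submitted), self._digest)
        if ok:
            self._closed = True               # a code is accepted only once
            return "verified"
        self._failures += 1
        if self._failures >= MAX_FAILURES:
            self._closed = True               # checkout must be restarted
            return "locked"
        return "retry"


def demo():
    """Walk one challenge through a wrong entry, a re-request and success."""
    t0 = 1_000                                # constructed timestamp (seconds)
    challenge = OtpChallenge(started_at=t0)
    first = challenge.issue(now=t0)
    wrong = f"{(int(first) + 1) % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"
    second = challenge.issue(now=t0 + 120)    # Cardmember re-requests a code
    while second == first:                    # avoid a 1-in-10^6 collision
        second = challenge.issue(now=t0 + 120)
    return [
        challenge.verify(wrong, now=t0 + 130),    # wrong entry
        challenge.verify(first, now=t0 + 140),    # superseded code
        challenge.verify(second, now=t0 + 150),   # current code
        challenge.verify(second, now=t0 + 160),   # replay after success
    ]


if __name__ == "__main__":
    print(demo())
```

Keeping the deadline anchored to the start of the checkout means that re-requesting a code cannot be used to stretch the guessing window beyond ten minutes.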
When making a transaction, the Cardmember is the only person who may use the Card and is responsible for the authorisation of a transaction if the Card is in the Cardmember’s name. The verification code is sent to the registered contact details of the Cardmember. If a PA makes a booking through a corporate travel management or corporate purchasing system on behalf of the Cardmember, the lodged Card scenario may apply (please refer to the answer to the lodged Card scenario below).
To date, the NBB has formally agreed that all BTA and Travel Card transactions are exempt from the SCA guidelines (subject to certain criteria) and we expect other regulators within the EEA to take the same position.
Other products such as Corporate Cards/Corporate Meeting Cards in the lodged Card scenario are still under discussion. American Express is working with EEA regulators to validate this position and ensure that there is no disruption to merchants and Cardholders.
SCA is an important initiative to reduce fraud and make electronic payments more secure, and we welcome any measures to reduce the incidence of fraud across the industry. We continue to advise merchants to deploy appropriate fraud capabilities to protect their businesses.
American Express started informing its Cardmembers about SCA in July 2019. We have issued emails and/or direct mailings to Cardmembers. Our communications also give Cardmembers information on Express List, an online trusted beneficiaries service developed in response to the rules on SCA requiring card companies to send verification codes more frequently when customers shop online.
Express List enables Cardmembers to add merchant websites where they have previously shopped online frequently with their AMEX. Where a merchant appears on the Cardmember’s Express List of trusted merchants (and where we haven’t otherwise identified the transaction as unusual or suspicious), SCA will not be applied.
It is also very important that American Express has up-to-date email addresses and mobile numbers for Corporate Cardmembers so that one-time passcodes can be sent to the Cardmembers as part of the new two-factor authentication requirements under SCA.
Online payments: SafeKey will appear more often during the checkout stage. When shopping online, Cardmembers will be sent verification requests more often by SMS, email or a push notification. To minimise verification requests, Cardmembers will be able to use Express List, our trusted beneficiaries service. SCA will only be required when a payment is over the transactional risk analysis threshold and the merchant is not on Express List (and where we haven’t otherwise identified the transaction as unusual or suspicious).
Contactless payments: Contactless payments will continue as normal; however, the new regulations will require Cardmembers to perform a Chip and PIN transaction each time the Cardmember has reached cumulative contactless spend of €150. Most of the time Corporate Cardmembers will be able to use their contactless Card as usual; however, a contactless transaction may be declined because the cumulative contactless spend threshold has been reached. In the event that a contactless transaction is declined, Cardmembers should attempt the transaction again using Chip and PIN.
Online account access: When logging into their online American Express account, Cardmembers will need to use their username and password as usual. We may also send an extra verification request by text, email or push notification. It is therefore important that Cardmembers ensure their account information contains their correct email address.