New regulation means more authentication steps
Beginning 14 September 2019, a key part of the EU Revised Payment Service Directive (PSD2) is coming into effect. Its focus on security means all card issuers will need to verify your identity more often when you shop online, in-store with contactless, and when you access your Online Account.
How it will work for you
The new regulation requires you to authenticate yourself more often when you are shopping online, in-store, or accessing your Online Account.
Please check your contact details are up-to-date, in case we need to send you a verification request, so we know it's you who's making the purchase.
You'll see more of SafeKey®
You may need to verify your identity more often
We will send you verification codes via email or SMS. To ensure you can receive verification codes, check that your contact details are up to date.
You may need to enter part of your Card PIN
Occasionally we may need to ask for more than one piece of information, in those cases we will need you to enter part of your Card PIN. This is the same PIN that you use in-store. You can view your Card PIN in your Online Account.
Frequently Asked Questions
PIN
Your Card PIN is a Personal Identification Number which helps us to verify your identity when using your Card. It’s made up of four digits and is uniquely bound to your Card; it acts as a passcode to help prevent fraud.
You can view or change your Card PIN in your Online Account.
To view your PIN:
- Log in using your username and password. Once logged in, click on the 'Account Management' tab.
- Click on 'View PIN', you'll then be asked some security questions. Please answer and follow the steps as prompted on screen.
To change your PIN:
- Log in using your username and password. Once logged in, click on the 'Account Management' tab.
- Click on ‘Change PIN’, you'll then be asked some security questions. Please answer and follow the steps as
prompted on screen.
European legislation (the Payment Services Directive, known as ‘PSD2’) requires payment providers to perform additional authentication when you check out online to help prevent fraud. Certain transactions require stronger authentication such as asking for additional information to help verify your identity. Your Card’s Personal Identification Number (PIN) helps us to ensure it’s really you who is using your Card online as only you know your PIN. You will never be asked to enter your full PIN online.
Yes. You won’t ever be asked to enter the full four digits during online checkout and will only be asked for it in SafeKey with the digits hidden once you have entered them. Your PIN will be encrypted in SafeKey when it is sent for verification.
You can unlock your PIN in your Online Account.
Log in to your Online Account, click on the ‘Account Management’ tab and then ‘View PIN’. An alert will appear to unlock your PIN. Follow the prompts to unlock your PIN. You can also change it to something more memorable in your Online Account.
We won’t ask for part of your Card PIN every time you shop online, only when we need to perform an additional security check.
Add online sites to your Express List in your Online Account
Adding online sites to your Express List means you won’t have to verify yourself unless we need to check it’s really you who is making the purchase. You can set up your Express List in your Online Account:
- Log in using your username and password. Once logged in, click on the 'Account Management' section.
- Click on ‘Manage Express List’.
- You’ll be shown a list of online sites you have shopped at using your American Express® Card. Click ‘Add’ to add them to your Express List.
If you changed your PIN in your Online Account you can immediately start using your new PIN when shopping online.
The next time you use your PIN in-store you will need to use your old PIN once before you can start using your new PIN. This is so that your new PIN can be sent to the Chip in your Card at the terminal.
Legitimate websites will never ask for your full PIN. Additionally, you will never be asked by email or over the phone to provide your PIN. If you receive an email
requesting your PIN, you can forward the message to uk.asg.production@aexp.com.
If you have provided your PIN in full to an unknown person or an unknown company, you should change your PIN immediately using the method described above. You can also request a replacement Card by calling us on the number on the back of your Card.
SafeKey
A new legislation, the EU’s Second Payment Services Directive (PSD2) requires all Card issuers to perform Strong Customer Authentication (SCA) to payments made online. SCA is a two-factor authentication process designed to add an extra layer of security when you make an electronic payment. These rules mean that from 25 August 2020 we are required to apply them for relevant online payments. If your transaction meets the requirement for additional authentication checks and the merchant had not enabled SafeKey then the regulation mandates that we decline the transaction.
SafeKey is the American Express online verification service. Many thousands of merchants have already enabled SafeKey. Some, but not all, may display the SafeKey logo. If you want to check if a specific merchant has enabled SafeKey you should contact them directly.
Some sites may not be technically ready to add SafeKey to their online checkout journey. Please contact the merchant directly if you have any questions about their checkout journey.
The EU regulation requires that American Express apply Strong Customer Authentication (SCA) for online payment transactions. SafeKey is the American Express online verification system helping us to ensure that the person making the transaction is who they say they are.
If your transaction meets the requirement for additional authentication checks and the merchant had not enabled SafeKey then the regulation mandates that we decline the transaction.
We may also have to decline your transaction if we suspect fraudulent activity on your Card or we are unable to verify your identity. If this is the case we’ll usually be in touch straight away via email, SMS or telephone.
The new authentication rules will apply when you shop online at merchants located within the EEA. Some European Economic Area (EEA) countries may follow a slightly different schedule in the implementation of these rules, so you may have a different experience depending on where the online site is located.
Express List gives you more control over your security
Your Express List is a personalised list of American Express approved merchants you’ve recently shopped at. By selecting merchants, you won’t need to receive verification codes when you shop there, unless we need to confirm it's you making the purchase.
You may see more Chip and PIN
Most of the time you will be able to use your contactless Card as usual. However, you may sometimes be asked to enter your PIN. On these occasions, the terminal will ask you to place your Card into the card reader and enter your PIN.
Contactless is a secure way to pay. Our security systems work in the background checking your purchase against your previous buying patterns and thousands of other patterns, looking for irregularities that might signal fraud. If we suspect a problem, our team will contact you by call, text or email to check it was you making the purchase.
We added an additional layer of security to your American Express Online Account to make sure the person logging in is really you.
Here’s what you’ll see:
- Log in normally with your Username and Password or biometrics
- Enter the verification code we send to you
- Tell us whether we should Remember This Device in the future
Choosing Remember This Device helps speed up your log in experience without compromising on security. Our systems are working in the background 24/7 to ensure your Online Account is secure.
If you’d rather enter verification codes as part of your log in journey, you can skip the Remember This Device step.
You can manage your remembered device setting at any time on americanexpress.com/icc or via the American Express® ICC App.
Frequently Asked Questions
Two-Step verification is an enhanced security check for Account login.
Step One: We verify your Username and Password or biometrics.
Step Two: We verify that you are logging in from a device we trust by sending you a verification code. We'll send a verification code any time you log in using a device we don't recognize. You can tell us to Remember This Device and we won’t send verification codes when you log in from that device in the future.
We recommend setting up any device which you regularly use to log into your Online Account or the Amex ICC App. You can choose to set up more than one trusted device e.g. your mobile phone, your personal laptop, your tablet. You should not enable Remember This Device on shared devices or public computers.
We’ll send a verification code if we ever need to re-verify your device, for example if you clear your cache and cookies or happen to delete and reinstall the Amex ICC App. You’ll see these requests more often if you log in via the web.
The verification code we send is unique to you alone. This means that when you enter this code on your device, we can be confident that it’s really you who is making the request to Remember This Device. Our systems capture this information so next time you log in on the same device we’ll know that we can trust it.
Yes. Our security systems will be running in the background as usual, so we’ll always perform additional checks if needed.
It’s important that we have your up to date contact details on file. You can check and update your details at anytime by logging into your Online Account. If you have any issues, then please call the number on the back of your Card and we’ll be able to update your details.
Security and convenience
We're making sure the new way we authenticate you, both maintains our high security standards and is also less hassle for you.
Our existing security systems
We use sophisticated technology to help keep your Account safe. We've made big investments in the advance machine learning that powers our intelligent security systems. This means we're confident it's you making the purchase, even when you're using contactless or shopping online. If we suspect a problem, our team will contact you by call, text or email to check it was you making the purchase. The complex algorithms we use are built using data from millions of payments. We check your purchase against your previous buying patterns and thousands of other patterns, looking for irregularities that might signal fraud.
And unlike most other card companies, we both supply the Card and process the payment, making us uniquely well-placed to spot any unusual activity and solve problems faster.