The European Economic Area (EEA) Payment Services Directive 2 (PSD2) Strong Customer Authentication (SCA) regulation will impact all EU/EEA Merchants accepting Card Payments, regardless of Card Scheme.
SCA is a new technical customer authentication mandate that means Payment Services Providers (PSPs) are required to confirm the identity of their customers making payment transactions.
SCA requires at least 2 of the following 3 independent elements to authenticate the Cardmember:
- Possession: Something the payer has, for example a mobile phone.
- Knowledge: Something the payer knows, for example a passcode.
- Inherence: Something the payer is, for example biometric identification like fingerprints, facial recognition or an iris scan.
Any card present transactions which are not authenticated through Chip & PIN are declined by American Express.
What is being declined?
Magnetic stripe
Magnetic stripe transactions will no longer be compliant under PSD2, as signatures are not an approved authentication medium.
Keyed Card information
Any card information keyed into a Point Of Sale terminal as a method of payment where the Cardmember could authenticate themselves will be declined, as it does not satisfy the requirements for SCA.
Contactless Transactions <£100
Regulation requires that once the Cardmember has a cumulative contactless spend, they will be required to use Chip & PIN authentication. Please ensure your terminal has been enabled for this.
Transactions >£100
All card present transactions >£100 will require Chip & PIN authentication.
What action do I need to take?
Ensure all in-person transactions are authenticated with Chip & PIN and that your terminals support Chip & PIN transactions.
Online transactions requiring authorisation that are not authenticated through SafeKey may be declined by American Express.
What will be declined?
Non SafeKey Authenticated Transactions
Online transactions requiring authorisation that are not authenticated through SafeKey may be declined by American Express.
What action do I need to take?
Ensure your website / application includes 3DS authentication, including American Express SafeKey. You can do this by contacting your Payment Service Provider.
1. Low Value Transactions
- American Express requests the usage of SafeKey for every single transaction. This allows for the fraud liability shift in favour of the Merchant.
- American Express looks to green-flow as many low value transactions as possible and to minimise disruption to Cardmembers and Merchants.
2. Trusted Beneficiaries
- Cardmembers have the ability to add or remove Merchants on their trusted beneficiaries list through the American Express SafeKey Express list. This is maintained by both American Express and the Cardmember.
- To find out more information please visit www.americanexpress/safekey.
3. Transactional Risk Analysis
- Transactions are exempt from SCA when they are identified by American Express as posing a low level of risk.
- The transaction will still need to be submitted through SafeKey; American Express will then determine the level of risk posed and take the necessary action to authenticate the Cardmember.
4. Corporate Exemption
- There is an exemption from the requirement to apply SCA to payments initiated through the use of dedicated payment processes or protocols that are only made available to non-consumers. This is often referred to as ‘Corporate Exemption’.
- American Express intends to fully apply this exemption where possible to its various corporate Payment products.
- SafeKey will determine whether the product involved in the transaction requires SCA or not.
1. Mail Orders and Telephone Orders
- All mail orders and telephone orders (MOTO) are exempt from SCA. This is because the Merchant and their processor provide American Express with the correct data codes that clearly identify the transaction as MOTO.
2. Merchant Initiated Transactions
- Payment transactions that are initiated not by the Cardmember but by the Merchant are not subject to SCA. This is because the Cardmember has provided a mandate (pre-agreement between Merchant and Cardmember) authorising the Merchant to initiate a transaction.
- For more information on all types of MIT out of scope for SCA please visit our Merchant spec website.
3. One Leg (EU/non EEA)
- Strong Customer Authentication will only apply to Merchants and Customers in the EEA.
4. Transport and Parking
- Transactions initiated at unattended terminals for transport fares and parking fees are exempted from SCA.
- For more information with regards to American Express’s position on out of scope and exempted transactions, please visit www.americanexpress.com/merchantspecs.