What Is American Express SafeKey and Should You Be Using It?
The need to help web-based merchants more accurately authenticate their customers during online transactions prompted Visa more than a decade ago to create the 3-D Secure protocol and build a service around it, which it called “Verified by Visa”. The protocol enhances security by adding an authentication step at checkout, during which customers are asked to enter a password that only the authorized user of the card used for payment is supposed to know. Rival MasterCard quickly followed suit with “MasterCard SecureCode”, and then Japan’s JCB International launched its J/Secure version of the service.
American Express was a little late to develop its own 3-D Secure protocol, but eventually it did so, and in late 2010 the company launched American Express SafeKey, which is still being phased in across different parts of the world. Let’s take a look at how AmEx’s 3-D Secure service works and see whether or not implementing it makes sense.
American Express SafeKey Step-by-Step
As it is based on the same technology that is at the core of its rivals’ authentication services, AmEx’s SafeKey works in exactly the same way. In order to participate, merchants first need to install on their websites a “Merchant Plug-In (MPI)” — software that incorporates cardholder validation functionality — through which they can then communicate with American Express’s SafeKey authentication servers. Here is a representation of the validation process:
There are two ways of authenticating cardholders at checkout: with static passwords and with dynamic passwords. Here is how they work, starting with the static approach:
1. At checkout at a participating merchant, the customer is asked to enroll in SafeKey (if she hasn’t done so already) by providing her card’s details:
2. Then the customer is taken to a window asking her to select a personal message and a password (a “SafeKey”):
3. Once enrolled, the customer will see an order confirmation message on the merchant’s website:
4. The next time she shops at a SafeKey-participating merchant, the cardholder will see the SafeKey authentication window, prompting her to enter her password:
The dynamic authentication process differs from the static one in that it asks the cardholder at checkout for a one-time password, which is received by email or via SMS:
The next time she checks out at a participating merchant, the cardholder will be issued a different password to complete the authentication process. SafeKey’s dynamic authentication is also known as “strong authentication” and is the only authentication method that meets the European Central Bank’s (ECB) latest requirements (published in January 2013). In fact, the ECB has mandated that all 3-D Secure-based services should use “strong authentication” by 1 February 2015.
Should You Be Using SafeKey?
There are definite benefits to using SafeKey, having to do with fraud prevention and chargeback liability:
- Participating merchants can transfer the liability for chargeback losses from SafeKey-authenticated transactions to the card issuing bank, through AmEx’s Fraud Liability Shift Policy. In other words, the merchant will not be liable for losses on eligible transactions.
- SafeKey may decrease participating merchants’ number of chargebacks.
- SafeKey works alongside other fraud prevention tools — such as the card security codes — to help validate a cardholder’s identity.
- Increased shopper confidence through the extra fraud-prevention steps.
Against these benefits should be set the effect that an additional checkout step has on a participating merchant’s sales conversion rate. A huge volume of research shows quite conclusively that each additional action a cardholder is required to take in order to complete a payment reduces the probability that she will complete the transaction. That is the reason many e-commerce merchants not only forgo 3-D Secure-based services altogether, but also remove from the checkout process stages that many of you might consider mandatory, such as requiring cardholders to enter their cards’ security codes.
So how do you balance these two seemingly incompatible objectives? Well, I would suggest that the answer is determined by the severity of your chargeback problem, that is, if you have one in the first place. If you have your chargebacks firmly under control, so that they affect neither your bottom line nor the relationship with your acquirer, you would probably be better off not enrolling in 3-D Secure services. If, on the other hand, chargebacks are out of control, with your chargeback ratio inching perilously close toward the danger zone (if it reaches 0.3 percent – 0.4 percent, you should be concerned and if it is higher than that, you have a serious problem), a 3-D Secure merchant account is probably your best credit card acceptance option.
Image credit: YouTube / American Express.
In the past, 3-D Secure protocols placed an additional barrier to making a sale. However, in light of the Target, Neiman Marcus and other major retailers’ data breaches, extra steps in the buying process may be less likely to affect probability of purchases now as compared to a few months ago. Theoretically, if every merchant were to use one of the three main 3-D Secure protocols, then fraudsters would be much less of a threat. Customers and merchants may not be ready to involve 3-D Secure protocols, but they do realize card security is due for a change.