FREQUENTLY ASKED QUESTIONSOctober 2017

* EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries.

AMERICAN EXPRESS SAFEKEY® 2.0 (EMV®* 3-D SECURE)

2

SAFEKEY 2.0 FAQ

© 2017 American Express. All Rights Reserved.

WHAT IS AMERICAN EXPRESS SAFEKEY®?

American Express SafeKey is an authentication tool that adds an extra layer of security when a participating Card Member shops online. SafeKey can help reduce unauthorized online use before it happens by validating a Card Member’s identity through various methods including risk-based authentication and dynamic one-time passcodes.

SafeKey leverages EMV® 3-D Secure (3DS), an industry standard e-commerce fraud prevention protocol. For the sake of simplicity in this FAQ document, the current version of American Express SafeKey, based on 3-D Secure 1.0.2, will be referred to as SafeKey 1.0, and the upcoming version of SafeKey, based on EMV® 3-D Secure, will be referred to as SafeKey 2.0.

Q1: WHY DOES THE INDUSTRY NEED A NEW VERSION OF 3DS?

The current 3DS 1.0.2 protocol was designed to support Card Member authentication for PC browser-based, e-commerce transactions.

3DS 2.0 has been developed with the growth of new and emerging technologies in mind such as non-browser-based remote payments including in-app, mobile and digital wallets. In addition, the approach has been to deliver new capabilities in terms of technology, security, performance, user experience and flexibility to ensure longevity.

The global technical body, EMVCo, has expanded its scope to lead the payments industry in further developing the EMV 3DS specification and its associated testing and approvals (e.g., certification) program.

American Express is a member of EMVCo and is fully involved in developing the new 3DS 2.0 standard.

Q2: WHAT WILL THE NEW VERSION OF 3DS OFFER?

EMV 3DS aims to meet the evolving requirements of the remote payments environment, including the ability to support:

Browser and non-browser shopping needs, such as application-based purchases on smart devices (i.e., smartphones, gaming consoles, wearables, etc.)

Reduction in password requests through improved risk decisioning

Non-payment user authentication such as identification and verification (ID&V)

User authentication within digital wallets

Token-based transactions

More intuitive consumer experience/integration with the Merchant’s branding

Country-specific and regulatory requirements

Q3: WHERE CAN THE BASELINE EMV 3DS SPECIFICATION BE FOUND?

The EMVCo website (www.emvco.com) contains the latest version of the specifications.

Q4: WILL AMERICAN EXPRESS ENHANCE SAFEKEY TO MEET THE NEW EMV 3DS SPECIFICATION?

Yes. The EMV 3DS standards are the baseline for SafeKey 2.0, which have been published and are available at:

Issuers/Acquirers: https://network.americanexpress.com/globalnetwork/ sign-in/

MPI/ACS Providers: https://network.americanexpress.com/globalnetwork/ amex-enabled/

Merchants: http://www.americanexpress.com/merchantspecs

© 2017 American Express. All Rights Reserved. 3

SAFEKEY 2.0 FAQ

Q5: WHEN WILL AMERICAN EXPRESS SAFEKEY BE UPDATED?

The SafeKey 2.0 service will be available for deployment in Spring 2018. Completion of EMVCo’s test and approval service is a prerequisite for all participants to use SafeKey 2.0.

Q6: WHAT IS AMERICAN EXPRESS’S COMMITMENT TO SAFEKEY 1.0?

American Express will continue to support and maintain SafeKey 1.0.

Q7: CAN SAFEKEY 1.0 AND SAFEKEY 2.0 WORK TOGETHER?

Yes, SafeKey 1.0 and 2.0 operate independently so they can co-exist. The EMV 3DS specifications and American Express SafeKey specification defines the process to manage different versions of SafeKey.

Q8: CAN SAFEKEY 2.0 BE DEPLOYED WITHOUT SAFEKEY 1.0?

Yes, however, a participant (e.g., Merchant or Issuer) should be made aware that it will take time for SafeKey 2.0 to become established, ensuring all payment providers can support it.

Q9: WILL CARD MEMBERS HAVE TO ENROLL IN SAFEKEY 2.0 IF THEY HAVE ALREADY ENROLLED IN SAFEKEY 1.0?

Card Members will not have to enroll in SafeKey 2.0 as all eligible Card Members will be pre-enrolled by Issuers as a requirement of the EMVCo specification. The Activation-During-Shopping (ADS) feature that exists in SafeKey 1.0 will not be available in SafeKey 2.0.

Q10: AS A MERCHANT, HOW DO I KNOW WHEN MY MPI PROVIDER WILL BE READY FOR SAFEKEY 2.0?

Per EMVCo naming conventions, MPI providers are now referred to as “3DS Servers.” MPI/3DS Server providers will be working with EMVCo and American Express to certify for SafeKey 2.0. Merchants should contact their provider to discuss their plans.

Q11: WILL MERCHANTS HAVE TO ENROLL IN SAFEKEY 2.0 IF THEY HAVE ALREADY ENROLLED IN SAFEKEY 1.0?

Merchants should work with their MPI/3DS Server to understand the procedures for benefitting from SafeKey 2.0.

Q12: I AM A MERCHANT NOT CURRENTLY USING SAFEKEY. HOW DO I ENROLL IN SAFEKEY 2.0?

Merchants will be able to enroll once the SafeKey 2.0 service is available. Meanwhile, merchants are advised to engage with their selected MPI/3DS Server providers to discuss planning.

Q13: HOW WILL A MERCHANT OR MPI/3DS SERVER KNOW WHICH VERSION OF SAFEKEY AN ISSUER SUPPORTS?

The MPI/3DS Server will be provided information as to which Issuers support SafeKey 2.0. The MPI/3DS Server will use this data to determine whether a SafeKey 1.0 or SafeKey 2.0 transaction should be performed.

Q14: IS CERTIFICATION FOR SAFEKEY 2.0 NECESSARY IF SAFEKEY 1.0 CERTIFICATION HAS BEEN COMPLETED?

Yes, for ACS and MPI/3DS Server providers, separate certifications are required for SafeKey 1.0 and SafeKey 2.0. SafeKey 1.0 certification requirements remain unchanged. For SafeKey 2.0, EMVCo will be providing a mandatory approval service for ACS and MPI/3DS Server providers, which must be completed prior to American Express certification. The existing network certification for SafeKey 1.0 for Issuers and Acquirers remains valid for SafeKey 2.0.

Q15: WILL FRAUD LIABILITY SHIFT (FLS) CONTINUE TO BE OFFERED WHEN SAFEKEY 2.0 IS MADE AVAILABLE BY AMERICAN EXPRESS?

Yes, FLS will continue to be offered when SafeKey 2.0 is released.

Q16: WILL SAFEKEY 2.0 BE AVAILABLE TO NETWORK ISSUERS AND MERCHANTS WITHOUT CHARGE?

Yes, as with SafeKey 1.0, SafeKey 2.0 will be available to network Issuers and Merchants without a cost from American Express. However, there are no restrictions in place preventing SafeKey ACS and MPI/3DS Server providers from charging for their service to connect to SafeKey.