Amex F29 - Card Not Present Fraud
On this page
F29 is Amex's primary fraud code for e-commerce and card-not-present transactions. The cardholder claims they did not authorize the charge. Your best defense is SafeKey (3D Secure) authentication: with it, liability shifts to the issuer. Without it, you need AVS/CVV matches, delivery proof, and device-level evidence. Response window is 20 calendar days, shorter than Visa or Mastercard.
Overview
Amex files F29 when a cardholder reports that a card-not-present transaction was not authorized. This covers online purchases, phone orders, mail orders, and any transaction where the physical card was not presented. It is the single most common Amex chargeback code for e-commerce merchants.
When This Code Applies
- Cardholder denies making an online purchase
- Stolen card credentials used for a CNP transaction
- Account takeover resulting in unauthorized orders
- Family member or household user makes purchase without authorization
- Friendly fraud (cardholder made the purchase but claims otherwise)
Conditions for Valid Dispute
Amex Must Verify
- Cardholder did not authorize the transaction
- Transaction occurred in a card-not-present environment
- Dispute filed within the allowable time frame
- Cardholder did not benefit from the transaction
Transaction Must Be
- E-commerce (online checkout)
- Mail order or telephone order (MOTO)
- Recurring billing without proper SafeKey authentication
- Any environment where the physical card was not presented
Time Frames
Amex gives merchants 20 calendar days to respond to chargebacks, roughly half of Visa's 30-day window. Missing this deadline means an automatic loss.
| Stage | Window |
|---|---|
| Inquiry response | 20 calendar days |
| Chargeback response | 20 calendar days |
| Documentation request | 10 calendar days |
Amex Inquiry Process
Amex frequently sends an inquiry before escalating to a full chargeback. Treat inquiries as urgent. Ignoring them guarantees a chargeback.
SafeKey (3D Secure) Liability Shift
Full Liability Shift (Issuer Liable)
When the transaction is fully authenticated through SafeKey:
- SafeKey challenge completed by cardholder
- ECI 05 = fully authenticated
- Valid cryptogram/AEVV present
No Liability Shift (Merchant Liable)
| Scenario | ECI | Merchant Liability |
|---|---|---|
| Authentication attempted, issuer unavailable | 06 | Reduced |
| Authentication failed or not attempted | 07 | Full |
| SafeKey not implemented | N/A | Full |
| Certain excluded MCC categories | Any | Full |
Merchants with SafeKey authentication see F29 chargeback rates drop by 60-80%. If you process any volume on Amex, implementing SafeKey should be a top priority.
Representment Options
1. SafeKey Authentication
When to use: Transaction was authenticated via SafeKey (3DS).
Evidence required:
- ECI value showing full authentication (05)
- AEVV/cryptogram
- Authentication timestamp
- SafeKey transaction ID
2. AVS and CVV Match
When to use: Address and security code verified successfully.
Evidence required:
- AVS response showing match (full or partial)
- CVV/CID match confirmation
- Delivery confirmation to the AVS-verified address
3. Delivery Confirmation
When to use: Physical goods were delivered to the cardholder.
Evidence required:
- Carrier tracking showing delivered status
- Signature confirmation (strongly recommended)
- Delivery address matching billing or AVS-verified address
- Photo proof of delivery (if available)
4. Digital Goods Access
When to use: Digital products or services were accessed by the cardholder.
Evidence required:
- IP address at time of download or access
- Access/usage logs showing activity after purchase
- Account login history
- Download confirmation records
5. Prior Transaction History
When to use: The cardholder has a history of undisputed purchases.
Evidence required:
- Previous undisputed transactions from the same account
- Matching email, device, or IP across transactions
- Established customer relationship documentation
6. Cardholder Communication
When to use: You have direct communication with the cardholder acknowledging the purchase.
Evidence required:
- Order confirmation sent to cardholder email
- Customer service correspondence about the order
- Chat transcripts or call recordings
Required Documentation
| Evidence Type | Strength |
|---|---|
| SafeKey authenticated (ECI 05) | Very Strong |
| AVS match + CVV match + signed delivery | Strong |
| Tracking delivered + AVS match | Medium-Strong |
| Prior undisputed transactions + device match | Medium |
| No authentication or delivery proof | Very Weak |
Win Rate Expectations
| Defense Type | Expected Win Rate |
|---|---|
| SafeKey authenticated (ECI 05) | 70-85% |
| AVS + CVV + delivery proof | 45-60% |
| Prior transaction history + device match | 35-50% |
| Standard evidence only | 25-40% |
| No evidence | Under 15% |
Prevention Strategies
Authentication
- Implement SafeKey (3D Secure 2.0) - Primary liability shift protection for Amex
- Use frictionless flow where possible - Maintains conversion while adding protection
- Challenge high-risk transactions - Step up authentication when fraud signals are present
Verification
- Require CVV/CID on every transaction - Amex 4-digit CID on card front
- Check AVS on every order - Decline or review mismatches
- Verify email addresses - Send order confirmations
- Phone verification for high-risk orders - Callback confirmation
Evidence Collection
- Log everything - IP addresses, device fingerprints, timestamps, session data
- Retain all communications - Emails, chat logs, call recordings
- Require delivery confirmation - Tracking plus signature for high-value orders
- Document account history - Build customer profile over time
Fraud Screening
- Real-time fraud scoring - ML-based detection at checkout
- Velocity checks - Flag unusual ordering patterns
- Device fingerprinting - Track and match devices across sessions
- Address validation - Cross-reference shipping and billing
Common Mistakes
- Not implementing SafeKey - Missing the most effective liability protection
- No delivery confirmation - Unable to prove receipt of goods
- Ignoring Amex inquiries - Letting them auto-escalate to chargebacks
- Missing the 20-day window - Shorter than Visa/MC, easy to miss
- Weak evidence packaging - Submitting incomplete documentation
Related Codes
- F10 - Missing Imprint
- F24 - No Cardholder Authorization
- F30 - EMV Counterfeit
- F31 - EMV Lost/Stolen/NRI
Next Steps
Got this chargeback?
- Check if SafeKey was used --> If ECI 05, you have a strong defense
- Pull AVS/CVV results --> Document match status
- Gather delivery proof --> Tracking, signature, address match
- Check for prior undisputed transactions --> Same device/email/IP?
- Respond within 20 days --> Representment Workflow
Prevent future F29 chargebacks:
- Implement 3D Secure / SafeKey for liability shift
- Set up dispute alerts to refund before chargeback
- Configure fraud detection to catch unauthorized use early
See Also
- 3D Secure Implementation - SafeKey setup and configuration
- Compelling Evidence Guide - Evidence requirements
- Friendly Fraud - First-party abuse patterns
- Third-Party Fraud - True unauthorized fraud
- Account Takeover - ATO defense
- Device Fingerprinting - Proving cardholder involvement
- AVS & CVV - Address and security code verification
- Velocity Rules - Fraud pattern detection
- Risk Scoring - Pre-transaction screening
- Chargeback Alerts - Deflect before filing
- Amex Reason Codes - All Amex codes
- Visa 10.4 - CNP Fraud - Visa equivalent
- Mastercard 4837 - Fraud - Mastercard equivalent