Why doesn’t Amazon ask for the security code, and why is there no 3D Secure?

You register your credit card on Amazon, confirm an order, and the payment goes through without having to re-enter the security code or confirm anything on your bank’s app. The first time, it’s surprising.

On most e-commerce sites, the process requires entering the three digits on the back of the card, then validating via an SMS code or a bank notification. Amazon bypasses these two visible steps, which raises legitimate questions about the security of the transaction.

Why Amazon doesn’t ask for the security code with every purchase

When you add a card to your Amazon account, the security code (CVV or CVC) is requested only once, during registration. After that, Amazon relies on other elements to verify the legitimacy of the payment: billing address, consistency of card data, and account history.

In practice, the system does not store the security code (PCI DSS standards prohibit this), but it no longer needs it for subsequent purchases. Amazon transmits a sufficient set of data to the issuing bank so that it authorizes the transaction without requiring the CVV again.

Other players that tokenize the card work the same way: the actual number is replaced by a unique token, and it is this token that circulates with each payment. To better understand the absence of 3D Secure on Amazon, one must look at how responsibility is shared between the merchant and the bank, not just at the user interface.

Strong authentication and 3D Secure: what happens in the background

The European PSD2 directive requires strong authentication for online payments. In practice, this involves the 3D Secure protocol, which triggers an additional verification (notification on the banking app, SMS code, biometrics).

However, Amazon seems to escape this step. In reality, the absence of visible 3D Secure does not mean the absence of authentication. Several mechanisms can explain why a payment goes through without customer intervention:

  • The issuing bank may grant an exemption if it considers the risk low, based on its own analysis engine (modest amount, card history, usual behavior of the cardholder).
  • The merchant can request an exemption based on transaction risk analysis (TRA), provided that its fraud rate remains below a regulatory threshold.
  • Some cards are not enrolled in the 3D Secure system, which means that verification cannot technically be triggered, even if the merchant configures it as mandatory.

IXOPAY’s technical documentation confirms this point: a payment configured as 3DS “mandatory” can still go through as unauthenticated if the card is not enrolled. 3D Secure is not a binary switch.
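
The three paths above can be read as a decision order. The sketch below is an added example, not Amazon's, IXOPAY's or any bank's logic: the `Payment` fields and the `decide` function are hypothetical, and the amount bands and reference fraud rates are those of the PSD2 regulatory technical standards for remote card payments.

```python
from dataclasses import dataclass
from decimal import Decimal

# Reference fraud rates for remote card payments, PSD2 RTS
# (Delegated Regulation (EU) 2018/389, Annex): (max amount EUR, max fraud rate %).
TRA_BANDS = [
    (Decimal("100"), Decimal("0.13")),
    (Decimal("250"), Decimal("0.06")),
    (Decimal("500"), Decimal("0.01")),
]

@dataclass
class Payment:  # hypothetical model, all fields are assumptions for illustration
    amount_eur: Decimal
    card_enrolled_3ds: bool      # card is enrolled in 3D Secure by its issuer
    merchant_requests_tra: bool  # merchant side asks for the TRA exemption
    fraud_rate_pct: Decimal      # simplified: the RTS measures this per payment provider
    issuer_low_risk: bool        # verdict of the issuer's own risk engine

def tra_allowed(amount: Decimal, fraud_rate_pct: Decimal) -> bool:
    """True if the amount's band has a reference fraud rate that is met."""
    for max_amount, max_rate in TRA_BANDS:
        if amount <= max_amount:
            return fraud_rate_pct <= max_rate
    return False  # above EUR 500 the TRA exemption is not available

def decide(p: Payment) -> tuple:
    """Return (outcome, reason); the issuer's right to refuse an exemption is not modelled."""
    if not p.card_enrolled_3ds:
        # Even a "mandatory" 3DS setting cannot trigger a check on such a card.
        return ("unauthenticated", "card not enrolled in 3D Secure")
    if p.merchant_requests_tra and tra_allowed(p.amount_eur, p.fraud_rate_pct):
        return ("frictionless", "merchant TRA exemption")
    if p.issuer_low_risk:
        return ("frictionless", "issuer low-risk exemption")
    return ("challenge", "strong authentication required")

if __name__ == "__main__":
    # Constructed sample payments, not real transaction data.
    samples = [
        Payment(Decimal("80"), True, True, Decimal("0.10"), False),
        Payment(Decimal("200"), True, True, Decimal("0.10"), False),
        Payment(Decimal("200"), True, False, Decimal("0.10"), True),
        Payment(Decimal("600"), False, True, Decimal("0.005"), False),
    ]
    for s in samples:
        print(s.amount_eur, decide(s))
```

The second sample shows why the fraud rate matters: the same merchant-side rate that exempts an 80 EUR order is too high for a 200 EUR one, so the customer is challenged.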

Amazon’s fraud rate: why the bank accepts the risk

For a merchant to regularly obtain exemptions from strong authentication, its fraud rate must remain very low. Amazon invests heavily in real-time detection of suspicious behaviors. Each order is scrutinized by a risk engine that cross-references dozens of signals: device used, IP address, purchase history, delivery address, browsing speed.

This system allows Amazon to take on financial responsibility in the event of fraud (liability shifts to the merchant when there is no 3D Secure). Amazon accepts this transfer of responsibility because its algorithms filter out almost all fraudulent transactions before they are completed.

For the issuing bank, it’s a simple calculation: if Amazon assumes the loss in case of fraud and reports remain rare, there is no reason to block the transaction with additional authentication.

Amazon customer account security: protection shifts

Amazon has chosen to shift a significant part of the security to account access itself, rather than to each individual transaction. The platform offers two-factor authentication (2FA) on the customer account: password plus a temporary code via an app or SMS.

This architectural choice makes practical sense. A fraudster who does not have access to the Amazon account cannot exploit the registered card, even if they know the number and the security code. The barrier is upstream, not at the time of payment.

Other players adopt a similar approach. Revolut, for example, now offers credit cards with no visible number printed on them, based on the principle that sensitive data should no longer be physically exposed. The general trend in the industry is to reduce the attack surface rather than to multiply validation steps on the user side.

What to do if an Amazon payment goes through without bank verification

A payment validated without 3D Secure and without a security code does not mean that the transaction is vulnerable. Responses vary on this point depending on the banks and card configurations, but in the majority of cases, the combination of Amazon’s risk engine and regulatory exemptions covers the situation.

Some concrete reflexes to enhance your own security:

  • Enable two-factor authentication on your Amazon account (account settings, “Login and security” section).
  • Check that payment notifications are activated on the bank side, to immediately spot any unrecognized transaction.
  • Never save your card on a shared device, or over a public Wi-Fi network without a VPN.
  • Regularly check your order history and the devices connected to your account.

Amazon’s model relies on a calculated trade-off: less friction at payment, more control behind the scenes. As long as the fraud rate remains managed and financial responsibility is assumed by the merchant, banks have no interest in systematically imposing strong authentication. This way of operating is neither an oversight nor a flaw; it is a security architecture that places its locks elsewhere than where one would expect them.
