We place an order on Amazon, click on “Buy now,” and the payment goes through without any security code being requested by the bank. No SMS, no notification on the banking app. The first time, we wonder if the transaction is really secure. This behavior, far from being a bug, relies on a specific mechanism governed by European regulations and Amazon’s technical choices.
DSP2 Exemptions: The Regulatory Framework that Allows Amazon to Bypass the Code
The European DSP2 directive generally requires strong customer authentication (SCA) for online payments. Two out of three factors must be validated: something we know (password, code), something we possess (phone, card), or something we are (fingerprint).
Read also : Why the Refurbished iPhone 13 Appeals for Its Ecological and Economic Impact
The same directive provides for cases where this verification can be bypassed. We refer to regulatory exemptions, and Amazon methodically exploits them to streamline the purchasing process. Several situations allow for this exemption:
- Low-value transactions, below a threshold defined by regulations, do not automatically trigger strong authentication.
- “Merchant whitelisting” allows the customer to declare Amazon as a trusted merchant with their bank, which removes the verification for subsequent purchases.
- Real-time risk analysis (Transaction Risk Analysis) allows the card issuer or payment provider to assess the level of risk and grant an exemption if the fraud rate remains below the regulatory thresholds set by the EBA.
This helps us understand why two-factor authentication on Amazon does not trigger with every order. The system relies on a trade-off between security and fluidity, governed by law.
Further reading : mastering online salary calculation for greater accuracy
Internal Fraud Detection at Amazon: What Replaces Your Bank’s SMS
If Amazon can afford not to trigger bank verification, it’s because the platform has developed its own detection mechanisms. The principle is simple: instead of asking for a code with every purchase, Amazon analyzes account behavior in real time.
The system evaluates several signals before validating a payment. The IP address used, the device (computer, phone), order history, delivery address, transaction amount. When the risk profile is deemed low, the order goes through without friction.
Conversely, a purchase from a new device, to an address never used, with an unusual amount, will trigger a verification. One might receive an SMS, a request for confirmation via email, or a notification in the banking app. The trigger depends on the estimated risk level, not just the amount.
This model has a direct consequence on the shopping experience. Amazon optimizes conversion by reducing the number of validation steps. Less friction means fewer cart abandonments, which represents a major commercial lever for the platform.
Fraud and Exemptions: The Risk Shifts, Not the Security
Strong authentication has significantly reduced fraud on online payments subject to SCA since its full deployment. Reports from European supervisors confirm this trend. However, attempts at fraud do not disappear.
They shift towards transactions that benefit from exemptions: low-value payments, one-click purchases, trusted merchants. Fraudsters target streamlined processes, those where no code is requested. This is a mechanical effect of the regulation.
Amazon’s Bet on Fluidity
Amazon invests in internal detection to offset this risk. The goal is to maintain a sufficiently low fraud rate to continue benefiting from DSP2 exemptions. If the fraud rate exceeds the thresholds set by the EBA, the issuing bank may refuse the exemption and require strong authentication systematically.
The balance is therefore fragile. Amazon must maintain a low fraud rate to keep its regulatory exemptions. It’s a cycle: the better the internal detection, the less the bank imposes verifications, and the smoother the purchasing process remains.
Bank Verification Refused on Amazon: What to Do Practically
Sometimes the verification triggers and fails. The purchase is blocked, the order does not go through. Several causes are possible, and the feedback varies on this point depending on the banks and account configurations.
- The phone number associated with the credit card is no longer up to date with the bank, preventing the receipt of the SMS code.
- The banking app used to validate the payment is not activated or not updated on the phone.
- The card registered on Amazon has expired or has been replaced without the Amazon account being updated.
- The online payment limit of the card has been reached, or the card does not allow international transactions.
The most effective reflex is to first check the security settings with the bank. Updating the phone number with the bank resolves the majority of blocks related to receiving the validation code.
On the Amazon Side
On the Amazon account, one can also delete and then re-register the payment method. This action forces a new verification of the card and resets the data transmitted to the bank during the next purchase.
The systematic absence of two-factor authentication on Amazon is neither an oversight nor a flaw. It is the result of a European regulatory framework that provides for exemptions, combined with a fraud detection system specific to the platform. Payment security relies on the entire chain, from the issuing bank to Amazon’s algorithms, and not just on a code received via SMS.