When making a purchase on Amazon, the SMS code validation or bank notification does not trigger for every transaction. This behavior regularly surprises cardholders in France, who are accustomed to strong authentication on most merchant sites. The absence of 3D Secure on Amazon relies on specific mechanisms, framed by European regulations, and now amplified by the exemption strategies of the banks themselves.
3D Secure Exemptions: What the DSP2 Directive Actually Allows
The European Payment Services Directive (DSP2) mandates strong authentication for online payments. It also provides a series of exemptions that allow bypassing this step without violating the law.
See also : How many French people own the Visa Infinite card and what does it offer them?
Amazon primarily exploits two of these exemptions. The first concerns transactions deemed low risk by the card issuer or acquirer. The second pertains to recurring payments or trusted beneficiaries registered by the cardholder with their bank.
| Type of DSP2 Exemption | Trigger | Applicable at Amazon |
|---|---|---|
| Real-time risk analysis (TRA) | Low fraud score calculated by the bank or provider | Yes, on the majority of orders |
| Trusted beneficiary | The customer has added the merchant to their bank whitelist | Yes, if the bank offers it |
| Recurring payment | Amount and merchant identical to a previous transaction | Yes, for subscriptions (Prime, etc.) |
| Small amount | Transaction under 30 euros | Partially, depending on the issuing bank |
To understand in detail why Amazon does not request 3D Secure, one must consider that the platform has an internal risk assessment system robust enough for payment providers to agree to waive the verification.
Related reading : Discover the authentic recipe for Réunionese cheese samosas step by step
Amazon Risk Analysis: A Scoring System that Replaces Bank Authentication
Amazon does not merely benefit from regulatory exemptions. The platform has built its own fraud detection engine, powered by behavioral data accumulated over the years.
Each order is evaluated in a matter of milliseconds. The system cross-references the IP address, the account’s purchase history, the device used, the delivery address, and the registered payment method. When the risk score remains low, Amazon requests a 3D Secure exemption from the issuing bank, which can either accept or decline it.
This mechanism has a direct effect on the conversion rate. The strong authentication step causes cart abandonment, especially when the SMS is delayed or the banking app malfunctions. By removing this friction on low-risk orders, Amazon significantly reduces payment abandonment.
- The delivery address matches one previously used for orders: the risk is considered low.
- A new device connects to the account from an unusual country: 3D Secure is triggered.
- The amount exceeds a threshold defined by the issuing bank: strong authentication becomes mandatory again.
Financial responsibility in case of fraud shifts to Amazon when the platform requests an exemption. If the transaction turns out to be fraudulent, it is the merchant, not the bank, who bears the cost of the refund. This transfer of responsibility explains why banks easily accept these exemption requests.
French Banks and Low-Risk Merchant APIs: A Trend Accelerating in 2026
The phenomenon now extends beyond Amazon’s initiative. Several French banks are developing or adopting so-called “low-risk merchant” APIs that automate the granting of 3DS exemptions for merchants with a very low fraud history.
The principle is simple: instead of evaluating each transaction individually, the bank assigns a low-risk merchant status to platforms like Amazon. This status allows bypassing the default strong authentication, unless a specific alert signal is detected.
This approach raises a consistency issue at the European level. The DSP2 was designed to harmonize payment security across the Union. However, each national bank applies its own risk thresholds and exemption criteria. A merchant classified as “low-risk” by a French bank may not receive the same treatment from a German or Dutch bank.
Fragmentation of Pan-European Security
Exemption thresholds vary from country to country, creating disparities in the level of protection offered to consumers. A French cardholder used to purchasing without authentication on Amazon might face a blockage when using a card issued in another EU country.
This fragmentation is not trivial. Fraudsters identify weak links and concentrate their attempts on circuits where authentication is least demanding. Low-risk merchant APIs, if not governed by common standards, risk shifting fraud rather than reducing it.
Bank Card Refused on Amazon: Cases Where 3D Secure Triggers Anyway
The absence of strong authentication is not systematic. Certain situations trigger 3D Secure even on Amazon, and payment may fail if the verification does not complete correctly.
- First use of a bank card on the account: the issuing bank requires initial authentication.
- Change of delivery address to a country different from the card’s country.
- Unusually high amount compared to the account’s history.
- Card issued by a bank that grants no exemptions, regardless of the platform.
In case of blockage, the most straightforward solution is to check that the banking app is up to date and that the phone number associated with the bank account is correct. A verification SMS sent to an old number is the primary cause of payment failure during an online purchase with 3D Secure.
Amazon’s model illustrates a constant trade-off between purchase fluidity and payment security. The platform absorbs the financial risk of fraud to eliminate friction, while French banks support this logic by expanding exemptions. The consumer benefits from speed, but protection now relies on proprietary algorithms rather than universal bank verification.