
You place an order on Amazon, you confirm the payment, and at no point are you asked for the three digits on the back of your card. On most other merchant sites, this code (the visual cryptogram, or CVV) is systematically required. Amazon operates differently, and this choice is based on specific technical mechanisms.
Tokenization of credit cards: what Amazon really stores
When you register a card on Amazon, the site does not keep your card number as is. It uses a system called EMV tokenization, a standard supported by international payment networks. The principle: your actual number is replaced by a unique digital token, which serves as a reference for future transactions.
This token is reusable. With each new purchase, Amazon transmits this token to the payment network without directly handling your card number or your cryptogram. Visa and Mastercard have implemented specific programs for large merchants eligible for this tokenization. Amazon is one of them.
The cryptogram therefore no longer has a role to play after the initial registration. It may have been requested only once, when adding the card, to verify that you were indeed the cardholder. After that, the token takes over. If you are wondering why Amazon does not ask for 3D Secure for every order, this mechanism largely explains it.
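The flow described above, as an added example that is not Amazon's code or any payment network's API: a toy token service and merchant, showing that the cryptogram is checked once at enrollment and that the merchant's stored record holds only a token and display digits. The class names, the `tok_` format and the card values are constructed for illustration.

```python
import secrets

PAN, CVV = "4111111111111111", "123"   # constructed test values, not a real card

class TokenService:
    """Toy model of the network-side token service (hypothetical, not a real API)."""
    def __init__(self, issuer_cards):
        self._issuer_cards = issuer_cards   # pan -> cvv, known on the issuer side only
        self._vault = {}                    # token -> pan, never leaves this service

    def enroll(self, pan, cvv):
        # The cryptogram is checked once, at enrollment, and then discarded.
        if self._issuer_cards.get(pan) != cvv:
            raise ValueError("cardholder verification failed")
        token = "tok_" + secrets.token_hex(8)
        self._vault[token] = pan
        return token

    def authorize(self, token, amount_cents):
        pan = self._vault.get(token)
        if pan is None:
            return {"approved": False, "reason": "unknown token"}
        # The token is mapped back to the card here, not at the merchant.
        return {"approved": True, "last4": pan[-4:], "amount_cents": amount_cents}

class Merchant:
    """What the merchant keeps on file: a token and display digits, nothing else."""
    def __init__(self, service):
        self.service = service
        self.cards_on_file = {}             # customer -> {"token", "last4"}

    def add_card(self, customer, pan, cvv):
        token = self.service.enroll(pan, cvv)   # pan and cvv pass through unsaved
        self.cards_on_file[customer] = {"token": token, "last4": pan[-4:]}

    def checkout(self, customer, amount_cents):
        # Repeat purchase: only the token is sent, so no cryptogram prompt is needed.
        token = self.cards_on_file[customer]["token"]
        return self.service.authorize(token, amount_cents)

def demo():
    shop = Merchant(TokenService({PAN: CVV}))
    shop.add_card("alice", PAN, CVV)
    first, second = shop.checkout("alice", 2599), shop.checkout("alice", 1200)
    record = shop.cards_on_file["alice"]
    leaked = any(value in (PAN, CVV) for value in record.values())
    return first, second, leaked
```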

Strong authentication and DSP2: the role of your bank
You may have noticed that Amazon sometimes redirects you to your bank’s app to validate a purchase. This is not a coincidence. Since the implementation of the European DSP2 directive (the second Payment Services Directive, known in English as PSD2), strong authentication is mandatory for online payments in Europe.
Strong authentication relies on two factors from three possible categories:
- Something you know (a secret code, a password)
- Something you possess (your phone, a physical card)
- Something you are (fingerprint, facial recognition)
The three-digit cryptogram does not fit robustly into any of these categories. It is a static code, printed on the card, easy to copy. DSP2 has pushed banks to develop more reliable validations: notifications on the banking app, temporary SMS codes, biometrics.
Your bank triggers this verification, not Amazon. The merchant transmits the transaction data, and the issuing bank decides the level of authentication required. Amazon can therefore do without the cryptogram because security relies on another link in the chain.
Exemptions to strong authentication: why some purchases go through without validation
You have probably noticed that not all your Amazon purchases trigger a bank verification. Some orders go through directly, without SMS codes or notifications. DSP2 provides exemptions to streamline the purchasing process.
Cases where strong authentication can be bypassed:
- Low-value transactions (below a threshold defined by the bank)
- Recurring payments to the same merchant identified as “trustworthy”
- Transactions deemed low risk by the bank or payment provider’s analysis
Amazon has a very low fraud rate on its transactions. This low fraud rate allows it to benefit from broader exemptions from payment networks. When a merchant demonstrates a solid security history, banks agree to validate more transactions without additional authentication.
The cryptogram then becomes doubly unnecessary: the token replaces the card number, and the DSP2 exemption dispenses with traditional bank verification.
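The two-factor rule and the exemptions above, combined into one issuer-side decision as an added example (not code from any bank or from Amazon). The thresholds, the risk score scale, the merchant names and the factor labels are constructed assumptions; real values are set by the bank.

```python
from dataclasses import dataclass

# Factor categories from the list above. The printed cryptogram ("cvv") is
# deliberately absent: a static code on the card counts toward no category.
FACTOR_CATEGORY = {
    "password": "knowledge", "pin": "knowledge",
    "phone_push": "possession", "sms_otp": "possession",
    "fingerprint": "inherence", "face": "inherence",
}

@dataclass
class Policy:                      # constructed values, chosen by the bank in practice
    low_value_cents: int = 3000
    max_risk_score: float = 0.2
    trusted_merchants: frozenset = frozenset({"merchant-A"})

@dataclass
class Txn:
    merchant: str
    amount_cents: int
    risk_score: float              # 0.0 (safe) to 1.0 (risky), from the bank's analysis
    recurring: bool = False

def exemption(txn, policy):
    """Return the name of the exemption that applies, or None."""
    if txn.amount_cents < policy.low_value_cents:
        return "low_value"
    if txn.recurring and txn.merchant in policy.trusted_merchants:
        return "trusted_recurring"
    if txn.risk_score <= policy.max_risk_score:
        return "low_risk"
    return None

def is_strong(factors):
    """True only if the presented factors cover two different categories."""
    categories = {FACTOR_CATEGORY[f] for f in factors if f in FACTOR_CATEGORY}
    return len(categories) >= 2

def issuer_decision(txn, policy, factors=()):
    """The bank, not the merchant, decides: exempt, accept the factors, or challenge."""
    reason = exemption(txn, policy)
    if reason:
        return ("approve", reason)
    if is_strong(factors):
        return ("approve", "sca_passed")
    return ("challenge", "sca_required")
```

A password plus a PIN is still a challenge here, because both fall in the same category, and adding the cryptogram to a password changes nothing.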

Amazon payment security without a cryptogram: the limits to know
This system is generally reliable, but it shifts the responsibility. If someone gains access to your Amazon account (compromised password, session open on a shared device), they can place orders without ever needing your physical card. Protecting your Amazon account becomes the real security lock.
Enabling two-step verification on your Amazon account is the most effective measure. Without it, a stolen password is enough to order with your saved cards, since neither the full number nor the cryptogram will be requested again.
What you can do concretely
Check that two-factor authentication is active in your account’s login settings. Remove cards that you no longer use. Regularly check the list of devices connected to your Amazon account to spot any unknown sessions.
The cryptogram was never designed as a strong barrier. It is a static code, visible to anyone holding the card. Tokenization and bank authentication via DSP2 offer a higher level of protection, provided that access to your account remains secure on your end.
Amazon has chosen fluidity by relying on payment technologies that render the cryptogram obsolete in the context of recurring transactions. This is not an oversight or a shortcut in security: it is an architecture where each actor (merchant, card network, bank) plays a distinct role. The security of your password remains the only element that you alone can guarantee.