2-factor auth is typically mandatory when using a chip and PIN card to buy things online. Rather than physically entering the PIN on a keypad, you're doing something through a flow using your user account with the bank. So not only would the random retailer need to be compromised, but the bank would have to be as well.