During authorization for an online credit or debit card transaction, the payment processor checks several key pieces of information: whether adequate funds are available to complete the purchase; if the billing address information provided matches the data on file at the bank; and whether the customer correctly entered the card’s security code.
AVS (Address Verification Service) refers to a response requested from the bank. The merchant’s processor relays the AVS response, which indicates whether the billing address and postal code entered match the bank’s records. In order to receive this response, the merchant must provide the address and postal code to the processor.
Individual processors provide the response in different formats, and payment gateways may further interpret these results into a standardized form. For domestic orders, an AVS response of Y or X indicates that both the billing address and postal code match. A response of Z indicates that only the postal code matches, while a response of A indicates that only the street address matches. An AVS response of N indicates that neither matched. A response of U indicates the bank does not support AVS, an especially common result with prepaid debit cards (as is the case with store-bought gift debit cards).
International cards have different response codes. To further complicate matters, some processors may provide the information differently as well.
The key point to remember is that AVS, if supported, answers two questions: did the billing street address match, and did the billing postal code match?
What to do With the AVS Response
While merchants can use the AVS response in several ways to mitigate fraud, being overly restrictive can drastically and negatively impact sales. The simplest way to put the AVS to work is to establish transaction restrictions based on the AVS response. This restriction might mean that you will only process transactions where both address and postal code match.
Getting a billing address correct is only directly relevant when something is being sent to a physical address.
Keep in mind, however, that sometimes a legitimate customer may mis-enter some or even all of their information. For example, “123 Oak St., Apt 2” and “123 Oak Street, Apartment Two” read as different addresses. Issues may arise if the bank has the numeric apartment number on file but the customer enters the latter. Likewise, customers often neglect to update the bank about new addresses in a timely manner; however, they tend to enter their most up-to-date addresses correctly on a merchant’s website. This discrepancy can result in a partial or total mismatch.
Additionally, entering the correct billing address is only directly relevant with the purchase of a physical good. If a customer orders concert tickets for digital delivery to their email inbox, the AVS code can only determine if the purchaser knows the cardholder’s billing information; it does nothing to verify whether the purchaser is truly the cardholder. Unfortunately, when it comes to shipping addresses, fraudsters are often more accurate than the cardholders themselves.
The AVS response may also provide data related to the billing address. For example, if you investigate whether phone number (555) 555-5555 is associated with 123 Oak Street, and that address receives a Y response, you can be confident that the phone number belongs to the cardholder, in the event that you wanted to call and ask them if they’d purchased concert tickets from your business.
The card verification value (or CVV) is a response provided by the processor that indicates whether or not the purchaser correctly entered a 3- or 4-digit code during online checkout. For Visa, MasterCard and Discover, the code is 3 digits on the back of each card.
For American Express, the code is 4 digits on the front.
Merchants receive a CVV2 response for online orders, a CVV1 for face-to-face transactions. The response can be M (code matched), N (code not matched), or P (code not processed).
What to do With CVV
Leveraging CVV rules risks fewer lost sales than strict AVS restrictions, since cardholders can simply look at their cards. Nonetheless, the best practice is to avoid processing transactions that get an N response.
However, whether or not it is necessary to ask for the code depends on the fraud tolerance of each business.
Here’s when it might make sense NOT to require CVV:
- The product being sold has very high margins
- The business is in hyper growth mode
- The business’s chargeback rate is well below the thresholds of any chargeback monitoring programs
- The transaction is from a trusted user
Some merchants allow customers to save and use payment methods on their sites for future sales. These merchants should ask customers to confirm their CVV on future orders, even though skipping that extra step may seem easier. Without this security measure, anyone able to access that customer’s account can fraudulently use the customer’s credit cards. It makes sense to require re-entry of the card code whenever encountering an unrecognized device or changes to a shipping address.
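The AVS and CVV guidance above can be combined into a single checkout rule. The following is an added example, not code from any processor or gateway: the Order fields, the function names, the "review" and "prompt_cvv" outcomes and the lenient-mode policy are assumptions chosen for illustration, while the response codes are the domestic ones listed in this article.

```python
from dataclasses import dataclass
from typing import Optional

# Domestic AVS codes from the article: code -> (street_match, postal_match).
# None means the issuer does not support AVS (code U), so nothing was checked.
AVS_DOMESTIC = {
    "Y": (True, True), "X": (True, True),
    "Z": (False, True), "A": (True, False),
    "N": (False, False), "U": None,
}

@dataclass
class Order:  # hypothetical shape of the data a merchant has at authorization time
    avs: str                        # AVS code relayed by the processor
    cvv: Optional[str]              # "M", "N", "P", or None if CVV was not collected
    saved_card: bool = False
    recognized_device: bool = True
    shipping_changed: bool = False

def needs_cvv_reentry(order):
    """Saved cards: re-prompt on an unrecognized device or a changed shipping address."""
    return order.saved_card and (not order.recognized_device or order.shipping_changed)

def decide(order, strict_avs=False):
    """Return (action, reason); action is accept, review, decline or prompt_cvv."""
    if order.cvv is None and needs_cvv_reentry(order):
        return "prompt_cvv", "saved card on new device or with new shipping address"
    if order.cvv == "N":
        return "decline", "CVV did not match"
    code = order.avs.strip().upper()
    if code not in AVS_DOMESTIC:
        # International and processor-specific codes need their own mapping.
        return "review", "unrecognized AVS code"
    result = AVS_DOMESTIC[code]
    if result == (True, True):
        return "accept", "street and postal code match"
    if strict_avs:
        # The restrictive rule from the article: only process full matches.
        return "decline", "strict policy requires full AVS match"
    # Lenient mode (assumed policy): a CVV match backs up a weak AVS result.
    if order.cvv != "M":
        return "review", "incomplete AVS result and no CVV match to back it up"
    if result is None:
        return "accept", "AVS unsupported by issuer, CVV matched"
    if any(result):
        return "accept", "partial AVS match, CVV matched"
    return "review", "neither street nor postal code matched"
```

Running the same orders with strict_avs=True and strict_avs=False against historical transactions shows how many legitimate sales the restrictive rule would have turned away.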