Address verification service improves online payment security
WORLDPAY EDITORIAL TEAM
July 24, 2019
Every American merchant who has accepted a credit or debit card over the past few years should be well aware of the shift to EMV chip cards that took place in October 2015. Now when customers make an in-store purchase, they most likely insert cards into a POS terminal, rather than swipe in a magnetic stripe reader.
While that change has helped to protect card present purchases, card not present fraud in the US is on the rise. That means online purchases are more vulnerable today than ever before. And it just so happens that the US leads eCommerce worldwide with 77% of US merchants selling online.
So, how can eCommerce merchants reduce the risk of credit card fraud for their customers and their businesses? A comprehensive fraud and chargeback prevention system should include using the Address Verification Service (also known as Address Verification System).
AVS and CVV: How do they help reduce credit card fraud?
Customers might feel like they’re getting the third degree when it comes to making a purchase online, with more and more merchants requiring the credit card number, name on the card, Card Verification Value (CVV) code and, on top of that, zip code and/or full address. However, this extra information is for the sake of customers and merchants alike, because address verification can help to validate a credit card purchase.
When a card is not present, a verified address helps to increase the chances that the customer is the actual cardholder. In fact, AVS helps add an extra layer of security.
- Card Verification Value (CVV or CVV2) are the last three numbers on the back of a credit card or debit card.
- AVS is a numeric address verification system that matches customer information with the information on file with the card issuer.
Address Verification: Three examples of how it helps––or doesn’t
- Say, for instance, a cyber thief has stolen Jake’s credit card information by some means, such as hacking into a company’s data. That thief may have obtained Jake’s full name, his credit card number, and possibly even a CVV code. But the criminal probably does not have the address linked to Jake’s credit card account. Only the true cardholder would have that information. Without an address, a merchant can choose to not authorize a purchase with that card.
- Let’s say another customer, Angela, has forgotten her credit card on the checkout counter of a store, and someone picks up her card with the intent to try and use it for an online, card-not-present purchase. That thief now has an actual card with a CVV code on back, but not an address. Again, if the online merchant requires address verification for a credit card transaction, it will prevent a fraudulent purchase and most likely a chargeback.
- In this unfortunate instance, Sam dropped his wallet which held all of his credit cards, as well as his driver’s license. A not-so-innocent bystander picks it up and goes online to buy a new TV. The merchant requires the CVV code, plus address verification, both of which the thief has with the credit cards and driver’s license in hand. There’s not much a merchant can do to prevent a fraudulent purchase in this case, but he can more likely win a chargeback dispute because he did use the AVS system.
Ultimately, while AVS is not a perfect system, is does add a valuable, extra layer of security, particularly for card-not-present online purchases, one that protects both merchants and consumers. For that reason, online merchants are wise to use AVS as an extra security measure, and it’s worth the extra few seconds it takes to verify every customer’s address for online purchases.
How AVS works: it’s all in the numbers
AVS verifies the numeric portion of a cardholder’s address. For instance, if John Smith’s is making a purchase and plugs in his address as 1304 Main Street, Anytown, Illinois, 60473, the AVS will compare the numbers 1304 and/or 60473 with the address on file with the card issuer. The merchant is notified as to whether the numbers match or not, helping the merchant to make the wisest decision possible about authorizing a transaction.
AVS is one of the most widely used forms of fraud prevention for card-not-present purchases. Card associations or brands (for example, Mastercard, Visa, American Express) determine the rules and circumstances for banks and merchants when it comes to fraud and chargeback disputes. The associations favor merchants who use AVS, and a merchant is better protected when fraud disputes arise––and they will.
When a merchant makes sure to use AVS and receives a “full match” response, meaning the street address number and zip code the customer uses matches the numbers of the card issuer, it greatly reduces (but doesn’t eliminate) the merchant’s risk of a chargeback.
Without a positive AVS response, card-not-present merchants have fewer dispute rights. In addition, due to the extra security, merchants who process VISA transactions using AVS are given incentives such as better interchange rates and fees than those who do not.
Common AVS response codes and what they mean to a merchant
When a merchant requests an AVS check on a transaction, the service automatically responds with a code that signifies how well the customer numbers entered match up with the address in the card issuer’s files. The resulting AVS code could be anywhere from a full match to a partial match to no match. And, based on that info, the merchant can make the decision whether to approve the purchase or decline it.
Following are some common AVS response codes, according to JPMorgan Chase, and how they relate to particular credit card associations:
|Y||Address & 5-digit or 9-digit ZIP match||Address & 5-digit ZIP match||Address only matches||Address & ZIP match|
|A||Address matches, ZIP does not||Address matches, ZIP does not||Address & 5-digit ZIP match||Address only matches|
|R||System unavailable, retry||System unavailable, retry||Not applicable||System unavailable, retry|
|U||Information not available||Information not available||System unavailable, retry||Information not available|
|Z||Either 5-digit or 9-digit ZIP match, address does not||5-digit ZIP matches, address does not||5-digit ZIP matches, address does not||ZIP code only matches|
|N||Neither ZIP nor address match||Neither ZIP nor address match||Neither ZIP nor address match||Neither ZIP nor address match|
How a merchant should use AVS
AVS applies to payments using VISA, Mastercard, American Express, and Discover cards. A merchant using AVS should follow these steps:*
- Ask the customer for the billing address as it appears on his/her monthly statement.
- Submit the required numeric portions of the address with the authorization request.
- Dig a bit deeper into all AVS partial matches. A “partial match” indicates that the billing addressbeing compared has the same ZIP code or the same numeric values in the street address, but not both. A “no match” response indicates that neither part of the billing address matches the card issuer data.
- Evaluate AVS “no match” responses carefully, as they are typically a strong indicator of fraud––but not necessarily. It’s a signal that the merchant should take further steps to authenticate the order.
- A “no match” response does not automatically result in the authorization being declined. Again, a little digging may prove the purchase is valid.
If you suspect fraud, it’s not always the case
Not every “no match” response is fraudulent. The AVS provides information, and the merchant must make the decisions. Often it’s worth the time to follow-up and get more information before declining a purchase.
“Neither ZIP nor address match”
This AVS response is a strong indicator of fraud, but in reality it could be a legitimate purchase. For example, a customer may have recently moved but has not yet notified his bank. You could follow-up by:
- Calling the customer to verify the telephone number, billing address and home address
- Contacting the cardholder’s issuer to determine whether the name, address and telephone number match those in the issuer’s file
- Using directory assistance or internet search tools to contact the individual at the billing address and confirm that he or she initiated the transaction
“AVS Service not supported by issuer”
This is a typical response to an international order, which AVS data does not support. One solution might be to fax a credit card slip to the consumer, requesting a faxed signature to verify the order, or to ask for a scanned signature by email. This may not be the most cost-effective means for all international orders, so a dollar threshold could be established to determine what level of risk you’re willing to accept.
What’s involved on the AVS side of authentication
When your customer enters an address during checkout and clicks Submit, the following happens:
1. Your payment gateway transmits the numeric address data to the customer’s credit card brand (Visa, Mastercard, Discover or American Express)
2. The credit card brand then sends this information to the issuer
3. The issuer compares the address numbers with the numbers stored on file
4. The issuer then sends an authorization status and associated AVS response code to your payment gateway
This process takes only a few seconds and is invisible to your customers.
AVS is just one layer in a multi-layered fraud protection system
The more fraud protection layers, of course, the better. And AVS authentication is one part of a multilayered fraud protection system to help ensure that valid transactions are approved, and those deemed suspicious are declined. AVS is not a guaranteed fraud prevention solution. Your payment gateway or payment processor should have other fraud protection layers in place, including PCI compliance and tokenization.
It’s best to discuss data security measures with your payment processor, card association, merchant account and bank. In the end, online merchants accepting card-not-present payments are vulnerable. Being extra cautious and discerning will better protect your customers and your business.