A credit card transaction between two people at a café type shop.

How address verification services (AVS) make credit card transactions more secure

Friday, January 03, 2014

Preventing credit card fraud at your small business

As a business owner, you know that one of the biggest threats to your business is fraud, and more specifically, credit card fraud. That’s because when someone uses a fraudulent credit card at your business, it can put you at a loss of both the goods you sell and the money you believe you’ve made on the fraudulent transaction. So how can you protect your business from credit card fraud in ecommerce transactions? One of the most common tools to fight fraud is the Address Verification Service (AVS). So, in this article, we’ll take a closer look at what AVS means, how it works, and how you can increase protection at your business. To start, let’s define AVS.

What is the Address Verification Service?

At its base level, the AVS seems pretty straightforward. AVS is an authentication and fraud-prevention tool. It works by verifying that the billing address a customer gives at checkout is the same address as the cardholder's billing address on record at the issuing bank. An AVS check occurs as part of a merchant’s request for authorization of a credit card transaction – mostly in card-not-present (CNP) transactions. So, if you take credit card orders online, over the phone, or even mail-in orders, you’ll want to confirm the identity of the cardholder.

During the AVS process, a credit card processor sends a response code back to the merchant which indicates the level of address matching. This code helps to authenticate ownership of a particular card. AVS response codes are single-letter codes. Based on the code, a merchant can decide if the next step is transaction approval, exception, or decline.

AVS is one of the most common methods to help prevent CNP fraud, but it’s not a foolproof system. Sometimes, there are legitimate reasons that a cardholder’s billing address and the billing address on file with the bank may not match. These reasons include a recent residential move by the cardholder or perhaps an incorrect address on file to begin with.

Now that you have a basic understanding of AVS, let’s take a closer look at the steps in the process.

How does AVS work?

To fully understand the AVS process, let’s look at the basic process via an ecommerce transaction. Generally speaking, there are a few steps in the process that happen after a customer enters their credit card information into your ecommerce website. Let’s take a look at these steps.

For this example, you’re the owner of an online t-shirt company, Bree’s Tees. A customer, Frank, enters his credit card information into your ecommerce site, including his billing address. The data then goes to your payment gateway. Here’s what happens next:

  • The payment gateway on Bree’s Tees transmits this address to the credit card company (Visa, Mastercard, Discover, or American Express)
  • The credit card brand then sends this information to Frank’s card issuing bank – let’s say Wells Fargo. The card issuer compares this address information with the address they have on file for Frank.
  • The issuer (Wells Fargo) then sends an authorization status and associated AVS response code to your payment gateway.

Once this information is processed and if the billing addresses match, the transaction is completed. You can also set up accept/decline parameters to automatically decline the transaction if certain codes are returned or if there’s a mismatch. So, how does this help prevent credit card fraud? Let’s look at a few examples in the next section.

How does AVS help prevent fraud?

As we’ve seen, AVS is a valuable tool to help your business prevent credit card fraud. While it’s not foolproof, it can help in certain instances. Here are a couple of situations where AVS may help:

  1. In the first example, Bob has his credit card information stolen because of a cyber hacker. While this hacker may have Bob’s full name and credit card information, they didn’t get his billing address. Therefore, if the cyber criminal tries to input the credit card information to make a fraudulent purchase, an AVS system can flag and decline the transaction.
  2. In the second example, Hannah accidentally leaves her credit card on a counter at a store. Someone steals the credit card and attempts to go online to make fraudulent purchases. While they have the credit card in hand with her name, credit card information, and security code, the thief doesn’t have Hannah’s address. So while they may be able to get away with making fraudulent purchases in person with the card in hand, an AVS can decline the card if the thief tries to make a purchase without the billing information.

As you can see, the AVS is just one layer of security, but it can be a valuable level of protection to help your business prevent fraudulent transactions.

What are the AVS response codes?

As a merchant, you may wonder what each AVS response code means. It can vary between credit card brands, so here’s a general overview of the most common response codes and what they mean for each credit card brand.

Code

Visa

MasterCard

Discover

American Express

Y

Address & 5-digit or 9-digit ZIP match

Address & 5-digit ZIP match

Address only matches

Address & ZIP match

A

Address matches, ZIP does not

Address matches, ZIP does not

Address & 5-digit ZIP match

Address only matches

R

System unavailable, retry

System unavailable, retry

Not applicable

System unavailable, retry

U

Information not available

Information not available

System unavailable, retry

Information not available

Z

Either 5-digit or 9-digit ZIP match, address does not

5-digit ZIP matches, address does not

5-digit ZIP matches, address does not

ZIP code only matches

N

Neither ZIP nor address match

Neither ZIP nor address match

Neither ZIP nor address match

Neither ZIP nor address match


Based on your business’s structure, you can set rules with your payment gateway in order to accept or reject transactions. This rules engine can help you define custom rules to specify which AVS codes are accepted and which AVS codes should trigger either an additional confirmation or force a decline. It’s important to note that there’s a fine line between being too aggressive and not being aggressive enough. Therefore, it’s a good idea to consult with your payment processing partner to decide what your parameters should be.

What are some of the challenges of AVS?

When it comes to AVS, it’s important to note that it doesn’t come without challenges. There are issues with AVS that can allow fraudsters to still stay ahead of the service. Here are a few of the challenges of AVS:

  • If a fraudster has access to a stolen card number and also has access to the customer’s name and address, there’s not much AVS can do to stop the fraud. While AVS can tell if the purchaser knows the card’s correct billing address, it can’t guarantee that the purchaser is the actual cardholder.
  • Because AVS relies on matching largely numeric data together, scammers can get around AVS if they have the house number and zip code correct. This means they don’t need to know the exact, full address.
  • Currently, AVS operates in the United States, the United Kingdom, and Canada. However, in the global economy, customers can order from anywhere in the world. That makes it difficult to protect your business if AVS is your only safeguard. That’s why it’s important to make sure you have a multi-layer security approach. You’ll also want to make sure that your payment gateway can support these international payments and transactions.
  • False declines are another challenge with AVS. While AVS can help you prevent fraudulent transactions, it could also prevent you from accepting legitimate transactions due to faulty customer information. This can eat into your financial bottom line, especially if it becomes a recurring issue.

Again, AVS can be a powerful tool for helping to prevent fraud. But it doesn’t come without considerations.

What other steps can you take to prevent fraud?

When it comes to fraud protection at your business, AVS is just one of the many systems you should look to incorporate. In addition to AVS, your business should also seek to use CVV/CVC validation codes (the 3 or 4 digit security codes on the back of credit cards), IP address verification, PCI compliance, and tokenization. These methods can help protect the security of the card data and help your business.

In this article, we’ve discussed AVS – what they are, how they work, and their limitations. After reading this article, hopefully you see the value of implementing AVS at your business, especially if ecommerce and other CNP transactions are a large part of your business. These practices can help make your business more secure and encounter fewer chargebacks. That’s good for your customers and your bottom line.


Ready to work with a payment processor who can help you prevent card-not-present fraud?

Heartland is the point of sale, payments and payroll solution of choice for entrepreneurs that need human-centered technology to sell more, keep customers coming back and spend less time in the back office. Nearly 1,000,000 businesses trust us to guide them through market changes and technology challenges, so they can stay competitive and focus on building remarkable businesses instead of managing the daily grind. Learn more at heartland.us.