Credit Card Processing Blog

It has been quite a while since we have written anything about the Address Verification Service (AVS) and I thought I should offer a refresher course. Also, there is some new information about the service that needs to be shared.

What Is AVS?

AVS is a risk management service provided by the card brands that allows merchants processing card-not-present transactions to verify the billing address provided by their customers by comparing it to the one on file with the card issuer.

At present, AVS is supported in only a few countries, including the U.S., Canada and the United Kingdom.

AVS verifies only the numeric portion of the address. For example, if your address is 10 State Street, Boston MA 02109, AVS will check 10 and 02109. AVS may also check additional digits like an apartment number.

AVS Process

AVS verifications are typically processed together with the transaction authorization requests. The process goes through the following stages:

1. The customer provides her credit card account information at the check-out for payment.
2. The merchant includes the provided billing address into the authorization request, along with the other transaction information. Both requests are routed to the processing bank and from there, to the card brand (Visa, MasterCard, Discover or American Express).
3. The card brand then routes the request on to the card issuer. The issuer matches the received billing address to the one it has on file for its cardholder.
4. The issuer returns both the authorization and the AVS responses to the merchant through the same channel. The AVS response consists of a single-digit code.

The AVS process takes only a few seconds.

AVS Response Codes

AVS response codes differ from one card brand to another. To avoid confusion, some processors may change the originally received code to one that is applicable to all brands. Listed in the table below are the possible response codes you may receive.

Using AVS Response Codes

When deciding on how to proceed with the transaction, you need to take into account the AVS response code. The following general guidelines should apply:

• Exact match (e.g. X, Y, D, M, F). If there are no other causes for suspicion, you will want to proceed with the transaction.
• Partial match (e.g. A, Z, B, P, T, W). You may want to be a bit more careful when the address matches, but the ZIP code does not, or vice versa. It is not a good idea to outright decline such transactions, especially if there are no other causes for suspicion. Rather, look for typical signs of fraudulent transactions, such as larger-than-average orders, orders with overnight delivery; big-ticket items, etc. Try to verify the phone number and contact the cardholder to confirm the order.
• No match (N). If neither the address nor the ZIP code match, you have a strong indicator of fraud, although there is a possibility that the cardholder has moved recently and the issuer has not yet updated the billing information. Call your customer and verify the order. If you cannot reach your customer, do not proceed with the transaction.
• Unavailable or not supported (e.g. U, S, G, I, C). If that is the response you get, you will have to base your processing decision on other factors. Again, do a reverse search for the phone and address and call your customer to confirm the order.

Generally speaking, you would want to use AVS for all of your card-not-present transactions. It is a simple and inexpensive way to verify customer information and there is no reason not to use it that I can think of.

Learn how to lower your card acceptance cost

Learn how to accept credit and debit cards at the lowest processing costs. The Payment Card Acceptance kit contains a video and an e-book:

• Video – Card Acceptance Best Practices for Lowest Processing Costs (18 min).
• E-Book – Payment Card Acceptance Guide (19 pages).

Credit card fraud is much more difficult to prevent when neither the cardholder nor the card are present during the transaction. In a face-to-face setting the merchant can inspect the card to ensure that it is valid and can verify that the cardholder is an authorized user on the account by matching his or her signature on the transaction receipt to the one on the back of the card and request an ID when in doubt. None of these actions can be performed when the payment is submitted online or accepted by phone.

Yet, a combination of best practices and fraud prevention tools can provide card-not-present merchants with strong fraud prevention capabilities. If your business accepts payments online or by phone, you should implement the following safeguards:

• Verify the phone number and transaction information. Prior to shipping your products, call the phone number provided by the customer and verify the transaction information. Criminals may be unable to verify such information, because in their haste to max out the credit line before the fraud is discovered, they often order at random and do not keep records.
• Examine priority shipment requests. Costly priority shipments may indicate a fraudulent transaction, especially if a free shipping option has been ignored. Unlike the rest of us, criminals do not much care about shipping costs.
• Validate orders from repeat customers that differ from the established pattern. If an order from a past customer deviates from the established pattern, contact the customer and validate the transaction.

In addition to implementing the above procedures, you should take advantage of the available fraud prevention tools. Following is a short list of the most prominent among them:

• Address Verification Service (AVS). AVS enables you to compare the billing address (the address to which the card issuer sends its monthly statement for the account) provided by your customer with the billing address on the card issuer’s file before processing a transaction. These addresses should match.
• Card Security Codes. Card Security Codes are the 3-digit numbers located on the back of Visa (CVV2), MasterCard (CVC 2) and Discover (CID) cards, in or around the signature panel, and the 4-digit numbers located on the front of American Express (CID) cards, above the card account number. Card Security Codes help verify that the customer is in a physical possession of a valid card during a card-not-present transaction.
• Verified by Visa and MasterCard SecureCode. These fraud prevention services are offered by the two Credit Card Associations to e-commerce merchants and to online shoppers. MasterCard SecureCode and Verified by Visa enable cardholders to authenticate themselves to their card issuers through the use of personal passwords they create when they register their cards with the programs. These services protect merchants against fraudulent “unauthorized use” chargebacks.
• PCI compliance. All merchants accepting card payments are now required to be compliant with the requirements of the Payment Card Security Data Security Standard (PCI DSS), which sets the rules for data security management, policies, procedures, network architecture, software design and other protective measures.

Additionally, you should build and maintain an internal negative file that includes data from fraudulent transactions that you have not been able to prevent. Be sure to leave out of it information that relates to customer disputes or chargebacks, as these can be caused by reasons that are unrelated to fraud. Whenever a new order contains information that matches data in the file, your system should be designed to automatically identify the mismatch and trigger an examination.

Accept card payments quickly and safely

Accept online payments via credit and debit cards and electronic checks at the lowest processing costs. You will get:

• Free merchant account and Authorize.Net gateway set-up.
• No monthly merchant services or gateway fees.

We recently reviewed the requirements for accepting card-present Discover transactions. In this post we will go over the requirements for processing mail and telephone order (MO / TO) sales.

Just as is the case with Visa and MasterCard, the floor limit for card-not-present Discover transactions is zero. This means that merchants accepting Discover card payments over the telephone or in the mail are required to obtain an authorization approval for each transaction. Listed below are the payment acceptance procedures that need to be followed for MO / TO transactions:

1. Cardholder verification. Although it is not a mandatory requirement, MO / TO merchants should verify the cardholder’s billing address and confirm the delivery address by using the Address Verification Service (AVS). AVS confirms an address provided by the cardholder by comparing it with the one on file with Discover. It is a strong tool for protection against fraud, although it does not eliminate the possibility of chargebacks.
2. Documentation of card sales. Merchants are required to include all merchandise and / or services purchased at one time on one sales receipt. Additionally, the following information must be provided for each mail or telephone order card sale:
   • Cardholder name.
   • Card account number.
   • Card expiration date.
   • Merchant’s name.
   • Shipping address.
   • Description of the merchandise or service purchased.
   • Total amount of the transaction (including sales tax and / or tip).
   • Transaction date.

   
   Merchants should retain the transaction information, along with the shipping date, for at least six months and provide it per request in case of a chargeback or a customer dispute.

3. Transmission of transaction information. Merchants are required to transmit their Discover card transaction data daily. For all MO / TO transactions, the sales data should not be transmitted until the merchandise or services have been shipped, delivered or provided. MO / TO merchants are allowed, however, to accept deposits on their sales and can send to Discover transaction data related to such deposits before the shipping or delivery date.
4. Delivery requirements. MO / TO merchants are required to provide the cardholder, at the time of delivery of the products or services, with an invoice or other documentation that includes the information listed in section 2 above. Merchants should consider using shipping services that allow them to obtain the cardholder’s signature as proof of delivery, which can later be used in case of a customer dispute or a chargeback. If a cardholder comes to the merchant’s location to pick up a product ordered by mail or telephone, the merchant is required to obtain an imprint of the card and the cardholder’s signature.

Most MO / TO merchants now use virtual terminals for processing their card transactions. Virtual terminals are typically set up to automatically provide Discover, as well as the other card networks and companies, with the information they require, in the manner they have prescribed. You should not take this for granted, however, and double check with your processor. Additionally, and this is entirely within your own control, you need to ensure that, for all MO / TO sales, transaction data are not transmitted to your processing bank until the merchandise or service have been shipped or provided.

Learn how to lower your card acceptance cost

Learn how to accept credit and debit cards at the lowest processing costs. The Payment Card Acceptance kit contains a video and an e-book:

• Video – Card Acceptance Best Practices for Lowest Processing Costs (18 min).
• E-Book – Payment Card Acceptance Guide (19 pages).

Authentication of an e-commerce credit card transaction is the process through which a merchant verifies the validity of the payment information provided be the customer. The process involves the verification of both the cardholder’s identity and the card’s authenticity. The Credit Card Associations of Visa and MasterCard have developed several authentication services that are all available to e-commerce merchants and it is recommended that they use them all to reduce the number of fraudulent transactions and chargebacks.

• Address Verification Service (AVS). AVS enables merchants who accept credit card payments in a non-face-to-face setting to compare the billing address (the address to which the card issuer sends its monthly statement for that account) provided by a customer to the billing address on the card issuer’s file before processing a transaction. After comparing the provided address with the one they have on file for their cardholder, the card issuer responds by issuing one of the AVS Response code listed in the table below.
  
  

  AVS Response Code	Explanation and Recommended Action
  X – exact match	Address and nine-digit ZIP code match – if the other fraud services raise no suspicions, you should process the transaction.
  Y – match	Address and five-digit ZIP code match – follow the instructions above.
  A – partial match	Address matches but ZIP code does not – a sign of a potential fraud. You may want to investigate further before making a decision.
  Z – partial match	ZIP code matches but address does not – a sign of a potential fraud. Follow the above instructions.
  N – no match	Neither address nor ZIP code match – a strong sign of a fraud. You should take additional steps to investigate the transaction.
  U – unavailable	The card issuer system is unavailable and the address cannot be verified. You need to make a decision whether to process the transaction without AVS or not.
  R – retry	The card issuer system is unavailable – you should try again later.
  U – no AVS support	If the card issuer does not support AVS you will have to make a decision whether to process the transaction or not based on other criteria.
  G – global	The address is outside of the U.S. – AVS cannot be used. You should take further steps to verify the authenticity of the transaction.

  
  Address verification and transaction authorization occur simultaneously and, within seconds, the merchant receives both results.

• Card Security Codes. Card Security Codes are the 3-digit numbers located on the back of Visa (CVV2), MasterCard (CVC 2) and Discover (CID) cards, in or around the signature panel, and the 4-digit numbers located on the front of American Express (CID) cards, above the card account number. Card Security Codes help verify that the customer is in a physical possession of a valid card during a card-not-present transaction. Similarly to the AVS, the merchant includes the security code with the authorization request and the issuer replies with a response code, as listed in the table below:
  
  

  Response Code	Explanation and Recommended Action
  M – match	The code is valid. Complete the transaction, taking into account all other transaction characteristics.
  N – no match	The code is not valid. View this result as a very strong indicator of fraud. It may, however, be the result of a key-entry error, so you may consider resubmitting the code request.
  P – request not processed	You should resubmit the request.
  S – the cardholder has stated that the code is not on the card	The security code should be on all valid cards. Consider following up with your customer to verify that he or she has checked the correct card location.
  U – the issuer does not support the card security codes	In this case you should evaluate all other available information and decide whether to proceed with the transaction or investigate further.




• Verified by Visa and MasterCard SecureCode. Verified by Visa and MasterCard SecureCode are authentication systems that validate a cardholder’s ownership of an account in real-time during an e-commerce transaction. When the cardholder clicks “Buy” at the checkout page of a participating merchant’s website, a new screen automatically appears in the cardholder’s browser. The cardholder enters a password that allows the card issuer to verify his or her identity.

These services are free to cardholders who can register their credit card accounts online on the Associations’ or on the card issuers’ websites. During the registration process the cardholder creates the password he or she will use later during the authentication process. Once the card is registered and activated with Verified by Visa or MasterCard SecureCode, the card number will be automatically recognized whenever the cardholder shops at participating stores. The cardholder will be prompted to enter his or her password and, upon password verification, the transaction will be completed.

Learn how to lower your card acceptance cost

Learn how to accept credit and debit cards at the lowest processing costs. The Payment Card Acceptance kit contains a video and an e-book:

• Video – Card Acceptance Best Practices for Lowest Processing Costs (18 min).
• E-Book – Payment Card Acceptance Guide (19 pages).

Fraud is a much bigger concern for e-commerce merchants than it is for their brick-and-mortar counterparts. The challenges of verifying the validity of both the card and the cardholder in a non-face-to-face environment are much greater than they are in a card-present setting. Still, there are plenty of third-party tools that can help you screen fraudulent transactions. But perhaps the better way to prevent fraud from happening is to develop and implement an internal mechanism for screening transactions, which would, if certain predefined high-risk characteristics are found, suspend the processing of the transactions at issue.

If you decide to build your own, proprietary, fraud screening mechanism, consider implementing the following elements to serve as trigger points for suspending the processing of a transaction:

• Transaction data that matches information stored in your internal negative file. Internal negative files should include account information from previous transactions that have been proved to be compromised or fraudulent.
• Transactions that exceed your internal velocity limits and controls.
• Generates an Address Verification Service (AVS) mismatch. Implementing this fraud screening element is based on the assumption that you are employing AVS, which you should do! AVS verifies whether or not the billing address that your customer provides during a card-not-present transaction matches the one the card issuer has on file for the cardholder. The AVS verification process provides merchants with a response code for each transaction. A “No Match” response is a strong sign of a potential fraud and can be used as a trigger point in your fraud screening mechanism. The AVS can also generate a “Partial Match” response which, at the very least, should prompt an additional investigation.
• Generates a Card Security Code mismatch. As with the AVS element above, the assumption again is that you are using the security codes for every transaction, which you should do! These are the three-digit codes on the back of Visa (CVV2), MasterCard (CVC 2) and Discover (CID) cards and the four-digit codes on the front of American Express (CID) cards were introduced as an additional tool to help merchants verify that the cardholder is in a physical possession of the card at the time of the transaction. The Card Security Code verification process, just as the AVS verification process, generates response codes and the same procedures should be followed as with the AVS responses. You should never store these codes in your system.
• International shipping addresses. If your business is shipping abroad, perhaps you should screen international addresses for fraud as well. If you decide to do that, you should take into account the fact that some countries present a much higher risk than others. You may also want to consider not shipping to certain countries at all. Make sure that your processor supports the international AVS.
• Identify international IP addresses as high-risk. Statistical data show that international IP addresses have a substantially higher fraud rate than domestic addresses, particularly when merchants require a U.S. billing address.
• The shipping address is different from the billing address. You may want to require that these two addresses match, especially for big-ticket transactions and transactions for specific merchandise types.
• Screen for high-risk shipping addresses. Apart from international addresses, there are certain addresses that require special attention, such as P.O. boxes, prisons, hospitals and addresses with documented fraudulent activity. There are third-party databases of high-risk shipping addresses that you can use to compare to shipping addresses provided by your customers.
• Previous cardholder purchases should be a favorable factor in your fraud assessment procedures.

You should incorporate into your card processing procedures a mechanism for separating high-risk from low-risk transactions. By doing so you will be able to reduce costs by not having to screen every single transaction and concentrate your resources on the most likely offenders instead. Fraud scoring is a system of predictive fraud detection models or technologies that will help you do just that

Learn how to lower your card acceptance cost

Learn how to accept credit and debit cards at the lowest processing costs. The Payment Card Acceptance kit contains a video and an e-book:

• Video – Card Acceptance Best Practices for Lowest Processing Costs (18 min).
• E-Book – Payment Card Acceptance Guide (19 pages).