Payment fraud is a complex challenge for merchants, and takes many forms. Knowing that the payer is genuine is a fundamental aspect of fighting fraud. But that's easier said than done. Credit and debit cards can be stolen or copied and used by fraudsters online. One way for merchants to check if the payer is genuine is via AVS (Address Verification Service). In this article we will explain what AVS is and how it works, and what happens when there is a mismatch between the address details associated with the card and the address the customer provides at the checkout.
What is AVS?
AVS stands for Address Verification Service. It is one of the most widely used fraud prevention tools for card-not-present payments. An AVS check compares the billing address provided by the customer at the checkout with the address associated with the card being used for payment. This information comes from the card network or issuing bank. The basic aim of AVS is to match the two records, so that the merchant can be confident that the person making the purchase is the same person who owns the card.
AVS is offered by four card networks—Visa, MasterCard, Discover and American Express— in the United States, Canada and the United Kingdom only.
An AVS check is performed during the authorisation stage of a payment. When the merchant sends the payment request to the card network or issuing bank, it will include a request to check the billing address provided by the payer. The card company or bank will report back to the merchant using various codes that communicate how closely the two addresses match. The merchant then decides whether to accept or decline the payment.
What is an AVS mismatch?
An AVS mismatch occurs when the address supplied by the customer does not match the address that the bank has on file for that card. There are various reasons why a mismatch can occur. To help a merchant understand these reasons, they are supplied with a mismatch code. The codes cover various scenarios, but broadly describe either a full match, a partial match or a mismatch. Depending on their risk appetite, the merchant decides which codes they will allow (meaning the payment can be processed) and which they will reject (meaning the payment will be cancelled.)
AVS mismatch codes
AVS codes vary between card networks. Here is a headline summary of the main AVS codes used and what each one means.
- A – Partial Match: The street addresses match but the zip codes don’t.
- G – International Card: The issuing bank is international.
- N – No Match: Neither the street address or zip code matches what the bank has on file.
- R – Retry: Something happened on the server end. You should just run it again if this error fires.
- U – Unavailable: Either the bank doesn’t have any information on file or doesn’t support AVS. Use your discretion and other order review processes to determine whether or not to accept the transaction.
- W – Partial Match: The street address doesn’t match but the 9-digit zip code does.
- X – Full Match: The 9-digit zip code and corresponding street address match.
- Y – Full Match: The 5-digit zip code and corresponding street address match.
- Z – Partial Match: The 5-digit zip code is right, but the street address isn’t. Ask the customer to try again.
Some payment processors will have a more extensive list of AVS codes, which are designed to give merchants more information to make better decisions. Here is a list of the AVS codes used by Checkout.com.
Why is rejecting orders based only on AVS information a bad idea?
AVS is not an exact science. So merchants should not see an AVS match as definitive proof of the legitimacy of a payer. Nor should they automatically conclude that an AVS mismatch is an attempt at payment fraud. AVS alone neither proves or disproves a customer’s identity. Instead, AVS should be used as just one element of an anti-fraud strategy alongside other tactics.
Not all AVS mismatches are fraudulent
There various reasons why an AVS mismatch could actually be a genuine payment. A single address can be written in multiple ways, especially when there are two numerical parts to a property, such as a flat within a block. People can change addresses without informing their bank until later. A payer may be located in a different country where AVS is not available. And it can be easy to incorrectly provide a shipping address as a billing address, especially where the website offers the ‘copy address’ feature.
So merchants should take an agile approach to AVS mismatches. As well as configuring the AVS filters on the payment processing gateway to favour returning and other low-risk customers, merchants can follow up with customers to verify their identity in a different way.
Not all AVS matches are legitimate
A fraudulent payment can still return a positive AVS match. This is because most of us do not consider our address as a sensitive piece of data. People freely provide their addresses for all sorts of reasons, and these can be scrapped from websites and sold on the dark web. It’s possible to buy whole sets of names, addresses and card details from corners of the internet, if you know where to look.
Fraudsters are cunning. They understand what will raise a red flag, such as a shopping address that is located far away from the billing address. To overcome this, they will often find a location that is in the same zip code as that of the genuine card owner.
AVS and chargebacks
Most payment processing software will let merchants set the influence that an AVS check has on the final authorisation decision, by classifying which mismatch codes should carry more weight than others. It is also possible to completely switch off AVS, but this has repercussions when disputing chargebacks, as the merchant may be judged as having an under-optimised approach to fraud prevention.
A merchant that only employs minimal preventive measures to protect their customers are not only likely to encounter more chargebacks, but will also find it harder to dispute them. Equally, a merchant that leverages AVS for every card-not-present transaction, and sets strong filters for AVS mismatches, has demonstrated a strong approach to combating fraud, which makes it easier to defend against chargeback requests.
Learn more: what is chargeback fraud?
How to customize your fraud rules to fit your risk strategy
An effective AVS strategy is about balancing the pros and cons of the protocol. As we've read, AVS can be a valuable tool in reducing fraudulent payments, but it can also stop genuine transactions being processed.
Part of the answer is to set AVS filters that align with your risk appetite, and continually adjust these based on the volume of mismatches, and who those mismatches are happening to. More broadly, a merchant should see AVS as just one element of a suite of preventive measures offered by more comprehensive fraud analytics tools. These include CVV (Card Verification Value), 3D Secure 2 (3DS2) protocols, IP fraud score and machine learning capabilities that use historical data to train the payment processing platform to identify and stop fraudulent payments.