AVS & CVV Filters: Help Prevent Fraud on Your Merchant Account

Accepting credit cards increases sales and profits for your business, but it also increases the risk of receiving fraudulent transactions; there is simply no easy way around it. In fact, we’ll go so far as to say that most if not all merchants will take an occasional loss from a chargeback, because chargeback liability is shifted away from customers and towards the merchant; the system is not set up to favor merchants. However, merchants should realize that even with an occasional loss from a chargeback, without credit card processing their sales would be reduced 50-200%, and a (small) percentage of chargebacks is sometimes the cost of doing business.

That, however, doesn’t mean caution should be thrown to the wind. Merchants should use the basic tools provided by the card associations, including AVS & CVV filters, to help protect themselves from fraud & chargebacks, especially if the merchant operates in an online environment where they do not have a direct relationship with the customer. Let’s explore AVS & CVV settings in more detail:

AVS: Address Verification System: A system used to match the billing address provided by the customer to the billing address the customer’s card issuing bank has on file.

Let’s dig deeper into understanding the AVS system. This system only verifies 2 fields of information: 1) the street address and 2) the ZIP code. If you are dealing with a valid customer, they should be able to provide the correct billing address that they have on file with their card issuing bank (Capital One, CITI, MBNA, BofA, etc). The billing address is the address at which the customer receives monthly statements from their credit card issuing bank.

An interesting fact to note is that the AVS system was built several decades ago and ONLY “reads” numbers; it does not read letters. So if a customer enters 123 Maine St instead of 123 Main St, it does not matter; all that the computer reads is “123.”

On any individual transaction, your payment gateway (or POS terminal) sends the Street Address and Zip Code that the customer provided to your processing bank, which routes the transaction through Visa/MC/Discover/AmEx’s network to the actual card issuing bank. It is the actual card issuing bank that provides the AVS response and confirms whether or not the billing address supplied by the customer matches. Therefore, if a customer calls you upset that you declined a transaction due to an AVS mismatch, there is no one for them to complain to except their own card issuing bank. Neither the merchant nor the payment gateway has ANY control in determining if AVS or CVV matches or not; the card issuing bank alone dictates if AVS matches or mismatches. Read here for additional details on understanding AVS & CVV declines & authorizations.

Now that you have a better understanding of AVS, let’s review setting up your AVS rules inside your payment gateway, which can be more confusing than building a rocket ship, so have a 2nd cup of coffee before diving in. Below is a typical listing of the AVS responses (most gateways use these same codes):

Reject a U.S. Transaction If…
Street Address Matches AND…
Street Address Does Not Match AND…

By default Durango recommends checking the (B), (E), (R), (S), (U), & (N) boxes. Please note, this is not a “Full” AVS match; it is a “Partial” AVS match where ONLY the street address OR the zip code must match. This does NOT guard against fraud as much as requiring BOTH the street address & the zip to match would, and depending on your business model you may need to enable full AVS requirements (for example, merchants with digital downloads or high ticket items). The reason most merchants decide to go with a “partial” AVS match (only “N” checked from the bottom options) is that going with a “full” AVS requirement (“A,” “W,” “Z,” “N” checked) will typically result in a higher percentage of declines from otherwise valid customers, due to customers using incorrect addresses or not having their current address on file with their card issuing bank. Fighting fraud while allowing in valid sales is a balancing act; each merchant will need to assess their risks and employ fraud filters as appropriate to perfect this balance.

CVV: Card Verification Value (also sometimes called CVC: Card Verification Code): the 3 digit security code on the back of all Visa, MasterCard, and Discover cards, and the 4 digit security code on the front of AmEx cards (although AmEx calls their code a “CID”).

Next up for review is the CVV rule set, and thankfully this one is less confusing (there are only 4 options). By default, Durango recommends marking the top THREE check boxes (unless you have recurring billing, in which case mark only the two middle boxes):

Reject a U.S. Transaction If…
Is NOT Processed or CVV was not Provided (P)
Does NOT Match (N)
Should be on card, but is not indicated (S)
Issuer is not certified or has not provided encryption key (U)
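
As an added illustration (not Durango's or any gateway's code), the Python sketch below models the numbers-only AVS comparison and the AVS and CVV reject checkboxes described above, then shows how the same constructed orders fare under the partial and full AVS settings. The issuer comparison is a simplified model, the meanings of Y, A, Z, N, B and the CVV match code M are assumed from the commonly used gateway response codes, and all function names and sample addresses are made up for the example.

```python
import re

# Reject-checkbox sets as described on this page (letters are response codes).
AVS_PARTIAL = set("BERSUN")           # default: street OR ZIP must match
AVS_FULL = AVS_PARTIAL | set("AWZ")   # full: street AND ZIP must match
CVV_DEFAULT = set("PNS")              # top three boxes
CVV_RECURRING = set("NS")             # two middle boxes (recurring billing)

def digits(text):
    """Keep only numerals, since AVS ignores letters."""
    return re.sub(r"\D", "", text or "")

def issuer_avs_code(on_file, supplied):
    """Simplified issuer comparison (assumed model): street digits and 5-digit ZIP."""
    if not supplied.get("street") and not supplied.get("zip"):
        return "B"  # assumed meaning: no address information provided
    street_ok = digits(on_file["street"]) == digits(supplied.get("street"))
    zip_ok = digits(on_file["zip"])[:5] == digits(supplied.get("zip"))[:5]
    # Assumed meanings: Y both match, A street only, Z ZIP only, N neither.
    return {(True, True): "Y", (True, False): "A",
            (False, True): "Z", (False, False): "N"}[(street_ok, zip_ok)]

def gateway_decision(avs, cvv, avs_reject=AVS_PARTIAL, cvv_reject=CVV_DEFAULT):
    """Reject when either response code is in a checked reject set."""
    reasons = [f"{name} {code}" for name, code, rejects in
               (("AVS", avs, avs_reject), ("CVV", cvv, cvv_reject)) if code in rejects]
    return ("reject" if reasons else "accept", reasons)

# Constructed sample data; "M" is the assumed code for a CVV match.
ON_FILE = {"street": "123 Main St", "zip": "89501"}
ORDERS = [
    ("street name typo", {"street": "123 Maine St", "zip": "89501"}, "M"),
    ("ZIP differs", {"street": "123 Main St", "zip": "89523"}, "M"),
    ("wrong address", {"street": "77 Oak Ave", "zip": "10001"}, "M"),
    ("wrong CVV", {"street": "123 Main St", "zip": "89501"}, "N"),
]

def compare_policies():
    """Return {label: (AVS code, partial outcome, full outcome)} for ORDERS."""
    out = {}
    for label, addr, cvv in ORDERS:
        avs = issuer_avs_code(ON_FILE, addr)
        out[label] = (avs, gateway_decision(avs, cvv, AVS_PARTIAL)[0],
                      gateway_decision(avs, cvv, AVS_FULL)[0])
    return out

if __name__ == "__main__":
    for label, row in compare_policies().items():
        print(f"{label:18} AVS={row[0]} partial={row[1]} full={row[2]}")
```

The "ZIP differs" order is the trade-off the text describes: a customer whose street matches but whose ZIP does not returns A, which the partial setting accepts and the full setting declines.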

 

For merchants that have B2B transactions, or that have direct relationships with their customers, obtaining an AVS or CVV match is not as important as it is for merchants that do not know their customer beforehand. However, all merchants should understand that their ability to fight & win any chargeback will be diminished if the original transaction did not have a full AVS & CVV match. If a chargeback is received, and you have neither an AVS match nor a CVV match, you will have a difficult time successfully disputing that chargeback. It should also be noted that if you receive a “Y” AVS “match” but ship to a non-AVS verified address, you are unlikely to win that chargeback. Merchants are supposed to ship ONLY to the AVS verified address to protect against fraud and to increase their chances of being able to win a chargeback. Clearly, this is not practical for some merchants, and remember, fighting fraud, protecting against chargebacks and accepting valid sales is a balancing act. Perhaps on 1st time customers you require shipping to the AVS verified address, but not on existing customers; or, on 1st time customers with non-matching shipping/billing addresses, you perform additional customer verification before shipping, knowing that you have increased chargeback liability when shipping to the non-AVS verified address.

Requiring a CVV and at least a partial AVS match from your customers are two of the most basic tools that merchants have at their disposal to guard against credit card fraud (be it true fraud or “friendly fraud” from customers abusing the chargeback system). It should be noted that obtaining a full AVS & CVV match in NO WAY protects merchants fully against fraud; there is no “magic bullet” to protect against chargebacks. A similar analogy can be borrowed from protecting online systems against hackers: as we’ve seen from Hollywood movies and media stories lately, there is no 100% protection against hackers; there are simply “more or less” deterrents against them. Preventing fraud is NOT a “set-it-and-forget-it” strategy; it requires ongoing management of evolving threats, and there is no 100% one-size-fits-all protection against chargebacks.

Obviously, just because a customer can provide both a matching billing address & CVV doesn’t mean that a credit card sale is not fraudulent. Simple tools such as the White Pages or Google searches could provide a billing address for a stolen card if the fraudster has the customer’s name. Recent articles in the press have also highlighted the black market for stolen credit card numbers, where fraudsters can purchase stolen credit card details (and for additional money, the matching AVS & CVV information).

If a merchant is unable to curtail fraud with AVS & CVV fraud filters, we would recommend they consider enrolling in Verified by Visa & MasterCard’s SecureCode.

If you have any questions about protecting your profits from fraud, please contact Durango today! We have the experience you need to deal with today’s evolving marketplace.