When it comes to Address Verification Systems (AVS), you likely have questions. After all, AVS are supposed to be a way that your e-commerce website can make sure that customers are who they say they are. And yet you’ve likely heard that AVS is not foolproof, and that smart fraudsters can get around AVS easily.
So, here are answers to everything e-commerce merchants need to know about AVS.
An Address Verification System is a tool used to validate whether the billing address entered by a customer on an ecommerce store matches the address on file at the bank or credit card company. AVS is used primarily to prevent fraudulent online purchases and so reduce chargebacks to merchants.
The primary goal of AVS is to allow merchants to verify that the person placing an order is the cardholder. Although it is not foolproof, AVS is a useful tool for verifying transactions because in most cases, if the address provided by the purchaser matches the one on the card, it is likely the same person. Due to the benefits involved, AVS is a useful tool for merchants.
While the purchaser is required to provide a complete address when making an online purchase, only the numeric values that are provided are verified by the cardholder’s bank. In most cases only the street number and the zip code are compared to what is on the issuer’s system. Therefore, an error can go undetected when purchasers enter a similar street, suite or apartment address.
For example, if the customer’s address is 123 Main Street, Anytown, 55555, the AVS will validate only 123 and 55555. Savvy fraudsters know they only need to get the street number and zip code right in order to fool the system!
An AVS can verify whether the billing address used for a transaction matches the address on file at the cardholder’s issuing bank or credit card company by checking the numeric information and zip code provided by the purchaser.
Once the purchaser has entered their address and completed a purchase, the following occurs:
If the cardholder’s bank or credit card company does not get a match, the system sends an AVS code that indicates the results of the address verification to the merchant. The code reveals how well the numbers entered by the purchaser match those on the issuer’s file. The code that is transmitted may be a complete match, a partial match or it may not match at all.
AVS authentication generally requires only a few seconds to be completed and occurs without the purchaser being aware.
The common AVS codes that a cardholder’s bank may transmit to a merchant are the following:
Y – There is a full match. For example, the apartment or suite number and the 6-digit zip code match.
X – There is a full match with the apartment address and the 9-digit zip code provided.
W – Indicates a partial match. For example, the 9-digit zip code matches but the apartment, street or suite number provided does not match.
Z – This code indicates a partial match. For example, the 5-digit zip code matched but the apartment, street or suite number does not match.
A – A partial match. The provided street address matches that on the issuer’s system but the zip code differs.
G – Indicates to the merchant that the card being used for the purchase is from a non-U.S. issuer.
N – No match was made on the street address or the zip code provided.
R – The purchaser has to retry entering their information due to a system timeout or error.
U – The card issuer does not support AVS, or the information is not available at the time of the purchase.
Depending on the AVS code returned, a merchant’s next step is either a cancellation of the order, further investigation or simply approval to ship.
An AVS code is not a direct indicator of whether an ecommerce store should process an online order. Once the response has been received, it is up to the merchant to decide whether to process or cancel the transaction.
Once the code has been received, the merchant can choose to process the transaction, override the payment system or cancel the transaction at their discretion. It is up to the merchant to weigh the pros and cons and decide if they should trust the purchaser. In most cases, a partial-match code will signify a red flag that the person performing the transaction is not the cardholder. However, the purchase may go through based on the automatic rules that the merchant has set up.
It may be impossible for a merchant to review each transaction manually to determine if it’s fraudulent, especially for large ecommerce stores. Therefore, it’s important for each merchant to have automatic rules in place to determine which transactions are approved and which are declined.
Ideally, each merchant should set up automatic rules for AVS based on their individual level of risk aversion and their abilities to evaluate an order and determine if it’s worth accepting. Generally, the payment processor will present a set of rules to the merchant for them to decide which ones to filter out. Therefore, the merchant will decide which of the AVS codes they want to approve or decline.
While setting up their AVS, a merchant should bear in mind that issues such as data entry errors made by the cardholder during the transaction or a change of address may result in a partial AVS code being transmitted.
Aside from their level of risk aversion and their ability to examine and decide if a transaction is fraudulent, there are some factors that merchants can assess to determine if they should complete a purchase.
For instance, one common factor for merchants to examine is whether the shipping address should match the billing address when setting up AVS rules. A different shipping address may indicate that the purchaser is not the cardholder, though not in all cases – such as when the consumer is purchasing a gift that will be shipped to the gift recipient.
Because of this ambiguity, merchants must be very careful not to act too quickly when declining transactions. Approving a fraudulent transaction is obviously problematic, but declining a legitimate transaction is equally a problem. False declines can leave good customers frustrated and upset, and these unhappy customers may choose to shop with a competitor. In fact, false declines can cost merchants more in lost sales than the cost of e-commerce fraud!
If the billing and shipping address do not match, the merchant should evaluate other factors to help validate the cardholder’s identity. Quick options include identifying whether the package is being shipped in the cardholder’s name and if the cardholder is affiliated with the address that the package is being shipped to.
There are other security tools that a merchant can use to receive this information. In some instances, the merchant may decide to verify the residency at the delivery address that is provided to determine if the cardholder had a change of address.
If this information cannot be retrieved through manual or automatic investigation, the merchant may look at other factors to determine if they should process the transaction. This may include whether previous orders have been shipped to the address and if the purchaser has an online history that reveals the cardholder’s association with the address. If the merchant can determine that the cardholder has had a change of address through investigation, they may decide to process the order.
In cases where the package is being shipped to a family member, concerns about whether it is being shipped to a different address may disappear if the last name of the family member matches the card holder’s last name. If the family member’s last name and the cardholder's last name do not match, the merchant may have difficulty establishing a familial connection. In this case, it is imperative that the merchant conduct further checks to establish a connection prior to processing the order. This can be done by contacting the purchaser. If no relationship can be established after doing so, this may be an indicator of a fraudulent transaction.
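The automatic rules and shipping-address checks described above can be combined into one decision function. This is an added example, not code from the article or from any payment processor: the `Order` and `Policy` fields, the 200.00 threshold and the choice of action per code group are assumptions a merchant would tune to their own risk tolerance.

```python
from dataclasses import dataclass

# AVS codes as listed on this page, grouped by match strength.
FULL, PARTIAL = {"Y", "X"}, {"W", "Z", "A"}
UNAVAILABLE = {"G", "U"}  # non-U.S. issuer, or AVS unsupported/unavailable

@dataclass
class Order:  # hypothetical order record
    avs_code: str
    amount: float
    ship_matches_billing: bool
    ship_name_matches_cardholder: bool = False
    prior_orders_to_ship_address: int = 0

@dataclass
class Policy:  # hypothetical merchant settings, not a processor's API
    low_value_limit: float = 200.0    # constructed threshold
    accept_unavailable: bool = False  # accept chargeback risk on G/U orders

def decide(order: Order, policy: Policy) -> tuple[str, str]:
    """Return (action, reason); action is approve, review, retry or decline."""
    code = order.avs_code.strip().upper()
    if code == "R":
        return "retry", "issuer timeout or error; resubmit before judging"
    if code == "N":
        return "decline", "neither street address nor zip code matched"
    # Signals that tie a differing shipping address back to the cardholder.
    corroborated = (order.ship_matches_billing
                    or order.ship_name_matches_cardholder
                    or order.prior_orders_to_ship_address > 0)
    low_value = order.amount <= policy.low_value_limit
    if code in FULL:
        if corroborated:
            return "approve", "full match and shipping address corroborated"
        return "review", "full match, but shipping address is unverified"
    if code in PARTIAL:
        # Typos and recent moves also yield partial codes: review, not decline.
        if corroborated and low_value:
            return "approve", "partial match, low value, shipping corroborated"
        return "review", "partial match; contact purchaser or verify address"
    if code in UNAVAILABLE:
        if policy.accept_unavailable and corroborated:
            return "approve", "AVS unavailable; accepted under merchant policy"
        return "review", "AVS unavailable; rely on other checks"
    return "review", f"unrecognised AVS code {code!r}"

# Constructed sample: a gift order on a full match, shipped to a new address.
SAMPLE = Order("Y", 80.0, ship_matches_billing=False)
```

Sending partial matches and uncorroborated shipping addresses to review rather than straight to decline is what keeps false declines down while still stopping the no-match case automatically.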
The main problem that larger ecommerce stores have with AVS is that there are no markers outside of Canada, the United States and the United Kingdom. Purchasers using a payment method that was issued by a credit card company outside of these countries will receive an AVS decline when they perform a transaction in most cases. This might not be so if the merchant has a rule in place to accept these transactions at the risk of a chargeback.
Large ecommerce stores who wish to accept international transactions should rely on other tools that allow them to avoid incurring great losses when fraudulent transactions are made. But most anti-fraud tools, such as 3-D Secure, which are used as an additional layer of security, have their own weaknesses.
More often than not, a merchant’s representment rights hinge on their efforts to confirm the validity of disputed transactions. An AVS check is one of the most powerful tools that a merchant has in chargeback disputes—especially those that are fraud related.
But AVS is not an outright-win condition. There can be scenarios where there is a full AVS match but chargeback disputes still have to remain ongoing. Still, AVS is an effective and efficient means of easily filtering out most cases of fraud.
Many savvy merchants that actively try to avoid chargebacks will only accept orders from sources that have a full AVS match. This is a smart tactic to employ if you’re trying to avoid fraud. However, it is not an infallible safety net.
This is because some fraudulent transactions get approved by mistake. Plus, employing this tactic does not mean that you cannot be held liable for chargebacks (fraud-related or otherwise) that have a full AVS match.
The short answer to this question is cardholder rights. Under US federal law, cardholders have limited liability for unauthorized charges. Unless there are major reforms to these laws, this is an enduring fact that all merchants have to deal with.
Clearly, implementing AVS in your online store according to best practices is not always as straightforward as it might seem! But with the right strategy, and by leveraging AVS as just one part of a comprehensive fraud prevention strategy, you can protect not only your business but the security of your valued customers as well – ensuring that everyone involved has a positive, productive online experience.
For more information about the e-commerce fraud prevention strategies that are best for your online store, connect with a ClearSale representative today!