Does an AVS Mismatch Always Indicate Fraud?
Address verification systems (AVS) serve to confirm which transactions are legitimate and which ones are fraudulent.
Think of AVS like a bouncer for a company’s transaction party, deciding who’s allowed in and who’s not. But unlike your local nightclub’s bouncer, AVS strictly analyzes numbers, and there’s a lot of room for error.
Just how reliable is this system?
Here’s how AVS works – the process starts with a comparison of the numeric portions of the billing address with those of the billing address on file with the credit card issuer. The closer the match, the more confident an e-commerce merchant can be that the customer is the true cardholder.
But address verification systems are prone to hiccups. Do customers remember the address they used when signing up for a card? Did they include their apartment number or not? Their five-digit ZIP code or ZIP+4? Thanks to all these variations, an AVS mismatch might be due to a simple customer input error, while a full match might actually be the result of a savvy fraudster working the system. And that can wreak havoc on a merchant’s ability to confidently screen transactions.
So when it comes to using AVS and protecting e-commerce businesses against card-not-present fraud, here’s what merchants need to know.
Why Legitimate Charges Get Flagged
When a customer places an order online, the payment processor requests confirmation through AVS that the numeric parts of the billing and shipping addresses match. If they do, the order is considered to be legitimate and the processor will authorize the transaction.
But even when the two don’t match, it doesn’t mean the transaction is necessarily fraudulent. Here’s why.
When the payment processor initiates the AVS request, there are three possible results: match, partial match and mismatch. Each merchant has its own level of risk they’re willing to accept for each transaction. Some will accept only full matches; others may accept partial matches as well. To control their risk, merchants will need to decide which of the more than 15 AVS codes they’re willing to accept and reject.
Unfortunately, those codes aren’t foolproof in separating the legitimate transactions from the fraudulent ones. Here are just a few scenarios in which a legitimate transaction will be flagged as an AVS mismatch and will likely be rejected:
- The customer is from outside the United States, Canada or the United Kingdom, which means the buyer’s billing address can’t be used for card verification.
- The customer has recently moved and hasn’t updated their billing address with their credit card company.
- The customer is purchasing a gift and having it shipped directly to the recipient.
- A college student makes a purchase on their parents’ credit card and has the order shipped to school.
Before automatically declining every AVS mismatch, merchants may want to consider looking at other transaction details and external data sources — like email address, IP address and order history — to get a clearer picture of the customer and the reason for the mismatch.
Not All AVS Matches Are Legitimate
To make it even more challenging for merchants, not every AVS match on a transaction means the purchase is legitimate.
Because AVS matches only the numeric portions of addresses — and not the full addresses — fraudsters have learned ways to circumvent the system. When fraudsters buy credit card data on the dark web, they’re receiving more than just a credit card number. They’re also frequently receiving a card’s CVV and AVS details (i.e., house number and ZIP code).
Today’s fraudsters are savvy enough to know how merchants use AVS to flag purchases. So to pass their transactions through, fraudsters will pick a shipping address that’s close in proximity to the billing address and that uses the same AVS number. So if the billing address is 123 Main Street, Anytown, NY, 12345, the fraudster may use 123 Maple Street, Anytown, NY, 12345 as the shipping destination and intercept the package there. The AVS details are similar enough to not raise suspicion, and the fraudster simply picks up the package at the new location.
Managed Services Can Complement AVS
Automated solutions to protect your business against fraud have come a long way, but they’re still not foolproof. AVS matches are a perfect example. Alone, they’re simply not strong enough to guarantee merchants are approving legitimate transactions and declining fraudulent ones. Plus, they just don’t give merchants the opportunity to look beyond superficial transaction details for the broader patterns at play. And that puts every merchant at an increased risk of missing evolving fraud patterns.
Instead, merchants can add filters like AVS to a robust fraud prevention solution that includes advanced artificial intelligence and skilled human review. A managed services solution is perfect for this detail-oriented approach — letting merchants make educated decisions about questionable transactions, control their fraud risk and reduce expensive chargebacks.
Interested in learning how a managed services solution can protect your business and customers against credit card fraud? Download your free copy of ClearSale’s “Is a Fraud Managed Services Solution Right for Your Business?” e-book today.