Clearsale Blog | Insights on Ecommerce and fraud

Is an AVS Mismatch Fraud Filter Right for Your Business

Written by Bruno Farinelli | Mar 7, 2023

The idea behind the Address Verification System (AVS) is fairly simple: If the billing address entered by the shopper doesn’t match the billing address the bank has on file, it will trigger an AVS mismatch. From there, the transaction might be flagged and even declined.

In a simpler world, AVS would be the only method businesses would need to stop fraudulent transactions in their tracks. Unfortunately, ecommerce doesn’t operate in a simple world.

Declining all transactions that show a mismatch between the shopper’s address and the one the bank has on file might stop fraud cold, but it can also freeze out legitimate transactions.

So, should you ignore AVS mismatches? No. But nor should you stake the entire transaction on them: Our own data reveals we’ve safely approved more than 95% of transactions with an AVS mismatch. And more than half of the fraudulent orders we see have a full or partial AVS match.

Ultimately, walking the line between combatting fraud and preventing AVS mismatches from derailing transactions can be tricky for ecommerce businesses.

In this guide, we explain everything businesses need to know about AVS, the most common reasons transactions get flagged by AVS tools, how fraudsters attempt to circumvent AVS protections, and what steps businesses can take to walk that fine line and ensure a shopping experience that is both safe and frictionless.

How Businesses Benefit From AVS

The AVS concept was originally introduced by Mastercard but is now a service provided by all payment processors, from card-present to card-not-present (CNP) to digital wallets and beyond. There’s a good reason. A Juniper Research report estimates that global ecommerce fraud losses will reach $48 billion in 2023, with North American businesses suffering 42% of those losses, Western Europe accounting for 26%, and Asia being hit with 22%.

 

Global ecommerce fraud losses will reach $48 billion in 2023

 

The primary goal of AVS is to allow businesses to verify that the person placing a CNP order is actually the cardholder. Although it isn’t foolproof, AVS is one of the most commonly used fraud prevention tools.

If the AVS indicates a match, the business can be more confident their customer is who they say they are — or that they’re at least an authorized user of the credit card being used. In the case of an AVS mismatch, the business might consider declining the transaction.

Match

Mismatch

 

As a security feature, AVS can automatically reject potentially fraudulent transactions — an appealing option for ecommerce businesses looking to reduce their fraud and chargeback ratios.

An added bonus? Even if businesses approve a transaction with full AVS match that later turns out to be fraudulent, they’re better equipped to fight any chargeback disputes: Showing the positive address match with proof the order was shipped to the cardholder’s address on file with the bank will strengthen a business’s case.

How Does AVS Work?

AVS automatically compares the billing address a customer enters in a credit card transaction against the address the bank has on file by comparing numeric values: In most cases, the street number and the ZIP code. For example, if the customer’s address is 123 Main Street, Anytown, 55555, the AVS will validate only 123 and 55555.

The AVS process takes just seconds to complete and is invisible to customers. Once the shopper has entered their address and submitted their purchase, the following occurs:

 

  • The payment gateway automatically sends the address entered to one of the major credit card networks (Visa, Discover, MasterCard, American Express).

 

  • The credit card network transmits the information to the cardholder’s bank. The bank verifies the address against the address that is stored on their system.

 

  • The cardholder’s bank transmits an authorization AVS code and authorization status to the payment gateway that the merchant is using.

 

If the cardholder’s bank or credit card company do not get a match, the system sends an AVS code that indicates the results of the address verification to the merchant. The code reveals how well the numbers entered by the purchaser match those in the issuer’s file. The code that is transmitted may be a complete match, a partial match or it may not match at all.

 

AVS Codes and What They Mean

The AVS codes are not binary; there are levels of match that can inform the steps the merchant takes next.

Here are the common AVS codes that a cardholder’s bank may transmit to a business:

Y

There’s a full match. For example, the apartment or suite number and the six-digit ZIP code match.
 

X

There’s a full match with the apartment address and the nine-digit ZIP code provided.
 

W

Indicates a partial match. For example, the nine-digit ZIP code matches but the apartment, street or suite number provided doesn’t match.

Z

This code indicates a partial match. For example, the five-digit ZIP code matched but the apartment, street or suite number provided doesn’t match.
 

A

A partial match. The provided street address matches that on the issuer’s system, but the ZIP code differs.

 

G

The business that the card being used for purchase is from a non-U.S. issuer.

N

No match was made on the street address or the ZIP code provided.
 

R

The purchaser has to retry entering their information due to a system timeout or error.

 

U

The card issuer doesn’t support AVS, or the information isn’t available at the time of the purchase.
             

 

 

What Should Merchants Do with AVS Mismatch Codes?

Depending on the AVS code returned, a business’s next step is a cancellation of the order, further investigation or simply approval to ship, based on their discretion.

It’s up to the business to weigh the pros and cons and decide if they should trust the purchaser. In most cases, a partial-match code will signify a red flag that the person performing the transaction is not the cardholder. However, the business may still allow the purchase to go through based on automatic rules that they’ve set up.

It’s also important to note that AVS mismatch may not automatically signal fraud. With the pandemic, many consumers were forced online for the first time, and they stumbled quite a bit – making them appear to be fraudsters. While those novice customers may be more comfortable with ecommerce shopping, there’s no guarantee that they aren’t still miskeying information.

It’s for this reason that we often recommend including fraud filters like AVS Mismatch as one component of a comprehensive fraud prevention strategy instead of it serving as the entire strategy.

 

Setting Up AVS Rules

When setting up their AVS Mismatch rules, a business should bear in mind that those data entry errors we mentioned above will happen. For example, if someone is entering in their billing address on their mobile device and they transpose two digits of their ZIP code – an easy enough mistake to make – it may result in an AVS mismatch.

Also, depending on the volume of transactions the business processes, it may be impossible to review each transaction manually to determine if it’s fraudulent.

As such, businesses should set up automatic rules for AVS code handling based on their individual level of risk aversion and to flag orders for contextual review based on their ability to determine if it’s worth accepting. While the payment processor will present a set of rules to the business for them to decide which ones to filter out, it’s up to the business to decide which of the AVS codes they want to approve or decline.

A different shipping address may indicate that the purchaser is not the cardholder, or it may not. Because of this ambiguity, businesses must be careful not to act too quickly when declining transactions. Sometimes, more investigation is necessary.

Further Investigative Steps for Businesses and AVS

Because the codes aren’t foolproof and AVS rules can’t account for every scenario, some transactions may require additional investigation by the business to determine validity. We call this contextual review. Here are some of the scenarios to consider in this review

 

Scenario

 

Transaction Type

The customer is from outside the United States, Canada or the United Kingdom, which means the buyer’s billing address can’t be used for card verification.

 

Purchasers using a payment method that was issued by a credit card company outside of these countries will receive an AVS decline when they perform a transaction in most cases. Merchants can elect to put a rule in place to accept these transactions if they are willing to take the risk of a chargeback.

The customer has recently moved and hasn’t updated their billing address with their credit card company.

 

If the package is being shipped in the cardholder’s name and the cardholder is affiliated with the address that the package is being shipped (e.g., by a shipment to that address by another family member with the same last name), the merchant may approve the transaction.

The customer is purchasing a gift and having it shipped directly to the recipient.

 

The merchant can assess if previous orders have been shipped to the address and if the purchaser has an online history that reveals an association with the address.

A college student makes a purchase on their parents’ credit card and has the order shipped to school.

 

The recipient’s last name matching the card holder’s last name, and a college address, are good indicators of a valid transaction, make cardholder’s one word.

 

If all these measures have been exhausted and no positive association can be made, it may be an indicator of a fraudulent transaction and grounds for an order cancellation. While all this investigating may sound like a lot of work, for businesses, the benefits outweigh the effort.

Without this type of review, companies run the risk of too many false declines, which can be more costly than fraud.

 

AVS Mismatch and the Costs of False Declines

A false decline happens when a valid customer purchase is declined, and the impact of false declines is significant. Today’s customers – especially millennial and Gen Z customers – expect their transactions to be approved. So, a false decline creates embarrassment, frustration and anger that can hurt a business’s reputation. In fact, false declines can cost businesses more in lost sales than the cost of ecommerce fraud:

  • A customer is 4x more likely to go to your competitor if a problem is service-related, rather than price- or product-related. (Bain & Company)
  • If a business declines their payment, 40% of consumers will never place an order with that business again. (ClearSale/Sapio Research)

If a business declines their payment, 40% of consumers will never place an order with that business again.

  • 34% of customers who experience a false decline take their complaint to social media. (ClearSale/Sapio Research)

  • Repeat customers spend 2x more than new customers. (McKinsey)
  • 96% of consumers classify customer service as an important factor in their choice of loyalty to a brand. (Microsoft)
  • A promoter has a 1,400% higher value than a detractor. (Bain & Company)
  • Detractors are 2x as likely to talk about bad brand experiences. (TARP Research)
  • For every customer who complains to the customer support department, there are 26 unhappy customers who don’t bother to contact the company. (TARP Research)
  • For every $1 in false declines, businesses lose $13 and the lifetime value of the customer.

Triggering an AVS fraud code has another downside that customers won’t appreciate.

When a transaction is declined due to AVS mismatch, the bank can put a hold on the authorized funds that will remain on the customer's card until the issuing bank lets it expire (typically seven days for most business types except hotels and car rentals — they can keep the hold in place up to 30 days). The held funds may be subtracted from the customer's available balance and create havoc in their personal finances.

Fraud Types AVS Can’t Catch

AVS is an excellent first line of defense, but to make fraud prevention even more challenging for businesses, not every AVS match on a transaction means the purchase is legitimate.

Because AVS matches only the numeric portions of addresses — and not the full addresses — fraudsters have learned ways to circumvent the system:

  • Mimicking Delivery Addresses
    To have their transactions approved, fraudsters will pick a shipping address that’s close in proximity to the billing address and that uses the same AVS number. If the billing address is 123 Main Street, Anytown, NY, 12345, the fraudster may use 123 Maple Street, Anytown, NY, 12345 as the shipping destination. The AVS details are similar enough to not raise suspicion, and the fraudster simply picks up the package at the new location.

  • Foreign Addresses
    AVS can currently be used only with addresses in the United States, Canada and the United Kingdom. Fraudsters know that AVS is ineffective for many international transactions.
  • Alternate Payment Methods
    Merchants must remember that not every payment method can take advantage of AVS. Prepaid debit cards rarely require customers to keep billing or shipping addresses on file, eliminating AVS as a useful screening tool.
  • Digital Products
    The challenge for fraudsters with physical goods is redirecting or intercepting the delivery. Not so with digital downloads. AVS doesn’t match email addresses to credit card or address information. The fraudster uses the victim’s details for the transaction then adds their own (burner) email address for digital delivery.
  • Identity Theft 
    This occurs when someone uses personal information to open a credit card in the victim’s name. For example, a thief could use a stolen Social Security number to apply for a credit card without the person’s knowledge. 
  • Stolen Data
    Just because AVS can confirm an address match, that doesn’t mean it’s the legitimate cardholder making the transaction.

 

Is AVS Right for Your Business?

Many methods of fraud protection can be a double-edged sword: Using it too aggressively can trigger a higher volume of false declines, which can cost the business revenue, future sales and customer loyalty. But being too lax can leave the business open to fraud and expensive chargeback disputes.

With all the possible avenues of fraud and inevitable data breaches, AVS may not be strong enough on its own to allow businesses to confidently approve transactions. Instead, a multilayered fraud prevention system that may include 3-D Secure, IP address verification and multifactor authentication provides a robust fraud prevention strategy.

You want to approve as many orders as possible, and you should be able to. The question is, do you have the solution and/or resources to make that possible?

At ClearSale, we use a hybrid fraud prevention model that incorporates several elements:

  • Fraud filters that include AVS Mismatch are set up to flag obviously questionable orders for processing.
  • AI-enabled automatic approval technology leverages data insights and analytics to then approve or decline as much as 97% of orders with precision. Orders that are still suspicious are flagged for review.
  • A team of more than 1,500 fraud analysts who have identified and prevented fraud in the most high-risk regions across the world perform secondary review of those flagged orders. In some cases, they may reach out to customers to offer “white-glove” fraud prevention service.
  • Once those orders are dispositioned, the data insights are fed back into the AI system to help it “learn” about the client’s industry, customers, regions and new fraud trends, which further improves auto-approval accuracy.

Wondering if your ecommerce business is generating too many false declines? Our research shows that 58% of declined transactions are legitimate orders. Get your results with our Approval Rate Calculator.