The idea behind the Address Verification System (AVS) is fairly simple: If the billing address entered by the shopper doesn’t match the billing address the bank has on file, it will trigger an AVS mismatch. From there, the transaction might be flagged and even declined.
In a simpler world, AVS would be the only method businesses would need to stop fraudulent transactions in their tracks. Unfortunately, ecommerce doesn’t operate in a simple world.
Declining all transactions that show a mismatch between the shopper’s address and the one the bank has on file might stop fraud cold, but it can also freeze out legitimate transactions.
So, should you ignore AVS mismatches? No. But nor should you stake the entire transaction on them: Our own data reveals we’ve safely approved more than 95% of transactions with an AVS mismatch. And more than half of the fraudulent orders we see have a full or partial AVS match.
Ultimately, walking the line between combatting fraud and preventing AVS mismatches from derailing transactions can be tricky for ecommerce businesses.
In this guide, we explain everything businesses need to know about AVS, the most common reasons transactions get flagged by AVS tools, how fraudsters attempt to circumvent AVS protections, and what steps businesses can take to walk that fine line and ensure a shopping experience that is both safe and frictionless.
The AVS concept was originally introduced by Mastercard but is now a service provided by all payment processors, from card-present to card-not-present (CNP) to digital wallets and beyond. There’s a good reason. A Juniper Research report estimates that global ecommerce fraud losses will reach $48 billion in 2023, with North American businesses suffering 42% of those losses, Western Europe accounting for 26%, and Asia being hit with 22%.
The primary goal of AVS is to allow businesses to verify that the person placing a CNP order is actually the cardholder. Although it isn’t foolproof, AVS is one of the most commonly used fraud prevention tools.
If the AVS indicates a match, the business can be more confident their customer is who they say they are — or that they’re at least an authorized user of the credit card being used. In the case of an AVS mismatch, the business might consider declining the transaction.
As a security feature, AVS can automatically reject potentially fraudulent transactions — an appealing option for ecommerce businesses looking to reduce their fraud and chargeback ratios.
An added bonus? Even if businesses approve a transaction with full AVS match that later turns out to be fraudulent, they’re better equipped to fight any chargeback disputes: Showing the positive address match with proof the order was shipped to the cardholder’s address on file with the bank will strengthen a business’s case.
AVS automatically compares the billing address a customer enters in a credit card transaction against the address the bank has on file by comparing numeric values: In most cases, the street number and the ZIP code. For example, if the customer’s address is 123 Main Street, Anytown, 55555, the AVS will validate only 123 and 55555.
The AVS process takes just seconds to complete and is invisible to customers. Once the shopper has entered their address and submitted their purchase, the following occurs:
If the cardholder’s bank or credit card company does not get a match, the system sends an AVS code that indicates the results of the address verification to the merchant. The code reveals how well the numbers entered by the purchaser match those in the issuer’s file. The code that is transmitted may indicate a complete match, a partial match or no match at all.
The AVS codes are not binary; there are levels of match that can inform the steps the merchant takes next.
| Code | Meaning |
| --- | --- |
| Y | There’s a full match. For example, the apartment or suite number and the six-digit ZIP code match. |
| X | There’s a full match with the apartment address and the nine-digit ZIP code provided. |
| W | Indicates a partial match. For example, the nine-digit ZIP code matches but the apartment, street or suite number provided doesn’t match. |
| Z | This code indicates a partial match. For example, the five-digit ZIP code matched but the apartment, street or suite number provided doesn’t match. |
| A | A partial match. The provided street address matches that on the issuer’s system, but the ZIP code differs. |
| G | Tells the business that the card being used for purchase is from a non-U.S. issuer. |
| N | No match was made on the street address or the ZIP code provided. |
| R | The purchaser has to retry entering their information due to a system timeout or error. |
| U | The card issuer doesn’t support AVS, or the information isn’t available at the time of the purchase. |
Depending on the AVS code returned, a business’s next step is a cancellation of the order, further investigation or simply approval to ship, based on their discretion.
It’s up to the business to weigh the pros and cons and decide if they should trust the purchaser. In most cases, a partial-match code will signify a red flag that the person performing the transaction is not the cardholder. However, the business may still allow the purchase to go through based on automatic rules that they’ve set up.
It’s also important to note that AVS mismatch may not automatically signal fraud. With the pandemic, many consumers were forced online for the first time, and they stumbled quite a bit – making them appear to be fraudsters. While those novice customers may be more comfortable with ecommerce shopping, there’s no guarantee that they aren’t still miskeying information.
It’s for this reason that we often recommend including fraud filters like AVS Mismatch as one component of a comprehensive fraud prevention strategy instead of it serving as the entire strategy.
When setting up their AVS Mismatch rules, a business should bear in mind that those data entry errors we mentioned above will happen. For example, if someone is entering in their billing address on their mobile device and they transpose two digits of their ZIP code – an easy enough mistake to make – it may result in an AVS mismatch.
Also, depending on the volume of transactions the business processes, it may be impossible to review each transaction manually to determine if it’s fraudulent.
As such, businesses should set up automatic rules for AVS code handling based on their individual level of risk aversion, and flag orders for contextual review based on their ability to determine whether an order is worth accepting. While the payment processor will present a set of rules for the business to choose from, it’s up to the business to decide which of the AVS codes they want to approve or decline.
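The numeric-only comparison and the per-code rules described above, sketched as an added example (not ClearSale's or any payment processor's code). `avs_code` is a simplified model that only produces Y, Z, A and N; the `ACTIONS` policy, the function names and the sample addresses are assumptions constructed for illustration.

```python
import re

def street_number(line):
    """Leading house number of an address line, or '' if there is none."""
    m = re.match(r"\s*(\d+)", line)
    return m.group(1) if m else ""

def zip5(value):
    """First five digits of a ZIP or ZIP+4 string."""
    return re.sub(r"\D", "", value)[:5]

def avs_code(entered_street, entered_zip, file_street, file_zip):
    """Simplified model of the numeric comparison; returns Y, Z, A or N."""
    num = street_number(entered_street)
    num_ok = num != "" and num == street_number(file_street)
    zip_ok = len(zip5(entered_zip)) == 5 and zip5(entered_zip) == zip5(file_zip)
    if num_ok and zip_ok:
        return "Y"
    if zip_ok:
        return "Z"
    if num_ok:
        return "A"
    return "N"

# Assumed merchant policy (hypothetical): a match still needs the other fraud
# checks, and a mismatch goes to contextual review instead of an auto-decline.
ACTIONS = {
    "Y": "approve_if_other_checks_pass", "X": "approve_if_other_checks_pass",
    "W": "contextual_review", "Z": "contextual_review", "A": "contextual_review",
    "N": "contextual_review", "G": "contextual_review", "U": "contextual_review",
    "R": "retry",
}

def route(code):
    """Next step for an AVS code; unknown codes go to contextual review."""
    return ACTIONS.get(code, "contextual_review")

# Constructed sample entries, checked against the page's example address.
ON_FILE = ("123 Main Street", "55555")
SAMPLES = {
    "exact": ("123 Main Street", "55555"),
    "same numbers, other street": ("123 Oak Avenue", "55555-1234"),
    "miskeyed ZIP": ("123 Main Street", "55556"),
    "moved house": ("9 Elm Road", "44444"),
}

def demo():
    """AVS code produced for each constructed sample."""
    return {name: avs_code(s, z, *ON_FILE) for name, (s, z) in SAMPLES.items()}
```

`demo()` returns Y for an entry with a different street name but the same numbers, and A for a single miskeyed ZIP digit, which is why this policy sends neither result straight to approval or decline.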
A different shipping address may indicate that the purchaser is not the cardholder, or it may not. Because of this ambiguity, businesses must be careful not to act too quickly when declining transactions. Sometimes, more investigation is necessary.
Because the codes aren’t foolproof and AVS rules can’t account for every scenario, some transactions may require additional investigation by the business to determine validity. We call this contextual review. Here are some of the scenarios to consider in this review:

| Scenario | Transaction Type |
| --- | --- |
| The customer is from outside the United States, Canada or the United Kingdom, which means the buyer’s billing address can’t be used for card verification. | Purchasers using a payment method that was issued by a credit card company outside of these countries will receive an AVS decline when they perform a transaction in most cases. Merchants can elect to put a rule in place to accept these transactions if they are willing to take the risk of a chargeback. |
| The customer has recently moved and hasn’t updated their billing address with their credit card company. | If the package is being shipped in the cardholder’s name and the cardholder is affiliated with the address that the package is being shipped to (e.g., by a shipment to that address by another family member with the same last name), the merchant may approve the transaction. |
| The customer is purchasing a gift and having it shipped directly to the recipient. | The merchant can assess if previous orders have been shipped to the address and if the purchaser has an online history that reveals an association with the address. |
| A college student makes a purchase on their parents’ credit card and has the order shipped to school. | The recipient’s last name matching the cardholder’s last name, and a college address, are good indicators of a valid transaction. |

If all these measures have been exhausted and no positive association can be made, it may be an indicator of a fraudulent transaction and grounds for an order cancellation. While all this investigating may sound like a lot of work, for businesses, the benefits outweigh the effort.
Without this type of review, companies run the risk of too many false declines, which can be more costly than fraud.
A false decline happens when a valid customer purchase is declined, and the impact of false declines is significant. Today’s customers – especially millennial and Gen Z customers – expect their transactions to be approved. So, a false decline creates embarrassment, frustration and anger that can hurt a business’s reputation. In fact, false declines can cost businesses more in lost sales than the cost of ecommerce fraud:
If a business declines their payment, 40% of consumers will never place an order with that business again.
34% of customers who experience a false decline take their complaint to social media. (ClearSale/Sapio Research)
Triggering an AVS fraud code has another downside that customers won’t appreciate.
When a transaction is declined due to AVS mismatch, the bank can put a hold on the authorized funds that will remain on the customer's card until the issuing bank lets it expire (typically seven days for most business types except hotels and car rentals — they can keep the hold in place up to 30 days). The held funds may be subtracted from the customer's available balance and create havoc in their personal finances.
AVS is an excellent first line of defense, but to make fraud prevention even more challenging for businesses, not every AVS match on a transaction means the purchase is legitimate.
Because AVS matches only the numeric portions of addresses — and not the full addresses — fraudsters have learned ways to circumvent the system:
Many methods of fraud protection can be a double-edged sword: Using it too aggressively can trigger a higher volume of false declines, which can cost the business revenue, future sales and customer loyalty. But being too lax can leave the business open to fraud and expensive chargeback disputes.
With all the possible avenues of fraud and inevitable data breaches, AVS may not be strong enough on its own to allow businesses to confidently approve transactions. Instead, a multilayered fraud prevention system that may include 3-D Secure, IP address verification and multifactor authentication provides a robust fraud prevention strategy.
You want to approve as many orders as possible, and you should be able to. The question is, do you have the solution and/or resources to make that possible?
At ClearSale, we use a hybrid fraud prevention model that incorporates several elements:
Wondering if your ecommerce business is generating too many false declines? Our research shows that 58% of declined transactions are legitimate orders. Get your results with our Approval Rate Calculator.