The idea behind the Address Verification System (AVS) is fairly simple: If the billing address entered by the shopper doesn’t match the billing address the bank has on file, it will trigger an AVS mismatch. From there, the transaction might be flagged and even declined.
In a simpler world, address verification services (AVS) would be the only method merchants would need to stop fraudulent transactions cold. Unfortunately, ecommerce doesn’t operate in a simple world.
Declining all transactions that show a mismatch between the shopper’s address and the one the bank has on file might stop fraud cold, but it can also freeze out legitimate transactions.
So, should you ignore AVS mismatches? No. But nor should you stake the entire transaction on them: Our own data reveals we’ve safely approved more than 95% of transactions with an AVS mismatch. And more than half of the fraudulent orders we see have a full or partial AVS match.
Ultimately, walking the line between combatting fraud and preventing AVS mismatches from derailing transactions can be tricky for ecommerce merchants.
In this guide, we explain everything merchants need to know about AVS, the most common reasons transactions get flagged by AVS tools, how fraudsters attempt to circumvent AVS protections, and what steps merchants can take to walk that fine line and ensure a shopping experience that is both safe and frictionless.
How Merchants Benefit From AVS
The Address Verification Service (AVS) concept was originally introduced by Mastercard but is now a service provided by all major credit card payment processors — and with good reason. Card-not-present fraud losses are projected to increase to $7.2 billion in 2020, according to Aite Group.
The primary goal of AVS is to allow merchants to verify that the person placing a card-not-present (CNP) order is actually the card holder. Although it is not fool-proof, AVS is one of the most commonly used fraud prevention tools.
If the AVS indicates a match, the merchant can be more confident their customer is who they say they are — or that they’re at least an authorized user of the credit card being used. In the case of an AVS mismatch, the merchant might consider declining the transaction.
As a security feature, AVS can automatically reject potentially fraudulent transactions — an appealing option for ecommerce merchants looking to reduce their fraud and chargeback ratios.
An added bonus? Even if merchants approve a transaction with full AVS match that later turns out to be fraudulent, they’re better equipped to fight any chargeback disputes: Showing the positive address match with proof the order was shipped to the cardholder’s address on file with the bank will strengthen a merchant’s case.
How Does AVS Work?
AVS automatically compares the billing address a customer enters in a credit card transaction against the address the bank has on file by comparing numeric values: In most cases the street number and the zip code. For example, if the customer’s address is 123 Main Street, Anytown, 55555, the AVS will validate only 123 and 55555.
The AVS process takes just seconds to complete and is invisible to customers. Once the shopper has entered their address and submitted their purchase, the following occurs:
- The payment gateway automatically sends the address entered to one of the major credit card networks (Visa, Discover, MasterCard, American Express).
- The credit card network transmits the information to the cardholder’s bank. The bank verifies the address against the address that is stored on their system.
- The cardholder’s bank transmits an authorization AVS code and authorization status to the payment gateway that the merchant is using.
If the cardholder’s bank or credit card company do not get a match, the system sends an AVS code that indicates the results of the address verification to the merchant. The code reveals how well the numbers entered by the purchaser match those in the issuer’s file. The code that is transmitted may be a complete match, a partial match or it may not match at all.
AVS Codes and What They Mean
The AVS codes are not binary; there are levels of match that can inform the steps the merchant takes next.
Here are the common AVS codes that a cardholder’s bank may transmit to a merchant:
- Y – There is a full match. For example, the apartment or suite number and the 6-digit zip code match.
- X – There is a full match with the apartment address and the 9-digit zip code provided.
- W – Indicates a partial match. For example, the 9-digit zip code matches but the apartment, street or suit number provided do not match.
- Z – This code indicates a partial match. For example, the 5-digit zip code matched but the apartment, street or suit number do not match.
- A – A partial match. The provided street address matches that on the issuers system but the zip code differs.
- G – The merchant that the card being used for purchase is from a non-U.S. issuer.
- N – No match was made on the street address or the zip code provided.
- R – The purchaser has to retry entering their information due to a system timeout or error.
- U – The card issuer does not support AVS or that the information is not available at the time of the purchase.
What Should Merchants Do with AVS Mismatch Codes?
Depending on the AVS code returned, a merchant’s next step is either a cancellation of the order, further investigation or simply approval to ship, based on their discretion.
It is up to the merchant to weigh the pros and cons and decide if they should trust the purchaser. In most cases, a partial-match code will signify a red flag that the person performing the transaction is not the card holder. However, the merchant may still allow the purchase to go through based on automatic rules that they’ve set up.
Setting Up AVS Rules
When setting up their AVS, a merchant should bear in mind that issues like data entry errors may result in a partial AVS code being transmitted. For example, if someone is entering in their billing address on their mobile device and transposes two digits of their zip code – an easy enough mistake to make – it may result in an AVS mismatch.
Also, depending on the volume of transactions the merchant processes, it may be impossible to review each transaction manually to determine if it’s fraudulent.
As such, merchants should set up automatic rules for AVS code handling based on their individual level of risk aversion and their ability to evaluate an order and determine if it’s worth accepting. While the payment processor will present a set of rules to the merchant for them to decide which ones to filter out, it’s up to the merchant to decide which of the AVS codes they want to approve or decline.
A different shipping address may indicate that the purchaser is not the cardholder, or it may not. Because of this ambiguity, merchants must be careful not to act too quickly when declining transactions. Sometimes, more investigation is necessary.
Further Investigative Steps for Merchants and Address Verification Service (AVS)
Because the codes aren’t foolproof and AVS rules can’t account for every scenario, some transactions may require additional investigation by the merchant to determine validity:
If all these measures have been exhausted and no positive association can be made, it may be an indicator of a fraudulent transaction and grounds for an order cancellation. While all this investigating may sound like a lot of work, for merchants the benefits outweigh the effort.
AVS Mismatch and the Costs of False Declines
False declines can leave good customers frustrated and upset. In fact, false declines can cost merchants more in lost sales than the cost of ecommerce fraud:
- A customer is 4x more likely to go to your competitor if a problem is service-related, rather than price- or product-related. (Bain & Company)
- If a merchant declines their payment, 39% of consumers will never place an order with that merchant again. (ClearSale/Sapio Research)
- Repeat customers spend 2x more than new customers. (McKinsey)
- 96% of consumers classify customer service as an important factor in their choice of loyalty to a brand. (Microsoft)
- A promoter has a 1400% higher value than a detractor. (Bain & Company)
- Detractors are 2x as likely to talk about bad brand experiences. (TARP Research)
- For every customer who complains to the customer support department, there are 26 unhappy customers who don’t bother to contact the company. (TARP Research)
Triggering an AVS fraud code has another downside that customers won’t appreciate.
When a transaction is declined due to AVS mismatch the bank can put a hold on the authorized funds that will remain on the customer's card until the issuing bank lets it expire (typically seven days for most business types except hotels and car rentals that can keep the hold in place up to 30 days). The held funds may be subtracted from the customer's available balance and create havoc in their personal finances.
Fraud Types AVS Can’t Catch
AVS is an excellent first line of defense, but to make fraud prevention even more challenging for merchants, not every AVS match on a transaction means the purchase is legitimate.
Because AVS matches only the numeric portions of addresses — and not the full addresses — fraudsters have learned ways to circumvent the system:
- Mimicking Delivery Addresses
To have their transactions approved, fraudsters will pick a shipping address that’s close in proximity to the billing address and that uses the same AVS number. If the billing address is 123 Main Street, Anytown, NY, 12345, the fraudster may use 123 Maple Street, Anytown, NY, 12345 as the shipping destination. The AVS details are similar enough to not raise suspicion, and the fraudster simply picks up the package at the new location.
- Foreign Addresses
AVS can currently be used only with addresses in the United States, Canada and the United Kingdom. Fraudsters know that makes it ineffective for many international transactions.
- Alternate Payment Methods
Merchants must remember that not every payment method can take advantage of AVS. Prepaid debit cards rarely require customers to keep billing or shipping addresses on file, eliminating AVS as a useful screening tool.
- Digital Products
The challenge for fraudsters with physical goods is redirecting or intercepting the delivery. Not so with digital downloads. AVS doesn’t match email addresses to credit card or address information. The fraudster uses the victim’s details for the transaction then adds their own (burner) email address for digital delivery.
- Identity Theft
This occurs when someone uses personal information to open a credit card in the victim’s name. For example, a thief could a stolen Social Security number to apply for a credit card without the person’s knowledge. More than 270,000 cases of credit card fraud occurred in 2019 alone. (Motley Fool)
- Stolen Data
Just because AVS can confirm an address match, that doesn’t mean it’s the legitimate cardholder making the transaction.
Data Breaches and the Dark Net
The fact is today’s credit card holder is more likely to be a victim of fraud due to a data breach than a lost card or “shoulder surfer” memorizing card details. Data breaches may include full customer payment data including billing address or if not, once they have a victim’s card details, a determined fraudster may be willing to search public records for an address.
In 2019, the number of data breaches in the United States amounted to 1,473 with over 164.68 million sensitive records exposed. In the first half of 2020, there were 540 reported data breaches. (Statista)
When fraudsters buy credit card data on the dark net, they’re receiving more than just a credit card number. They’re also frequently receiving a card’s CVV and AVS at an affordable price.
Privacy Affairs’ Dark Web Price Index from October 2020 showed credit card details for sale for accounts with a balance up to $1000 priced at $12 and card details for an account balance up to $5000 available for sale for $20.
Is Address Verification Service Right for Your Business?
Many methods of fraud protection can be a double-edged sword: using it too aggressively can trigger a higher volume of false declines, which can cost the merchant revenue, future sales and customer loyalty. But being too lax can leave the merchant open to fraud and expensive chargeback disputes.
With all the possible avenues of fraud and inevitable data breaches, address verification service may not be strong enough on its own to allow merchants to confidently approve transactions. Instead, a multilayered fraud prevention system that may include 3-D Secure, IP address verification and multifactor authentication provides a robust fraud prevention strategy.
A managed services solution may be just the right approach for merchants who are looking to make smart transaction decisions, mitigate fraud risk and minimize chargebacks while keeping customers happy and willing to shop with them again.
Wondering if your ecommerce business is generating too many false declines? Our research shows that 58% of declined transactions are legitimate orders. Get your results with our Approval Rate Calculator.