Address Verification Service (AVS) Prevents Chargebacks
Table of Contents
- What is AVS?
- How Does AVS Work?
- What are AVS's Strengths and Weaknesses?
- Does AVS Ever Block Real Customers?
- Frequently Asked Questions
The only effective way to stop true fraud chargebacks is to prevent fraud in the first place, and one of the most often recommended anti-fraud tools is Address Verification Service, or AVS. It works by matching the address provided by the customer against the cardholder’s address on file with the card issuer, where a discrepancy would indicate possible fraud. This can work well as a front line defense against stolen cards, but it won’t catch every fraudster, and using it too restrictively could block out some legitimate transactions. How should merchants use AVS in their strategy to fight fraud and chargebacks?
What is AVS?
AVS is a system that checks address information provided by the customer during a transaction against the information on file with the bank. This adds an additional obstacle to fraud and identity theft.
This system was initially developed by Mastercard, but has long been in place with all of the major credit card networks, including Visa, American Express, and Discover. These days it's almost always used in card-not-present transactions such as self-serve gas pumps and online purchases.
Merchants and customers are quite accustomed to various degrees of AVS matching. We’re used to entering our full billing address at the online store, but the gas pump just gets our ZIP code. Who decides how much address needs to be verified? The merchant—although the banks may try to influence things in a “safer” direction with higher processing fees for unverified transactions.
If you’re dealing with a high rate of chargebacks resulting from true fraud, it’s worth taking a look at how your AVS is set up to see if it could be doing a better job of filtering out the fraudsters.
How Does AVS Work?
AVS is activated when the transaction is being authorized. The cardholder provides an address which is entered into the merchant’s payment gateway, and AVS compares the numeric parts of the address—the street number and ZIP or postal code—to the address on file, and generates a code. This code indicates whether there is a complete or partial match, or if matching is impossible due to lack of support from the issuing bank or some other error.
The merchant can then use this code to decide whether or not to proceed with the transaction. Usually, this decision is made automatically according to rules the merchant set in their payment gateway. Merchants with a lot of international customers, for example, might want to allow the response code that indicates no AVS support from the issuer, since AVS isn’t widely available outside of the United States, Canada, and the United Kingdom. This process occurs during the standard authorization communications and does not delay or disrupt successful transactions at all.
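As an added illustration (not code from the original page or from any gateway), this Python example mimics the two steps described above: comparing only the numeric parts of the address, then applying merchant rules to the result. The outcome labels, the `STRICT` and `LENIENT` rule sets and the sample addresses are constructed assumptions; real gateways return network-specific response codes.

```python
import re

# Outcome labels are hypothetical; real gateways return network-specific codes.
FULL, STREET_ONLY, ZIP_ONLY, NO_MATCH, UNSUPPORTED = (
    "full_match", "street_only", "zip_only", "no_match", "unsupported")

def street_number(street: str) -> str:
    """Leading house number of a street line, or '' when the line starts otherwise."""
    m = re.match(r"\s*(\d+)", street)
    return m.group(1) if m else ""

def zip5(postal: str) -> str:
    """First five digits of a US ZIP or ZIP+4, ignoring punctuation."""
    return re.sub(r"\D", "", postal)[:5]

def avs_compare(entered_street, entered_zip, on_file):
    """Compare numeric parts only. on_file is (street, zip), or None when
    the issuer does not support AVS."""
    if on_file is None:
        return UNSUPPORTED
    num, file_num = street_number(entered_street), street_number(on_file[0])
    zc, file_zc = zip5(entered_zip), zip5(on_file[1])
    street_ok = num != "" and num == file_num
    zip_ok = zc != "" and zc == file_zc
    if street_ok and zip_ok:
        return FULL
    if street_ok:
        return STREET_ONLY
    return ZIP_ONLY if zip_ok else NO_MATCH

# Two constructed merchant rule sets: what to do with each outcome.
STRICT = {FULL: "approve", STREET_ONLY: "decline", ZIP_ONLY: "decline",
          NO_MATCH: "decline", UNSUPPORTED: "decline"}
# Allows issuers without AVS (e.g. many international cards) and ZIP-only matches.
LENIENT = {**STRICT, ZIP_ONLY: "approve", UNSUPPORTED: "approve"}

def decide(outcome: str, policy: dict) -> str:
    """Unknown outcomes fail closed."""
    return policy.get(outcome, "decline")

if __name__ == "__main__":
    # Constructed sample data: (entered street, entered ZIP, issuer record).
    cases = [
        ("120 Main St", "94110-1234", ("120 Main Street", "94110")),
        ("999 Oak Ave", "94110", ("120 Main Street", "94110")),
        ("120 Main St", "94110", ("Apt 4, 120 Main St", "94110")),  # issuer format differs
        ("1 Rue Exemple", "75001", None),                           # issuer has no AVS
    ]
    for street, postal, record in cases:
        outcome = avs_compare(street, postal, record)
        print(outcome, decide(outcome, STRICT), decide(outcome, LENIENT))
```

In the third case a correct address is declined under the strict rules because the issuer's record begins with the apartment number, so the house number is not where the comparison expects it.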
What are AVS’s Strengths and Weaknesses?
What AVS is very good at is stopping what you might call “traditional” credit card fraud: a fraudster who has stolen somebody else’s physical payment card, or one who has made a copy of the visible card information—the cardholder’s name, card number, and expiration date.
In most cases, the fraudster will have no idea what the cardholder’s billing address is. They might be able to make an educated guess as to the ZIP code, but there’s not much chance they’ll get the street number right. AVS will come back with a mismatch code, the merchant will decline the transaction, and fraud is averted.
Unfortunately, there are plenty of scenarios in which a fraudster will have access to the card’s billing address. Data breaches can often include full customer payment credentials, since many businesses still store this information unencrypted. Even when customer information is secured, a password leak from an insecure site can compromise customer information when fraudsters enter leaked credentials into other sites to check for password re-use.
Even when the payment information doesn't include a billing address, determined fraudsters can often find the cardholder through social media to get more information about them, then search public records for the cardholder's address. In addition to online fraudsters, some people steal cards from people they know, and therefore already know the information they need to pass an AVS check.
Still, it presents fraudsters with an obstacle to get past, and without it, a lot more fraud would surely occur.
Does AVS Ever Block Real Customers?
Most customers will never have an issue with AVS. If they enter their address incorrectly and the transaction is declined, the merchant can simply allow them to correct it and try again. However, there are some circumstances where, depending on how restrictive you’ve made the settings in your payment gateway, some legitimate customers might not be able to get past AVS:
- They don’t know their billing address. Maybe they signed up for the card a long time ago under an old address and haven’t used it until now. They’ll have to sort this out with their bank before they can proceed.
- Their bank doesn’t support AVS. This might be the case for many of your international customers, or customers using pre-paid debit cards. You can adjust your AVS setting to allow the response code that is causing these customers to be declined.
- AVS can’t recognize the numbers provided because of an apartment number or non-standard address in the information on file. In rare cases, the customer may be entering a “correct” address, but it doesn’t match because the issuer has it entered differently in their database. Again, the customer may need to talk to their bank to get this fixed.
For every merchant, the decision as to how permissive or restrictive to set their AVS matching requirements depends largely on their customer base, but also on how much risk they’re willing to take on. Accepting mismatched or AVS-unsupported transactions can not only cause you to incur higher interchange fees, it also greatly increases your exposure to fraud and chargebacks. On the other hand, few merchants require the highest level of matching—the full nine-digit ZIP code.
AVS is only meant to be one of many tools in your arsenal against fraud. You can’t rely on it to stop sophisticated forms of fraud, but at the right settings, it can effectively screen out the low-effort fraudsters.
AVS is best used in combination with other methods of fraud detection, such as IP address verification, device fingerprinting, and 3-D Secure. The more layers of protection you have, the lower the chances that a given fraud attempt will contain all the right information to succeed.
The right AVS settings will vary from merchant to merchant. For most eCommerce merchants who aren’t part of high-risk industries, requiring a close match will pose no problem for the vast majority of their customers. When you’re fighting a friendly fraud chargeback, proof of an AVS match can serve as compelling evidence in your favor—especially if the purchase was shipped to that same address.
In fact, when a chargeback is initiated, a merchant may not have representment rights if they can't provide information showing that they made a good-faith attempt to ensure the transaction was valid. There are many anti-fraud measures that can fulfill this requirement, but AVS is the simplest and easiest to implement.
In terms of chargeback management, deep data analysis can show you the AVS response codes that are causing you the most trouble, as well as which ones you might be blocking unnecessarily. An experienced chargeback management firm can help you integrate your AVS policies and processes into an overall strategy of stopping fraud and maximizing revenue.
Frequently Asked Questions
Can AVS prevent chargebacks?
Do all banks support AVS?
How does AVS verify addresses?
What is "AVS Rejected"?