With card-not-present fraud on the rise, there’s been an industry-wide push to find innovative ways to differentiate between legitimate and fraudulent purchases. This is where the Address Verification System (AVS) comes into play.
An AVS mismatch is when the billing address provided at checkout does not match the billing address or payment credentials on file with the card issuer. Since fraudsters often have the cardholder’s address information, they’ll often be able to push a transaction through, but will then change the shipping address to their own. AVS codes are used to flag suspicious activity and cut down on CNP fraud.
Table of Contents
How an AVS Mismatch Relates to Card Fraud
To cut down on credit card fraud, card issuers and banks have implemented more sophisticated measures that can flag suspicious transactions before they occur. It’s much harder to mediate the problem after fraud occurs, which is why AVS filters are useful.
To do so, an AVS validates the numbers in the billing address with the card address on file to ensure the cardholder is making the purchase. This system helps merchants, payment processors and card issuers proactively fight fraud. By automatically setting AVS mismatch filters, merchants can flag suspicious transactions before they occur. This helps increase the chance that fraud will be stopped, but unfortunately, it also increases the chance that a legitimate purchase won’t go through. In managing AVS codes, merchants must find a happy balance.
AVS acts as a fraud-prevention measure to help verify CNP transaction both online or on the phone. Since the buyer must provide all personal details, including address and zip code and CVV, this allows for a cross-check system to determine if the cardholder has the physical card in their possession, or is the legitimate owner of that card. When one of those details doesn’t match up, that signals to an issuer that the card, or card details, may have been stolen.
How do AVS Mismatch Filters Work?
When a merchant receives an AVS mismatch alert, that doesn’t always mean the purchase is fraudulent. These filters are complicated to understand as they vary by issuer and card type. With each order placed online, the payment processor sends a request for an AVS approval to determine if there is an address match. If authorized, an issuer will approve the processor to authorize the transaction request.
To complete the transaction request, an issuer’s system has to be able to quickly and adequately verify the order details against the payment details they have on file with that specific cardholder. Once the transaction gets initiated, the merchant receives a particular AVS code signaling the type of match. This can include three options: Match, partial match and mismatch (see the chart below for an explanation of each AVS mismatch code).
Typically, depending on the level of risk for each transaction, a merchant can decide on which type of AVS code they want to accept or reject. This helps merchants control their risk levels while maintaining positive relationships with their processors and issuers. Traditionally, a payment processor will provide basic checklists to merchants so they can quickly decide which order to reject and which to accept. These rejection checklists often suggest rejecting a request based on the following:
- The postal code does not match, is not verified or is not provided
- Issuing bank does not support AVS
- Street address does not match, is not verified or is not provided
- Issuing bank does not support AVE, or this is an AVS system error
Fixing An AVS Mismatch Problem
For merchants who want to ensure they aren’t turning away legitimate customers, there are some quick tips they can rely on to avoid managing an AVS mismatch. For merchants who recognize a recurring customer, they should trust the customer and allow payments to continue. For new customers, merchants must weigh the benefits versus the risks with each transaction. When a transaction is flagged, be prepared to provide an immediate reason to the customer so they can remediate the situation without losing that customer.
When a merchant receives an AVS mismatch, they can do one of three things:
- Try and process the transaction again
- Override the payment system
- Approve the transaction, or cancel the transaction.
Selecting which option all comes down to how well the merchant can manage risk, and how willing they are to trust a particular customer. If approved when the risk is higher, a merchant may pay a higher transaction rate to compensate for the risk. Rerunning the transaction can add more risk since it can keep a charge pending, which can cause friction with the potential customer.
When in doubt about a transaction, it may be worth taking the extra effort to personally reach out to the customer to verify details and determine if they accidentally entered the wrong information — or haven’t updated their card address on file. Managing these issues personally without immediately rejecting a purchase can show a customer you are just trying to protect your business, and themselves, from fraud.
To maintain smooth customer relationships, managing AVS codes are all about knowing your customer, determining the level of risk with each transaction and being able to quickly respond to AVS rejections. Staying ahead of fraud management, particularly in the CNP environment, matters for merchants being able to proactively manage risk, keep their customers happy and allow legitimate transactions to be properly approved.
Why Legitimate Charges Get Flagged by an AVS Mismatch Filter
Merchants need to be prepared for receiving an AVS mismatch code for an order that is, in fact, legitimate. Merchants should not get in the habit of rejecting all orders that get an AVS mismatch since they could be turning down legitimate customers. Instead, merchants should ensure they are working with payment processors that have stronger AVS filters to ensure they are properly screening orders.
For example, credit cards from outside the U.S., Canada and the UK do not support AVS, which means that buyers with cards from countries outside those regions could get immediately flagged for no real reason. This is just one of many scenarios where issues can occur.
In plenty of other cases, you may have a cardholder who has moved and forgotten to update the address of their credit card or a buyer with multiple credit cards who has numerous addresses In some cases customers have different billing and shipping addresses and forget to fill out both forms. Or, you may have a college kid using their parent’s credit card and sending items to their address, not realizing the problems this could cause for credit card issuer’s fraud flags. In each of these cases, an AVS mismatch can be easily triggered for legitimate purchases.
Why Illegitimate Charges Can Still Get an AVS Match
On the contrary, just because a merchant gets an AVS match, this doesn’t mean the purchase is legitimate. Fraudsters on the dark web are selling card credentials, including addresses, zip codes and CVVs cheaply and at mass scale. These same fraudsters are also sophisticated enough to understand how merchants flag purchases, and how AVS mismatch codes work.
This is often while fraudsters will enter a zip code or address that’s close to a shipping address, but the enter a house number that matches the zip code attached to that credit card account. By having AVs details that appear similar to each other, there is less of a chance that a merchant’s system flags the transaction. In high population areas where addresses are close to each other, fraudsters will often find another drop-off location to collect packages as to avoid raising suspicion over AVS details. When sophisticated fraudsters want to commit fraud, in today’s word, there’s a good chance they’ll find a way. Merchants must be aware of different schemes that can work to bypass processor and issuer AVS filters.
AVS Mismatch: What Merchants Need to Know
As explained above, legitimate orders can receive AVS mismatch codes, while illegitimate orders can receive AVS match codes. Like most things in fraud management, there is no black and white approach to flagging suspicious behavior. This is why merchants should not filter orders based on AVS mismatch codes. Rejecting customers based on AVS codes is one sure way to turn down good customers — which can lead to increased churn.
Still, in understanding AVS mismatch codes, merchants should remember there is a correlation between a full AVS match and a legitimate order. AVS codes are another piece of the fraud management puzzle that can help merchants make better, more informed decisions about the customer’s habits, which help control fraud and risk levels.
As more shoppers turn to online shopping, this also complicated the chance for AVS errors. Since people are less likely to complete forms properly due to the size difference and chance for glitches, merchants must keep this in mind when evaluating an AVS mismatch. Merchants must also consider that many people frequently move without updating their billing address on file. According to Riskified, a majority of mobile order that receive a partial AVS match, or no AVS match should still be approved. This will continue to be an ongoing challenge for merchants to manage as more spend shifts online, and CNP fraud continues to rise.
AVS Mismatch Code Chart
Code | Visa | Mastercard | Discover | American Express |
---|---|---|---|---|
A | Street address matches, ZIP does not | Street address and 5-digit ZIP match | Address only Matches | Address and ZIP match |
B | Street address matches, but ZIP not verified. | Not applicable | Not applicable | Not applicable |
C | Street address and ZIP not verified | Not applicable | Not applicable | Not applicable |
D | Street address and ZIP match (International Only) | Not applicable | Not applicable | Not applicable |
E | AVS data is invalid or AVS is not allowed for this card type. | Not applicable | Not applicable | Not applicable |
F | Street address and postal code match (UK Only) | Not applicable | Not applicable | Street address matches, card member name does not match |
G | Non-U.S. issuing bank does not support AVS. | Not applicable | Not applicable | Not applicable |
I | Address information not verified for international transaction | Not applicable | Not applicable | Not applicable |
K | Not applicable | Not applicable | Not applicable | Card member name matches |
L | Not applicable | Not applicable | Not applicable | Card member name and ZIP match |
M | Street address and postal code match (International Only) | Not applicable | Not applicable | Card member name, street address, and ZIP code match |
N | Street address and ZIP code do not match | Street address and ZIP code do not match | Street address and ZIP code do not match | Street address and ZIP code do not match |
O | Not applicable | Not applicable | Not applicable | Card member name and street address match |
P | Zip code matches, street address unverifiable due to incompatible formats (International Only) | Not applicable | Not applicable | Not applicable |
R | System unavailable, retry | System unavailable, retry | System unavailable, retry | System unavailable, retry |
S | AVS not supported | AVS not supported | AVS not supported | AVS not supported |
T | Not applicable | Not applicable | 9-Digit ZIP matches, street address does not | Not applicable |
U | Address information unavailable. Returned if the U.S. bank does not support non-U.S. AVS or if the AVS in a U.S. bank is not functioning properly. | Address information unavailable | Address information unavailable | Address information unavailable |
W | 9-Digit ZIP matches, street address does not | 9-Digit ZIP matches, street address does not | 9-Digit ZIP matches, street address does not | Card member name, ZIP, and street address do NOT match |
X | 9-Digit ZIP and street address match | 9-Digit ZIP and street address match | 9-Digit ZIP and street address match | Not applicable |
Y | 5-Digit ZIP and street address match | 5-Digit ZIP and street address match | 5-Digit ZIP and street address match | 5-Digit ZIP and street address match |
Z | 5-Digit ZIP matches, street address does not | 5-Digit ZIP matches, street address does not | 5-Digit ZIP matches, street address does not | 5-Digit ZIP matches, street address does not |