Credit Card AVS Mismatch
At some point, every merchant wonders, “What is an AVS mismatch? And what can I do about it?”
The Address Verification System (AVS) is a system created by Mastercard.
It is meant to protect merchants against fraud (especially card-not-present fraud, or CNP) by comparing the address the card user submits against the billing address the issuing bank has on file for that customer.
The AVS checks the billing address submitted by the card user against the cardholder’s billing address on record at the issuing bank. This is done as part of the merchant’s request for authorization of the credit card transaction.
This verification step is meant to ensure that the person doing the buying is the actual cardholder.
Payment processors advise merchants to keep AVS filters on as one measure against fraud.
At the same time, though, these filters are only one part of a comprehensive set of anti-fraud tools. On its own, the AVS system is not robust enough to mitigate all fraud.
Some merchant account providers mandate use of the AVS system, in order to help prevent fraud on accounts that have a higher likelihood of chargebacks. In other words, some business owners who are considered to be in a “high risk” industry, or to have a high-risk business model, will have to turn on AVS, and that may affect overall conversion. Why? Because the more fields people have to fill out, the more likely they are to abandon the whole process.
However, not all transactions that return AVS matches are legitimate, and not all that return AVS mismatches are fraudulent.
In this article, we’ll discuss what it means to get an AVS mismatch.
We’ll also discuss why declining transactions based only on AVS information is not the best idea.
Getting an AVS Error
The AVS system is a basic checkpoint that is meant to offer protection against fraud.
When a customer completes an online transaction, they provide an address for the product to be shipped to.
As part of the payment verification process, the AVS system checks the provided address against the customer’s billing address that the card issuing bank has on file.
The tricky part is that only the numeric portions of the address are checked. This means that “123 Anywhere Place, New York, NY 10021” is turned into “123 10021.”
If that doesn’t match the numeric data that the bank has, an “AVS Mismatch” is returned.
Though AVS filters can be turned on and off by the merchant, payment processors encourage merchants to always keep AVS on.
What they don’t tell merchants, though, is that the AVS filter alone doesn’t prove that a transaction is valid, or that it is fraudulent.
For maximum effectiveness, AVS filters should be considered to be just one part of a complete set of tools used to prohibit fraudulent transactions.
How the AVS System Works
After your customer places their order, a payment authorization request is sent to the issuing bank.
At the same time, an AVS verification request is made. The issuing bank checks the details of the order against the address information on record for that card holder, and one of several codes is returned.
All of the major card brands (Visa, Mastercard, Discover, American Express) use different codes. These codes have slightly different meanings.
Different codes are returned for full matches, partial matches, address match only, ZIP match only (both 5- and 9-digits), and no match. There are also codes for System Not Available and Information Not Available.
A business owner can then decide which codes will cause a rejected transaction. This will depend on how much they want to avoid potentially risky transactions, and their ability to internally review orders.
As useful as the AVS system is, though, the filters it provides are too broad.
Basing order legitimacy on AVS alone can easily result in costly chargebacks — and lost revenue.
“AVS Rejected” Doesn’t Always Mean Fraud
The AVS system is not used outside of the US, the UK, and Canada.
If your customer has a card issued outside those areas, their address cannot be verified.
Thus, the AVS system provides no fraud protection with regard to international orders.
There are other situations in which an AVS mismatch doesn’t suggest a fraudulent transaction.
For one, consider a customer who has been associated with their parents’ address for a long time, and who has moved recently.
It’s also possible that a customer might have several cards, and not remember the precise billing address used with each.
A customer might forget to provide a billing address.
Finally, sometimes a customer will have a different billing address from their shipping address, and they might not understand which is being asked for.
External data sources should be used to verify order legitimacy, whether AVS returns a match or not.
For example, consider Joe, a college student, who orders some clothing online.
AVS might return a mismatch because Joe didn’t understand what he was being asked to provide, and he put in the address of his college as both the shipping and the billing address.
In cases like these, it’s useful to consider external data sources.
- Does Joe’s email address indicate a college domain (****@somecollege.edu)?
- Does the IP range Joe’s order came from belong to a college?
- Does the shipping address belong to a college?
If there is an AVS mismatch for a smaller dollar transaction, and other variables seem legitimate (a match between the IP range, the email domain, and the shipping address, for example), some more advanced fraud prevention tools may still allow the transaction, as it is likely legitimate.
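The Joe scenario above, written as a triage rule for orders that came back with an AVS mismatch. This is an added example, not code from any fraud tool; the reference data (network range, campus street, the $100 limit) and all function names are assumptions made for illustration.

```python
import ipaddress

# Constructed reference data for one institution (assumed values).
COLLEGE = {
    "email_domain": "somecollege.edu",
    "networks": [ipaddress.ip_network("198.51.100.0/24")],
    "street": "1 campus drive",
}

def email_matches(email, domain):
    """True for user@domain or user@sub.domain, but not lookalike domains."""
    host = email.lower().rsplit("@", 1)[-1]
    return host == domain or host.endswith("." + domain)

def corroborating_signals(order, org):
    """Count how many of the three external checks agree with each other."""
    ip = ipaddress.ip_address(order["ip"])
    checks = [
        email_matches(order["email"], org["email_domain"]),
        any(ip in net for net in org["networks"]),
        order["ship_to"].lower().startswith(org["street"]),
    ]
    return sum(checks)

def triage_avs_mismatch(order, org, small_order_limit=100.00):
    """Decide what to do with an order whose AVS check returned a mismatch.

    A mismatch is never declined on AVS alone: small orders where all three
    signals line up are accepted, everything else goes to a human reviewer.
    """
    if order["amount"] <= small_order_limit and corroborating_signals(order, org) == 3:
        return "accept"
    return "manual_review"

# Constructed sample order: Joe enters his college address for everything.
JOE = {"email": "joe@somecollege.edu", "ip": "198.51.100.23",
       "ship_to": "1 Campus Drive, Room 12", "amount": 60.00}

if __name__ == "__main__":
    print(triage_avs_mismatch(JOE, COLLEGE))
```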
“AVS Match” Doesn’t Mean the Order is Legit
At the same time, not every AVS match is without fraud.
If a criminal is able to steal a credit card number, odds are they’ll get a house number and a zip code along with it.
This is all a fraudster needs to avoid an AVS mismatch.
Fraudsters have learned that a billing address far away from the ship-to address throws up a red flag.
Their workaround is to find someone willing to accept the package who lives in the same ZIP code, with the same house number.
This is easier to do in urban areas, where apartment buildings can house 100 people or more.
It’s easy for a person committing fraud to use a billing address that’s physically close to the shipping address — and which also has a ZIP code and house number that matches what’s in the issuing bank’s file.
For instance, let’s consider a situation where the billing address is 9400 Normandie Avenue, Los Angeles CA 90044.
A smart fraudster will look for a drop-off point that is both nearby and matches the AVS details they have (house number = 9400, ZIP code = 90044).
A simple search of that address turns up several others that would also match, for example 9400 Vermont Ave, Los Angeles CA 90044.
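The numeric-only comparison described under “Getting an AVS Error”, applied to the two Los Angeles addresses above, together with a merchant-side check that flags orders whose billing and shipping addresses share house number and ZIP but name different streets. This is an added example, not issuer or processor code; the parsing rules, the suffix table and the function names are assumptions.

```python
import re

# Small, assumed table so "Avenue" and "Ave" compare as the same street.
SUFFIXES = {"avenue": "ave", "street": "st", "place": "pl",
            "road": "rd", "boulevard": "blvd", "drive": "dr"}

def avs_key(address):
    """Reduce an address to the numeric data AVS compares:
    leading house number plus 5-digit ZIP (ZIP+4 is truncated)."""
    house = re.match(r"\s*(\d+)", address)
    zip5 = re.search(r"(\d{5})(?:-\d{4})?\s*$", address)
    parts = [m.group(1) for m in (house, zip5) if m]
    return " ".join(parts)

def street_name(address):
    """Street portion, lower-cased, house number removed, suffix normalised."""
    street = address.split(",")[0]
    words = re.sub(r"^\s*\d+\s*", "", street).lower().split()
    return " ".join(SUFFIXES.get(w, w) for w in words)

def same_numbers_different_street(billing, shipping):
    """True when both addresses reduce to the same AVS key yet are on
    different streets, so an AVS match says nothing about the ship-to."""
    return (avs_key(billing) == avs_key(shipping)
            and street_name(billing) != street_name(shipping))

BILLING = "9400 Normandie Avenue, Los Angeles CA 90044"
SHIPPING = "9400 Vermont Ave, Los Angeles CA 90044"

if __name__ == "__main__":
    print(avs_key("123 Anywhere Place, New York, NY 10021"))
    print(same_numbers_different_street(BILLING, SHIPPING))
```

Orders flagged by `same_numbers_different_street` are candidates for review alongside other signals, not automatic declines.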
The Future of AVS Errors
There are two common situations that both amplify the significance of AVS errors.
These are the rise of mobile devices used as payment terminals, and the prevalence of digital goods.
For one, it’s difficult to fill in forms accurately on a tiny mobile screen.
Not only that, but a significant portion of customers purchasing on mobile are younger people. They tend to move more often than established shoppers, and frequently forget to update their billing address with the issuing bank.
Digital goods are typically distributed to an email address, not a physical one.
A person intent on fraud can enter the actual card information, including the stolen physical address. They will simply replace the legitimate owner’s email address with their own.
If a merchant is known to use only AVS to screen their orders, the above trick can be used quite effectively.
The AVS system will return a match, as the physical address will match the legitimate card holder’s address. Only the email address (which is not checked) will be different, thus delivering the digital goods to the fraudster.
What Should We Do With AVS?
As a business owner, it’s not a good idea to filter your orders based only on AVS match or mismatch.
In fact, rejecting orders based solely on the AVS is a quick way to deprive yourself of perfectly good revenue.
Not only that, but these types of rejection can also cause you to lose perfectly good customers.
That said, the AVS system is not completely irrelevant.
A significant positive correlation can be observed between order legitimacy and a full AVS match.
The important thing is that like many other components of risk management, AVS information is valuable when taken in context.
It is useful when considered as one of several data points that, when taken together, govern whether any given transaction is legitimate or fraudulent.