Many banks approve transactions even if the address information or Card Verification Value (CVV) included with the transaction doesn’t match what they have on file. Braintree offers customizable Address Verification System (AVS) and CVV rules as part of our Basic Fraud Tools, so you can help ensure that only authorized users of a credit card are able to make purchases. See all of the available AVS and CVV rejection criteria.
- Log into the Control Panel
- Navigate to Settings > Processing > Basic Credit Card Fraud Tools > AVS or CVV
- Click Edit
- Select your desired AVS or CVV rejection criteria
- You have the option to apply the rules to all transactions or only to specific card types, amounts, or merchant accounts
- Click Save
When you submit a transaction or verification request for a new payment method, we pass the address and CVV information that you have provided to the issuing bank. If the bank approves, their approval response will also include AVS and CVV response codes; these codes indicate whether the numeric values in the address and CVV match their records.
If the issuing bank’s response triggers one of your AVS or CVV rules, we will reject the transaction or verification and send a void request to the issuing bank. Keep in mind that some banks don't recognize void requests immediately.
If you do not have AVS or CVV rules enabled, Braintree will ignore the response code. In addition, AVS and CVV rules won’t apply to recurring payments or any transactions created using credit cards stored in the Vault. If you’d like to re-verify a customer’s address information for a card that is already stored in the Vault, you can do so via the API. Due to PCI compliance restrictions, we never store your customers’ CVVs; you’ll need to collect this from them again if you would like to re-verify a card.
A business offering subscription-based services in the UK has different needs than one that ships physical products in the US, so they’ll likely need different AVS and CVV rules to help mitigate fraud. That being said, there are some standard recommendations that apply to most merchants.
It's best practice for most merchants to collect CVV information—it helps lower the risk of fraudulent transactions and can be used as supporting evidence in your favor if the customer issues a dispute. Regardless of whether you choose to verify the CVV, selecting to reject transactions if CVV is not provided will ensure that your customer supplies this information.
Because AVS rules only check the numeric values of an address, we typically don't recommend enabling Street Address Verification. If your customer lives at 12345 6th Street, depending on how they enter the information, it could confuse the system and cause false rejections.
By default, AVS rules will only apply to transactions and verifications with a billing address in the US and transactions that don’t specify a country.
While many countries do not consistently support AVS, addresses in the US, Canada, and the UK are standardized enough for AVS checks to be run. AVS rules are not enabled for Canada and the UK by default, but if you’d like this functionality, you can set the Country Scope to Global when editing your AVS rules.
When creating transactions via the API, you can override AVS and CVV checking by selectively disabling card verification. Alternatively, you can always ask the customer to provide a different payment method.