AVS and CVV rules only apply to credit card transactions.

Many banks approve transactions even if the address information or Card Verification Value (CVV) included with the transaction doesn’t match what they have on file. We offer customizable Address Verification System (AVS) and CVV rules as part of our Basic Fraud Tools, so you can help ensure that only authorized users of a credit card are able to make purchases. See all of the available AVS and CVV rejection criteria.

Enabling AVS and CVV rules

  1. Log into the Control Panel
  2. Navigate to Settings > Processing > Fraud Tools
  3. Under AVS or CVV, click Options
  4. Select your desired AVS or CVV rejection criteria
    • You have the option to apply the rules to all transactions or only to specific card types, amounts, or merchant accounts
  5. Click Save

If you use our Drop-in UI and you enable CVV rules or AVS rules for postal codes in the Control Panel, the fields needed to collect that information will automatically appear on your checkout form.

How AVS and CVV rules work

When you submit a transaction or verification request for a new payment method, we pass the address and CVV information that you have provided to the issuing bank. If the bank approves, their approval response will also include AVS and CVV response codes; these codes indicate whether the numeric values in the address and CVV match their records.

If the issuing bank’s response triggers one of your AVS or CVV rules, we will reject the transaction or verification and send a void request to the issuing bank. Keep in mind that some banks don't recognize void requests immediately. If you do not have AVS or CVV rules enabled, we will ignore the response code.

AVS and CVV rules only apply to first time transactions and will not be applied to recurring payments or any transactions created using credit cards stored in the Vault. If you’d like to re-verify a customer’s address information for a card that is already stored in the Vault, you can do so via the API. Due to PCI compliance restrictions, we never store your customers’ CVVs; you’ll need to collect this from them again if you would like to re-verify a card.

Recommended setup options

A business offering subscription-based services in the UK has different needs than one that ships physical products in the US, so they’ll likely need different AVS and CVV rules to help mitigate fraud. That being said, there are some standard recommendations that apply to most merchants.

It's best practice for most merchants to collect CVV information—it helps lower the risk of fraudulent transactions and can be used as supporting evidence in your favor if the customer issues a dispute. Regardless of whether you choose to verify the CVV, selecting to reject transactions if CVV is not provided will ensure that your customer supplies this information.

Because AVS rules only check the numeric values of an address, we typically don't recommend enabling the Street Address does not match or Street address not verified rules. If your customer lives at 12345 6th Street, depending on how they enter the information, it could confuse the system and cause false rejections.

International AVS

By default, AVS rules will only apply to transactions and verifications that:

  • Have a billing address in the United States
  • Don’t specify a country of origin

If you prefer to apply AVS rules to all transactions and verifications, set the Country Scope to Global when editing your AVS rules.


Many card issuing banks outside of the US, UK, and Canada do not consistently support AVS. If you choose to enable Global AVS, you could see an increased decline rate for transactions and verifications originating in countries without AVS support. To avoid this, we recommend that you do not select the following as reasons to reject transactions:

  • Issuing bank does not support AVS
  • Postal Code not verified
  • Street Address not verified

Additionally, you can manually skip AVS checks when processing transactions via the API from countries other than the US, UK, and Canada; learn more in our developer docs.

International postal codes

If your customers are located in a country where postal codes include both letters and numbers, the Postal Code AVS rules may not be enough to protect you from fraud. This is because our rules will only check the order of numbers in the postal code, and will not check letters or the placement of numbers.

For example, take the fictional postal code of 1ABCD2. The customer could provide any postal code that included the numbers 1 and 2 – as long as all other values were letters and the 1 always came before the 2 – and AVS rules would not reject the transaction. Successful postal codes could range from 1AB2CD to 12HIJK.

Overriding rejections

When creating transactions via the API, you can selectively skip AVS and CVV checks. Alternatively, you can always ask the customer to provide a different payment method.

Still have questions?

If you can’t find an answer, contact our Support team.

← Back to Previous Page