Many banks approve transactions even if the address information or Card Verification Value (CVV) included with the transaction doesn’t match what they have on file. We offer customizable Address Verification System (AVS) and CVV rules as part of our Basic Fraud Tools, so you can help ensure that only authorized users of a credit card are able to make purchases. See all of the available AVS and CVV rejection criteria.
- Log into the Control Panel
- Navigate to Settings > Processing > Fraud Tools
- Under AVS or CVV, click Options
- Select your desired AVS or CVV rejection criteria
- You have the option to apply the rules to all transactions or only to specific card types, amounts, or merchant accounts
- Click Save
When you submit a transaction or verification request for a new payment method, we pass the address and CVV information that you have provided to the issuing bank. If the bank approves, their approval response will also include AVS and CVV response codes; these codes indicate whether the numeric values in the address and CVV match their records.
If the issuing bank’s response triggers one of your AVS or CVV rules, we will reject the transaction or verification and send a void request to the issuing bank. Keep in mind that some banks don't recognize void requests immediately. If you do not have AVS or CVV rules enabled, we will ignore the response code.
AVS and CVV rules only apply to first time transactions and will not be applied to recurring payments or any transactions created using credit cards stored in the Vault. If you’d like to re-verify a customer’s address information for a card that is already stored in the Vault, you can do so via the API. Due to PCI compliance restrictions, we never store your customers’ CVVs; you’ll need to collect this from them again if you would like to re-verify a card.
A business offering subscription-based services in the UK has different needs than one that ships physical products in the US, so they’ll likely need different AVS and CVV rules to help mitigate fraud. That being said, there are some standard recommendations that apply to most merchants.
It's best practice for most merchants to collect CVV information—it helps lower the risk of fraudulent transactions and can be used as supporting evidence in your favor if the customer issues a dispute. Regardless of whether you choose to verify the CVV, selecting to reject transactions if CVV is not provided will ensure that your customer supplies this information.
Because AVS rules only check the numeric values of an address, we typically don't recommend enabling the Street Address does not match or Street address not verified rules. If your customer lives at 12345 6th Street, depending on how they enter the information, it could confuse the system and cause false rejections.
By default, AVS rules will only apply to transactions and verifications that:
- Have a billing address in the United States
- Don’t specify a country of origin
If you prefer to apply AVS rules to all transactions and verifications, set the Country Scope to Global when editing your AVS rules.
If your customers are located in a country where postal codes include both letters and numbers, the Postal Code AVS rules may not be enough to protect you from fraud. This is because our rules will only check the order of numbers in the postal code, and will not check letters or the placement of numbers.
For example, take the fictional postal code of 1ABCD2. The customer could provide any postal code that included the numbers 1 and 2 – as long as all other values were letters and the 1 always came before the 2 – and AVS rules would not reject the transaction. Successful postal codes could range from 1AB2CD to 12HIJK.
Still have questions?
If you can’t find an answer, contact our Support team.