AVS and CVV: When to use it and Why?

on Jan14

Sometimes when you’re processing a payment, the address verification and card code things might seem like an extra unnecessary step. Do you really need to use them?

 

First of all, what are AVS and CVV?

The address verification service (AVS) was created to help reduce fraudulent payments by comparing the address sent with the payment with the address on file for the cardholder at the card-issuing bank. If the two addresses don’t match, clearly there’s a higher probability of fraud. However, a non-match doesn’t necessarily mean it’s fraud. People move–and there’s usually a time lag in updating addresses with the issuing bank.

 

 The card code (also called CVV, CVC, CVV2, or CID) is a 3 or 4-digit code typically printed on the signature line on the back of the card. The idea is if a card number is stolen by electronic means, the thief would not have this code along with the card number–so if a transaction includes a card number along with a card code that matches the code on the back of the card, it’s less likely to be fraudulent. That is also the reason why you are not allowed to store the card code.

Do I need to use AVS and CVV?

It depends.  Whether you really need (or want) to use these fraud prevention tools depend on a few different factors:

  • How are you running the transaction? Did you swipe the card through a card-swipe device or type it in?
  • Is the customer standing in front of you? Or did you receive their payment information over the phone, via the mail, or over the Internet? Is this payment part of an e-commerce transaction?
  • How risky is your business? Is fraud a concern for your business? Do you get a lot of chargebacks–or is that a relatively once-in-a-blue-moon occurrence for you?
  • Are you selling within your own country, or internationally?
  • Will it make a difference in your transaction fees? 
  • How will you use these tools? What do you do with the AVS and CVV responses?

What type of order is it?

Some types of transactions benefit more from AVS and CVV than others. When you are running a retail store and swiping the customer’s credit card through your POS machine, there’s less of a need for address verification or card code. But when you’re typing the card number in, it becomes more important. Now the risk of fraud has gone up, so it behooves you to take the time to at least key in the customer’s zip code.

 

Now if the order is received via some remote method–like the phone or mail or Internet–the risk goes up even further, so that’s when AVS and CVV become really important.

Will it make a difference in my transaction fees?

When you don’t use AVS in a riskier situation, the card associations get nervous. It’s not just you as a a merchant that’s assuming risk in that situation, some of the responsibility falls on them, so when the risk level goes up, the card associations charge more by downgrading the transaction to what they call a non-qualified transaction. Transactions have three levels of qualification: qualified (lower risk), mid-qual (medium risk), and non-qual (high risk).

 

The merchant account blog shows a good example of what can happen to your fees for a keyed transaction that downgrades because AVS wasn’t used – fees can be pretty steep:

Depending on your merchant contract, a non-qualified transaction can cost as much as 2% and $.50 or more extra per transaction. What this can mean is that if you have a keyed merchant account setup at 2.3% with a transaction fee of $.25 per transaction, the downgrade to non-qualified can increase this to 4.3% and a $.75 transaction fee. Your costs to process the transaction nearly doubled …

 

Multiply that by 100 or 1,000 transactions and your costs for doing business just increased significantly. Let’s use the example above with a $100 average ticket and 100 transactions in a month. Say your processor charges you 5 cents per AVS request.

 

With AVS (so you get the qualified rate):

  • AVS costs: 100 x $0.05 = $5.00
  • Discount rate: $100 x 100 x 2% = $200.00
  • Transaction fees: 100 x $0.25 = $25.00
  • Total: $230.00 for $10,000 transaction volume.

Now, try it without AVS (transactions downgrade so you pay the non-qualified rate):

  •  AVS costs: $0.00 because you didn’t use it.
  • Discount rate: $100 x 100 x 4.3% = $430.00
  • Transaction fees: 100 x $0.75 = $75.00
  • Total: $505.00 for $10,000 transaction volume.

In a retail situation, it’s not this clear-cut because not ALL your transactions would downgrade (only your keyed transactions that didn’t have AVS, but for a mail order catalog or e-commerce situation, those extra fees can really add up. If you’re already accepting credit cards, check your processing agreement to see what your fees for qualified vs. non-qualified transactions are–and watch your monthly statement to see if your transactions are running as qualified, mid-qualified, or non-qualifed.

So besides extra fees, what good are AVS and card code?

The real purpose of AVS and CVV is not for giving your payment processor another opportunity to charge you more–they are intended to help YOU make better decisions on whether or not to accept certain orders. They’re not perfect tools and they can’t give you a yes/no answer on whether a transaction is fraudulent–that’s got to be your call. But AVS and card code can only help you if you use them as tools for screening out potential fraudulent orders.

 

If you decide AVS and CVV are helpful to your business, in your order fulfillment process, you should have a method for flagging orders that don’t match address or card code and at the very least manually review them. Some merchants take an extra step and contact the person who placed the order to inquire about the reason for the mismatch–others simply review the data and make a decision. Some others develop their own automated logic so they don’t have to think about it. Whatever you choose to do, make sure it fits your business.

How do I know what these cryptic response codes mean?

Depending on what system you’re using, the results may look different, but typically AVS responses are 3-letter codes that look something like this:

YYY

  1. The first letter indicates whether or not the address matched the address on file. A “Y” indicates that at least part of the address did match. If it starts with an “N”, it did not match.
  2. The second letter tells you how much of the address matched. A “YN” would mean that the numeric portion of the street address matched, but the zip code did not.
  3. The third letter is the response from the authorizing bank and it varies by card type.
  4. Sometimes all or part of the address verification isn’t available. When this is the case, you might see an “X” in the response–a “YX” means the address portion matched, but the zip code comparison was not available.

Responses that indicate AVS isn’t going to help in your decision:

  1. If you get an “E” in the response, it means there was an error occurred during the AVS check.
  2. A “G” or an “I” in the response means the card-issuing bank is outside the U.S. and does not support AVS. International transactions are iffy on whether or not they support AVS–if you do a lot of business outside the U.S., AVS probably won’t help you with fraud screening very much.
  3. An “S” in the response means the issuing bank doesn’t support AVS.
  4. A “U” in the response means that address information isn’t available for this card.

Card code responses are one letter only:

  1. “M” means it matched = lower probability of fraud
  2. “N” means it did not match (or it’s invalid), so there’s a higher probability of fraud.
  3. “P” means the card code check wasn’t processed,  and “U” means the card issuing bank isn’t registered. These two responses give you no information to help your decision.

Just make sure you understand the impacts of these tools on your business and your fees and you make an informed decision as to whether and how you use them.

in Category: AVS, Card code, e-commerce, fraud prevention, how-to, merchant fees, payments, small business, tips
1