What is an AVS mismatch? And how does it apply to fraud?

Address Verification System (AVS) was designed to combat Card Not Present (CNP) fraud. The idea behind AVS is simple: cross-referencing the numeric elements of the billing address provided by the buyer with the numeric portions of the billing address on file at the credit card issuer will enable merchants to verify that the buyer is the rightful cardholder.

Payment processors encourage merchants to set automatic AVS mismatch filters as an anti-fraud measure. However, many merchants who use these filters do not realize that a full AVS match does not ensure a transaction isn’t fraudulent. On the flip side, orders with AVS mismatches are often legitimate. In this post, we will show what AVS rejection means and why rejecting orders solely based on AVS information is a bad idea.

How AVS filters work

When a customer places an order, a request for AVS verification is usually submitted to the credit card issuer along with the payment authorization request. The issuer’s system checks the order details against the information it has on record for the cardholder and returns one of the following codes to the merchant (the meaning can vary slightly depending on the card type):

| Code | Match? | Visa | MasterCard | Discover | American Express |
|------|--------|------|------------|----------|------------------|
| Y | Match | Address & 5-digit or 9-digit ZIP match | Address & 5-digit ZIP match | Address only matches | Address & ZIP match |
| A | Partial Match | Address matches, ZIP does not | Address matches, ZIP does not | Address & 5-digit ZIP match | Address only matches |
| Z | Partial Match | Either 5-digit or 9-digit ZIP match, address does not | 5-digit ZIP matches, address does not | 5-digit ZIP matches, address does not | ZIP code only matches |
| N | Mismatch | Neither ZIP nor address match | Neither ZIP nor address match | Neither ZIP nor address match | Neither ZIP nor address match |
| S | Not Supported | AVS not supported | AVS not supported | AVS not supported | AVS not supported |
| R | N/A | System unavailable, retry | System unavailable, retry | Not applicable | System unavailable, retry |
| U | N/A | Information not available | Information not available | System unavailable, retry | Information not available |
| G | N/A | Address not verified for International transaction (International only) | Not applicable | Not applicable | Not applicable |
| I | N/A | Address not verified (International only) | Not applicable | Not applicable | Not applicable |
| W | Depends on Card Type | Not applicable | For U.S., 9-digit ZIP matches, address does not. For non-U.S., ZIP matches, address does not | Information not available | Not applicable |
| X | Depends on Card Type | Not applicable | For U.S., all digits match. For non-U.S., ZIP and address match. | Address & 9-digit ZIP match | Not applicable |
| B | Depends on Card Type | Address matches, ZIP not verified | Not applicable | Not applicable | Not applicable |
| T | Depends on Card Type | Not applicable | Not applicable | 9-digit ZIP matches, address does not | Not applicable |
| P | Depends on Card Type | ZIP matches, address not verified | Not applicable | Not applicable | Not applicable |
| C | Depends on Card Type | Address and ZIP not verified | Not applicable | Not applicable | Not applicable |
| D | Depends on Card Type | Address & ZIP match (International only) | Not applicable | Not applicable | Not applicable |
| M | Depends on Card Type | Address & ZIP match (International only) | Not applicable | Not applicable | Not applicable |
| F | Depends on Card Type | Address & ZIP match (UK only) | Not applicable | Not applicable | Not applicable |

Then, depending on their level of risk aversion and their capabilities to review orders internally, the merchant decides what kind of codes they want to reject outright. Their payment processor might provide them with a checklist like this, to decide which orders to filter out:

[Image: How does AVS filter work?]

However, these filters are too broad a brush for processing orders, and enacting these rules results in lost revenue and costly chargebacks.

“AVS Match” Does Not Mean “Legitimate Order”

In online fraud forums and dark web carding stores, a card’s AVS numbers (the cardholder’s house number and ZIP code) are sold along with the credit card details. Fraudsters know AVS takes into consideration only the numeric values of the billing address. But they also know merchants often flag a significant distance between billing and shipping address.

For this reason, we often see cases where the fraudster provides a billing address that’s close to the shipping address but which has a house number and ZIP code that match those on file at the credit card issuer. For example, let’s consider a case where the billing address is: 10 Astor Place, New York, 10003, NY.
A savvy fraudster will search for a drop-point that is nearby and has the matching AVS details (house number = 10, ZIP code = 10003). A quick online search provides the following address: 10 Irving Pl, New York, 10003, NY.

[Image: Zip code 10003 in New York]

This fraud MO is more likely to be used in densely populated areas, such as Manhattan. Because many people live within a single ZIP code area and there are a lot of residents at each address (e.g. some buildings have over 50 apartments), there’s a higher chance fraudsters will be able to find someone willing to receive the item on their behalf (serve as the drop-point).

In other words, full or partial AVS match does not mean an order is legitimate. Case in point: 80% of AVS-supported orders that were declined by Riskified had full or partial AVS match.
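The numeric-only comparison described above can be modelled in a few lines. This is an added example, not Riskified's or any issuer's code: the parsing rules are a simplified assumption, the function names are hypothetical, and every address except the two Manhattan ones quoted in the text is constructed. It shows the page's drop-point address returning a full match while a cardholder who has moved returns a mismatch, so a reject-on-N filter gets both wrong.

```python
import re

def avs_numbers(address):
    """Reduce an address to the numeric elements AVS compares.

    Simplified model (assumption, not an issuer's actual logic): house number
    is the leading digit run; ZIP is the last 5-digit group (ZIP+4 truncated).
    """
    house = re.match(r"\s*(\d+)", address)
    zips = re.findall(r"\b(\d{5})(?:-\d{4})?\b", address)
    return (house.group(1) if house else None, zips[-1] if zips else None)

def avs_code(entered, on_file):
    """Return Y/A/Z/N with the Visa/MasterCard meanings from the table."""
    e_house, e_zip = avs_numbers(entered)
    f_house, f_zip = avs_numbers(on_file)
    addr_ok = e_house is not None and e_house == f_house
    zip_ok = e_zip is not None and e_zip == f_zip
    if addr_ok and zip_ok:
        return "Y"
    if addr_ok:
        return "A"
    return "Z" if zip_ok else "N"

# (label, address entered at checkout, address on file, really the cardholder?)
CASES = [
    # The page's example: different street, same house number and ZIP.
    ("drop point", "10 Irving Pl, New York, 10003, NY",
     "10 Astor Place, New York, 10003, NY", False),
    # Constructed: cardholder moved and the issuer still has the old address.
    ("moved", "200 Example Hall Rd, Sampletown, 54321",
     "17 Placeholder Ln, Oldtown, 12345", True),
    # Constructed: cardholder typed the address on file, with a ZIP+4.
    ("exact", "17 Placeholder Ln, Oldtown, 12345-6789",
     "17 Placeholder Ln, Oldtown, 12345", True),
]

def filter_errors(reject_codes=frozenset("N")):
    """List cases where a hard AVS filter disagrees with the ground truth."""
    errors = []
    for label, entered, on_file, legit in CASES:
        code = avs_code(entered, on_file)
        accepted = code not in reject_codes
        if accepted != legit:
            errors.append((label, code, "accepted" if accepted else "rejected"))
    return errors

if __name__ == "__main__":
    for row in filter_errors():
        print(row)
```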

“AVS Mismatch” Does Not Mean “Fraudulent Order”

Most credit cards issued outside the US, Canada, and the UK do not support AVS, meaning the billing address supplied by the buyer cannot be used to verify the card. Online fashion boutique RSVP Gallery was using AVS filters before moving to Riskified. Due to the filters, the merchant was not able to accept orders from Australia and New Zealand – because most payment cards issued there do not support AVS. Since moving to Riskified, the shop has removed all AVS filters, allowing it to expand its international sales.

Even if the credit card used in the transaction does support AVS, there are many explanations for AVS mismatch besides fraud. Some common examples are:

  1. College student enters her new dorm as the billing address, but the credit card company still has her parents’ address on file (this is true for anyone who moves apartments).
  2. Buyer has multiple credit cards, and doesn’t remember which address is associated with every card.
  3. A young adult places an order on his parents’ credit card but forgets to provide his parents’ billing address.
  4. Customer doesn’t understand what they’re being asked to provide, and enters the shipping address twice (as both ‘billing address’ and ‘shipping address’).

Below is an example of a transaction with AVS mismatch which we approved:
$81 apparel order placed by a college student at Benedictine University at Lisle, IL.

Reason for credit card AVS mismatch: Buyer listed same address (of the university) as both the billing and the shipping address. In this case, it seems the buyer didn’t understand what they were being asked to provide, and the reason for AVS mismatch is a misunderstanding.


Indicators that support order approval:

  • Email address *********@ben.edu → University email domain
  • IP range → Belongs to Benedictine University
  • Shipping address → Verified university location

Hypothetically, it is possible that the buyer is not the legitimate cardholder. To ensure the order is legitimate, we could validate the buyer’s identity using external data sources. However, when the order amount is below $10,000, we feel confident approving transactions where there’s a match between the email domain, the IP range, and the shipping address.

In short, AVS mismatch does not mean an order is fraudulent. Merchants who automatically reject orders based on AVS mismatch are turning away legitimate customers. In the case of RSVP Gallery, 50% of the orders we approve on a regular basis would have been rejected by their AVS filters. For more on mismatches, read our Mismatches eBook.

What The Future Doesn’t Hold for AVS

Mobile devices and digital goods are both increasingly common, and both further magnify the impact of AVS errors.

Completing forms on a small screen is error-prone. On top of that, many of the consumers making mobile purchases are younger shoppers, who move houses frequently and often neglect to update their credit card issuers regarding the new billing address. Riskified data corroborates this trend. More than 94% of mobile orders with a partial AVS match, and over 70% of mobile purchases with no AVS match, can and should be safely approved.

As for digital goods, they are delivered using an email address, so fraudsters can enter all the credit card holder’s actual information, including the physical address, and just use their own email address. This trick is often quite effective in outsmarting merchants who use AVS to screen orders. These orders will show up with an AVS match, because all of the physical address points will match those of the card holder – but the digital goods are emailed directly to the fraudster.

So what is AVS good for?

To summarize – do NOT filter orders based on AVS mismatch. AVS rejection is the quickest way to lose revenue and turn away good customers. That being said, AVS information is not altogether irrelevant; there is a correlation between full AVS match and order legitimacy. The important takeaway is that like most factors in risk management, AVS information is useful when taken in context, as one of many data points that help determine whether a transaction is fraudulent or legitimate.