» Merchant Resources
» PCI Data Security
» Merchant Memos

AVS & CVV2

Merchants should use the AVS and CVV2 card features as part of a best practices policy to mitigate fraud.

How AVS and CVV2 work

AVS and CVV2 responses are displayed after the transaction is authorized. As long as the authorization request is approved (the card is in good standing and the purchase amount is available), then the transaction can be submitted for deposit regardless of the AVS or CVV2 result codes.

However, merchants can use AVS and CVV2 as tools to help make business decisions on whether to proceed with the sale and delivery of goods and services based on responses codes.

Each merchant will set their own AVS and CVV2 acceptance policies. If merchants don't gain a comfort level with the responses to these card security features then they should not proceed with the sale and should void the transaction.

Merchants can either make business decisions on individual transactions, or depending on the payment processing technology used, automatically filter out transactions when AVS and CVV2 responses are unacceptable.

AVS

Address Verification Service (AVS) is a fraud prevention service developed to help merchants who accept card payments in a card-not-present environment (non-swiped transactions). During a transaction, AVS compares the address information that the cardholder provides to what is on record for that credit card number at the issuing bank.

There are many possible AVS responses:

• Service not supported – In some instances, AVS is not supported. For example, Canada is a country that does not support AVS; therefore, the AVS response would indicate that AVS is not supported.
• Not a mail/phone order –the issuer responds that the transaction is not a MOTO (mail order/telephone order) transaction and is therefore ineligible for AVS check.
• Issuer system unavailable –when the issuer system is not available to make a comparison.
• Address unavailable –for transactions when the AVS system is unavailable for verification.
• No address or zip match –transactions that fail address and zip code matches.
• 5-digit zip match only –transactions that return a 5-digit zip code match (but not an address match).
• 9-digit zip match only –transactions that return a 9-digit zip code match (but not an address match).
• Address match only –transactions that return an address match (but not a zip code match).
• Exact match, 5-digit zip –transactions that return an exact 5-digit zip code match.
• Exact match, 9-digit zip –transactions that return an exact 9-digit zip code match.

CVV2

Card verification is typically used in card-not-present situations (like Mail Order/Telephone Order and eCommerce) to help verify that the customer actually has the card in their possession.

CVV2 (Visa's Card Validation Value), CVC2 (MasterCard's Card Verification Code), and CID (American Express' and Discover's Card Identification) are fraud prevention services for card-not-present environments. During a transaction, the 3- or 4-digit security code collect at the time of sale is compared to what is on record for that credit card.

For Visa, MasterCard, and Discover credit cards, look on the back of the card. The last three digits of the string of numbers below the magnetic strip are the numbers to use. For an American Express card, look on the front of the card for a four digit number.

There are many possible CVV2 responses:

• Issuer not certified / not provided encryption keys – the issuer has not certified for CVV2 or Issuer has not provided Visa with the CVV2 encryption keys
• Merchant indicated CVV2 not present on card – the issuer indicates that CVV2 data should be present on the card, but the merchant has indicated data is not present on the card.
• CVV2 No Match – the issuer indicates that CVV2 data on record does not match CVV2 data provided by merchant.
• CVV2 Match – the issuer indicates that CVV2 data on record matches CVV2 data provided by merchant.