In the ongoing fight against ecommerce fraud, many tools, tactics, and technologies have been used by merchants and card issuing banks to stem the losses from chargebacks while at the same time facilitating online shopping's explosive growth over the last two decades. One of those tools is the Address Verification System (AVS).
AVS is a tool implemented by US-based card issuing banks which enables merchants to verify that the shopper is in possession of the credit card or is making a legit order on behalf of the cardholder. AVS compares the numeric parts of the shopper-supplied billing address (i.e. house number and ZIP code) against the billing address the card issuer has on file. AVS then returns a code indicating whether those numbers match.
In a nutshell, AVS relies on two key assumptions:
- A fraudster wouldn't be able to guess or obtain a credit card's current billing address.
- The cardholder will always keep their billing address up to date.
What can cause an AVS mismatch?
One of the vexing problems of ecommerce fraud prevention is that both of these assumptions are often false in online orders. First, fraudsters can buy the billing address along with the cardholder name, card number, expiration date, and CVV code on carder forums. The second assumption is also commonly false in a variety of scenarios: college students using their parents' credit cards to place online orders, people who move frequently and don't update their credit card billing info, and people who may have moved a while back but haven't felt the need to update their billing address because they've opted to stop receiving paper billing statements.
Even when those assumptions are true for a given shopper, the order process itself might throw a wrench into an AVS check. Shoppers may think the "billing address" requested during checkout is for the billing of the order itself (i.e. for an official invoice) instead of the billing address of the credit card used to pay for the order. Also, consumers placing an order from a mobile device might skip inputting the billing address or incompletely fill it out, due to the time and effort hurdles of textual input on small smartphone screens. Incidentally, the continued growth in mobile commerce is forcing the industry to realize that asking shoppers to enter the billing address for AVS checking is a high-friction chargeback prevention measure.
In short, there are plenty of reasons why a legitimate order will return a complete or partial AVS mismatch. This is why orders shouldn't be declined solely on the basis of an AVS mismatch. While it's a useful tool for helping determine whether a transaction is fraudulent or legitimate, an AVS match doesn't guarantee that an order is legitimate, nor does a mismatch mean it's a fraudulent order.
The best way to leverage AVS
It's best to think of AVS match results as the Yelp reviews of ecommerce fraud prevention: they're great as supplemental or for corroborating evidence, but not as the sole or even key data point for making a decision.
Among the other data points that need to be considered along with the AVS results are:
- behavioral analytics: What was the browsing history of the shopper leading up to the order? Which pages were viewed and for how long?
- IP address owner and geolocation data: Can a link be established between either the shipping or billing address and the company or institution which owns the IP address from which the order was placed? Does the physical location of the IP address match either of those two addresses?
- device fingerprinting: What device-specific attributes can be used to uniquely identify this shopper? If this device can be identified, have previous legitimate or fraudulent orders been placed from it?
- Corroboration of order details from other data sources: Social media profiles including Facebook and LinkedIn, email address age data from Emailage, public listings of names and phone numbers, etc. These sources can help independently verify any information supplied by the shopper and thus provide clear evidence whether behind a given transaction is a real customer or a fraudster.
When AVS mismatches occur, it's important for merchants to take a closer look at possible reasons for the mismatch and thus avoid false declines and unnecessary chargebacks. Often, a story of a legitimate order emerges if the AVS mismatch is analyzed in the context of the other relevant data points listed above. By adopting a more holistic view of fraud prevention, ecommerce companies can more effectively thwart fraudsters while turning down fewer good orders, growing revenue in the process.