AVS & CVV

Prerequisites

Before configuring AVS/CVV rules, understand:

TL;DR
  • AVS: Checks billing address vs. issuer records—Y=full match (accept), N=no match (review/decline), U/G=unavailable (use other signals)
  • CVV: Verifies card code—M=match (accept), N=no match (decline); proves physical card possession
  • Neither shifts liability—for liability shift, use 3D Secure
  • Don't hard-decline AVS mismatches blindly: 20-30% of legitimate customers fail AVS (formatting, moves, issuer quirks)
  • Test first: Shadow mode 2 weeks, enforce only if over 30% of flagged transactions were fraud

AVS checks whether the billing address entered at checkout matches what the issuer has on file. CVV verifies the 3-4 digit code on the physical card.

Neither is foolproof. Neither shifts liability. Both help you make better authorization decisions about which transactions to accept. For liability shift, see 3D Secure.

Don't Hard-Decline on AVS Mismatch Until You've Measured

Legitimate customers fail AVS surprisingly often (20-30% for some merchants) due to formatting differences, recent moves, or issuer quirks. Being too strict kills good orders.

Experiment to Run

Before enforcing any AVS rule:

  1. Run in shadow mode for 2 weeks (flag but don't block)
  2. For every transaction you WOULD have declined, check: was it actually fraud?
  3. Calculate your false positive rate

Decision rule: Only enforce if more than 30% of flagged transactions were fraud AND fewer than 1% of total transactions would be blocked.

Address Verification Service (AVS)

How AVS Works

  1. Customer enters billing address at checkout
  2. Your processor sends address data to card network
  3. Issuer compares submitted address to their records
  4. AVS response code returned in the authorization response
  5. You decide: accept, decline, or review

AVS Response Codes

| Code | Meaning | Risk Level | Recommendation |
|------|---------|------------|----------------|
| Y | Full match (address + zip) | Low | Accept |
| X | Full match (9-digit zip) | Low | Accept |
| A | Address matches, zip doesn't | Medium | Review or accept with CVV match |
| Z | Zip matches, address doesn't | Medium | Review or accept with CVV match |
| N | No match | High | Decline or manual review |
| U | Issuer doesn't support AVS | Unknown | Use other signals |
| R | Retry (system unavailable) | Unknown | Retry or use other signals |
| S | AVS not supported for card type | Unknown | Use other signals |
| G | International card (non-US issuer) | Unknown | Use other signals |

AVS Limitations

Geographic coverage:

Formatting issues:

  • "123 Oak St" vs "123 Oak Street" may not match
  • Apartment numbers handled inconsistently
  • PO boxes may fail
  • Recent moves not yet updated with issuer

International AVS: What Works Outside the US

AVS was designed for US addresses. International transactions require a different approach.

AVS Support by Region

| Region | AVS Support | Notes |
|--------|-------------|-------|
| United States | Full | Street number + zip |
| Canada | Full | Street number + postal code |
| United Kingdom | Full | Numeric portion of address + postcode |
| Western Europe | Partial | Varies by country and issuer |
| Latin America | Limited | Most return U/G |
| Asia Pacific | Limited | Japan/Australia have some support |
| Other | Minimal | Expect U/G responses |

Response Code Reality for International

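| Response | What It Means | Frequency (International) |
|----------|---------------|---------------------------|
| G | Global/international card | 40-60% of non-US |
| U | Unavailable | 20-30% |
| S | Service not supported | 10-20% |
| Y/A/Z | Actual match data | 10-30% (varies by country) |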

International AVS Strategy

Don't: Decline all G/U responses (you'll reject 50%+ of international orders)

Do: Layer additional verification for international transactions

| Signal | Use For International |
|--------|-----------------------|
| CVV | Always require (still works internationally) |
| 3DS | Strongly recommended (liability shift) |
| Email verification | Check for free/disposable emails (see identity verification) |
| Phone verification | Consider SMS verification for high-value |
| Shipping address analysis | Freight forwarders, PO boxes, known fraud addresses |
| Device fingerprint | Works regardless of location |

UK-Specific AVS

UK AVS checks:

  • Numeric part of building number/name
  • Numeric part of postcode

Example: "Flat 42, 15 High Street, London SW1A 2AA"

  • Checks: 42, 15, 1, 2 (numerics extracted)
  • Different from US format

International Risk Framework

| Transaction Value | G/U Response | Recommended Action |
|-------------------|--------------|--------------------|
| Low (<$50) | G or U | Accept with CVV match |
| Medium ($50-200) | G or U | Accept with CVV + 3DS |
| High ($200+) | G or U | 3DS required + manual review |

Country-Specific Considerations

| Country | Notes |
|---------|-------|
| Germany | Privacy laws limit AVS; use 3DS |
| France | AVS rarely supported; 3DS common |
| Japan | Limited AVS; 3DS well-adopted |
| Australia | Moderate AVS support |
| Brazil | CPF (tax ID) more useful than AVS |

International Best Practice

For international transactions, treat CVV + 3DS as your primary fraud prevention. AVS is a bonus signal, not a gatekeeper.

Finding Your AVS Thresholds

Those generic "decline on N" recommendations are someone else's guess. Here's how to find yours:

Backtest experiment:

  1. Pull last 30 days of transactions
  2. Apply proposed rule in shadow mode
  3. Calculate: What % would have been blocked? What % of those were actually fraud?

If the rule would block 2% of traffic but only 10% of those blocked transactions were fraud, then 1.8% of all traffic is good customers you're turning away. Probably too aggressive.

Decision rule: Only enforce if more than 30% of blocked transactions were fraud AND fewer than 0.5% of total traffic is blocked.
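
The shadow-mode backtest described here and under "Experiment to Run", as an added example (not code from the original page). The transaction history is constructed, the `Txn` fields and function names are assumptions, and the defaults use the 30% / 0.5% thresholds from the decision rule above; pass `max_block_rate=0.01` for the 1% variant.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Txn:
    avs: str      # AVS response code
    cvv: str      # CVV response code
    fraud: bool   # confirmed later via chargeback (labels lag 30-90 days)

def backtest(txns, rule, min_fraud_share=0.30, max_block_rate=0.005):
    """Replay `rule` over labelled history without blocking anything."""
    flagged = [t for t in txns if rule(t)]
    fraud_flagged = sum(t.fraud for t in flagged)
    total_fraud = sum(t.fraud for t in txns)
    block_rate = len(flagged) / len(txns)
    fraud_share = fraud_flagged / len(flagged) if flagged else 0.0
    return {
        "block_rate": block_rate,                    # share of traffic blocked
        "fraud_share": fraud_share,                  # share of blocked that was fraud
        "good_blocked_rate": (len(flagged) - fraud_flagged) / len(txns),
        "fraud_missed": total_fraud - fraud_flagged, # fraud the rule never sees
        "enforce": fraud_share > min_fraud_share and block_rate < max_block_rate,
    }

def sample_history():
    """Constructed data: 1,000 transactions, 7 of them confirmed fraud."""
    return (
        [Txn("Y", "M", False)] * 975
        + [Txn("Y", "M", True)] * 5     # fraud that passes both checks
        + [Txn("N", "M", False)] * 17   # legitimate customers failing AVS
        + [Txn("N", "N", False)] * 1
        + [Txn("N", "N", True)] * 2
    )

# Candidate rules to compare (hypothetical names).
RULES = {
    "decline AVS=N": lambda t: t.avs == "N",
    "decline AVS=N and CVV=N": lambda t: t.avs == "N" and t.cvv == "N",
}

if __name__ == "__main__":
    history = sample_history()
    for name, rule in RULES.items():
        r = backtest(history, rule)
        print(f"{name}: blocks {r['block_rate']:.1%}, "
              f"{r['fraud_share']:.0%} of blocked were fraud, "
              f"good customers blocked {r['good_blocked_rate']:.1%}, "
              f"fraud missed {r['fraud_missed']}, enforce={r['enforce']}")
```

On this data the plain "decline AVS=N" rule reproduces the 2% / 10% / 1.8% case above and is rejected, while the narrower rule passes. Both rules miss the same five fraudulent transactions that returned Y/M, which is why total fraud has to be tracked alongside flagged fraud.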

AVS Rules by Transaction Type

| Transaction Type | Suggested Starting Point | How to Test |
|------------------|--------------------------|-------------|
| Physical goods, domestic | Require Y/A/Z, decline N | Shadow mode 2 weeks, measure FP rate |
| Physical goods, international | Accept U/G with CVV match | Compare fraud rates U/G vs. Y |
| Digital goods | Accept with CVV match regardless | Monitor for abuse patterns |
| High-value orders | Require Y + CVV + additional verification | Lower threshold, more review |
| Recurring/saved cards | AVS not available | Use other signals |

Card Verification Value (CVV)

How CVV Works

  1. Customer enters CVV at checkout
  2. Processor sends CVV to issuer
  3. Issuer verifies CVV matches card records
  4. Response: match/no match/not processed

CVV Response Codes

| Code | Meaning | Action |
|------|---------|--------|
| M | Match | Accept (good signal) |
| N | No match | Decline |
| P | Not processed | Use other signals |
| S | CVV should be on card but wasn't provided | Request CVV |
| U | Issuer doesn't support CVV | Use other signals |

Why CVV Matters

Proves physical possession: The CVV is printed on the card, not encoded on the magnetic stripe or stored in most databases. A fraudster with a stolen card number may not have the CVV. This helps prevent third-party fraud and card testing.

Required for compelling evidence: In chargeback disputes, CVV match strengthens your representment case.

Cannot be stored: PCI DSS prohibits storing CVV after authorization. Recurring transactions can't re-verify CVV.

CVV Best Practices

Do:

  • Require CVV on all first-time transactions
  • Re-request CVV when shipping address changes
  • Re-request CVV from unrecognized devices
  • Decline CVV mismatches on CNP orders

Don't:

  • Store CVV (PCI violation)
  • Skip collection because "it's extra friction"
  • Assume CVV match = legitimate (can be compromised with card)

Combining AVS and CVV

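| AVS Result | CVV Result | Risk | Recommendation |
|------------|------------|------|----------------|
| Y (full match) | M (match) | Low | Accept |
| Y | N | Medium-High | Decline or review |
| A or Z (partial) | M | Medium | Accept with monitoring |
| A or Z | N | High | Decline |
| N | M | Medium-High | Review (fraudster may have CVV but not address) |
| N | N | Very High | Decline |
| U/G (unavailable) | M | Medium | Accept with additional signals |
| U/G | N | High | Decline |

This is a Bet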

Every threshold you set is a tradeoff: blocking more fraud vs. blocking more good customers.

Your optimal thresholds depend on:

  • Your fraud rate (high fraud = tighter thresholds are worth it)
  • Your margin (low margin = false positives hurt more)
  • Your customer base (international customers hit AVS limits)

There's no universal right answer. Test and measure.

Beyond AVS/CVV

AVS and CVV are table stakes. They're necessary but not sufficient. Modern fraud prevention layers additional signals:

  • 3D Secure: Shifts liability to issuer for authenticated transactions
  • Device fingerprinting: Identifies returning devices, detects anomalies
  • Behavioral analytics: Analyzes how customers interact with your site
  • Velocity rules: Flags unusual patterns (many orders, same card, short time)
  • Risk scoring: ML models that combine all signals into a single score

See Risk Scoring for how these signals combine.

Processor Configuration

Most payment gateways let you configure AVS/CVV rules:

IF cvv_result = "N" THEN decline
IF avs_result = "N" AND amount > 100 THEN decline
IF avs_result IN ("A", "Z") AND cvv_result = "M" THEN accept
IF avs_result = "U" AND card_country != "US" AND cvv_result = "M" THEN accept
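
A coverage check for the four rules above, as an added example (not code from the original page or from any gateway). It assumes first-match-wins evaluation and a hypothetical `review` default for unmatched transactions, and enumerates every AVS/CVV code pair from the tables on this page to show which ones no rule handles.

```python
from itertools import product

AVS_CODES = "YXAZNURSG"   # AVS response codes from the table on this page
CVV_CODES = "MNPSU"       # CVV response codes from the table on this page

# The page's four rules, in page order. First match wins (assumed semantics).
RULES = [
    ("decline", lambda t: t["cvv_result"] == "N"),
    ("decline", lambda t: t["avs_result"] == "N" and t["amount"] > 100),
    ("accept",  lambda t: t["avs_result"] in ("A", "Z") and t["cvv_result"] == "M"),
    ("accept",  lambda t: t["avs_result"] == "U" and t["card_country"] != "US"
                          and t["cvv_result"] == "M"),
]

def evaluate(txn, default="review"):
    """Return the action of the first matching rule, else the default."""
    for action, matches in RULES:
        if matches(txn):
            return action
    return default  # assumption: unmatched traffic goes to manual review

def uncovered(amount, card_country):
    """List (avs, cvv) pairs that reach the default for this amount/country."""
    gaps = []
    for avs, cvv in product(AVS_CODES, CVV_CODES):
        txn = {"avs_result": avs, "cvv_result": cvv,
               "amount": amount, "card_country": card_country}
        if not any(matches(txn) for _, matches in RULES):
            gaps.append((avs, cvv))
    return gaps

if __name__ == "__main__":
    for amount, country in [(50, "US"), (150, "GB")]:
        gaps = uncovered(amount, country)
        print(f"amount={amount} country={country}: {len(gaps)} of "
              f"{len(AVS_CODES) * len(CVV_CODES)} code pairs hit the default")
        print("  includes Y/M:", ("Y", "M") in gaps, " G/M:", ("G", "M") in gaps)
```

With only these four rules, the lowest-risk pair Y/M and the international G/M pair both fall through to the default, so the gateway's default action decides most traffic. Run this kind of enumeration whenever rules are added or reordered.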

Where Experiments Lie to You

  • Selection bias: If you only look at declined transactions, you don't know how many good customers you blocked
  • Lag time: Fraud shows up as chargebacks 30-90 days later. Your 2-week test might look clean but fail later.
  • Fraudster adaptation: If you tighten AVS rules, sophisticated fraudsters will start using correct addresses. Measure total fraud, not just AVS-flagged fraud.

Impact on Chargebacks

For representment:

For Visa CE 3.0:

  • Historical transactions with matching data help prove customer relationship
  • AVS/CVV data from past orders supports compelling evidence

Next Steps

Just starting with AVS/CVV?

  1. Understand response codes - What each code means
  2. Test your thresholds - Backtest before enforcing
  3. Check CVV requirements - Always require on first purchase

Tuning existing rules?

  1. Run shadow mode test - 2 weeks minimum
  2. Review international strategy - Different rules needed
  3. Combine signals - AVS + CVV decision matrix

Fighting chargebacks with AVS/CVV?

  1. Check compelling evidence requirements - AVS/CVV for representment
  2. Review impact on disputes - What wins cases
  3. Layer with 3DS - For liability shift
