By Chandan Mukherjee
While Address Verification Service (AVS) has been available for most networks and processors for a long time now, there are still significant pitfalls to integrating AVS into a payment gateway. As a result, many implementers have ignored AVS. But a carefully implemented AVS can reduce transaction fraud to a great extent.
AVS varies from network to network and between processors. There are also variations in AVS in the United States as opposed to international AVS. This article addresses basics that a gateway provider must be familiar with to implement a robust AVS.
Keep in mind that this is a general discussion; it is strongly urged that developers reference processor specifications.
Furthermore, please note there may be differences in processor support for AVS. Hence, if a gateway supports multiple processors, it is conceivable the AVS must be tailored to each processor.
Conceptually, AVS validates that the individual holding a payment card and conducting a transaction - in either a card-not-present environment, such as online, or in a brick-and-mortar location - is indeed the person issued the card. It is assumed that if someone stole a card or card number, it is unlikely the thief would know the actual billing address tied to the cardholder's stolen card.
So, the billing address, or part of the billing address information, is sent along with the card authorization request for the network and the card issuer to validate. If the billing address information matches the billing address on file for the card, then a match is returned. Otherwise error codes are returned.
Fundamentally, three kinds of address verification services are available:
In some markets where the postal code contains alphanumeric characters, some issuers and networks implement matching for numeric components only. In such cases, the alphanumeric characteristics are removed before matching is done. This may result in matching of fewer than five digits, depending on the postal code format.
The matching is done for the first five numeric digits before the first alphanumeric character is encountered in the address, going from left to right. Though it is a better matching option than Postal Code Only, the compressed form of Street Address Matching does not take into account the street name, etc., especially for street names that are character-based. (Please see comments in best practices below).
The first 20 characters, read from left to right, are taken into account for matching of the address. Address lines that are fewer than 20 characters are padded with spaces on the right.
Address lines that are longer than the maximum character length are truncated at the maximum character amount. (Generally the maximum is 40 characters, but refer to processor specs for exact numbers.)
Here are high-level best practices for implementing AVS at the gateway's application protocol interface or card entry web page.
Given the amount of fraud associated with credit and debit cards, it is imperative that AVS be implemented by all reputable gateway operators. While the implementation of AVS can be time consuming, it can be successfully implemented if basic rules are followed. The benefits of implementing AVS are huge and go a long way toward reducing fraud.
Chandan Mukherjee is the co-founder of PayCube Inc., a San Francisco Bay Area-based payment consulting and IT services company providing custom software solutions and custom gateways for acquirers, ISOs, retailers and varied organizations in the world of payments and consumer transactions, including prepaid and gift card program, loyalty and promotion, payment start-up, POS solution, mobile payment and e-commerce players. PayCube uses a blend of on-site and offshore delivery capabilities, with a staff of retail and payments-focused software engineers, systems architects, project managers, tech leads and systems analysts. For more information, email firstname.lastname@example.org, call 510-545-6854 or visit www.paycubeinc.com.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.Prev Next