|What approval settings do you have set for AVS/CVV?|
I'm pretty sure all payment gateways/merchant accounts have similar settings for AVS and CVV. The settings below are the choices I currently have on my payment gateway for AVS and CVV.
What do you have these settings set as on your payment gateway to allow an order to be APPROVED successfully?
AVS: Accept Transaction When...
- Address and 5 Digit Match (T)
- Exact Address and 9 Digit Match (T)
- Address Match, No Zip Match (T)
- 5 Digit Zip Match, No Address Match (T)
- 9 Digit Zip Match, No Address Match (T)
- No Match (F)
- Address Information Not Available (T)
- Retry System Unavailable (F)
- Service Not Available (T)
CVV: Accept Transaction When...
- CVV2 Match (T)
- CVV2 No Match (F)
- CVV2 Not Processed (T)
- CVV2 Not Present on Card (T)
- CVV2 Issuer Not Certified (T)
- CVV2 Server Did Not Respond (T)
I put a (T) for the ones I have checked ON and an (F) for the ones that I have checked OFF.
I'm wondering if I should set any of my current (T) settings to (F) so the order is "DECLINED" instead of "APPROVED" for those settings?
For example; on settings like "Service Not Available", "Address Information Not Available", "5 Digit Zip Match, No Address Match", "CVV2 Not Processed", etc...
I let everything get authorized, because otherwise there is no way to account for a lot of foreign cards, gift cards, people who moved and forgot to tell their bank, people who use PO boxes for a billing address, billing addresses on a numbered street, and other things that make AVS hork up a furball. I look at the AVS/CVV info before I even make an invoice for the order. I look at that information and put it together with what they ordered. If there is anything weird, I look further, like Google their name or email addy, check the IP address, or occasionally, if it is a big order, look at Google maps and see what is at that address. If the CVV doesn't match, I don't bother, just void it. But the stuff I sell does not attract a lot of fraud. The biggest nonpayment problems I have had are people using gift cards where I don't capture fast enough and so they overspend the card; I now capture right away, regardless of when the order will be shipped. I just got sick of being stiffed on those things. With foreign orders, I have more problems with the order actually arriving due to undependable postal service in other countries than I do with fraudulent charges.
I'm located in the US, and I require valid AVS address and postal code, and also valid CVV. I do the bulk of my business in the US, but also do brisk business with EU countries, Canada, as well as smaller areas such as Malta, and the Virgin Islands.
I don't worry about the fringe foreign cases that get declined because their country is stuck on 1990's technology; that is trouble-avoidance.
I do have occasional problems with corporate cards, where the cardholder doesn't know the billing address of their accounting department, but it also weeds out teenagers playing with dad's corporate AmEx.
When a card is declined for AVS or CVV, the customer gets a *very* detailed error message, explaining precisely why it was declined; ZIP non-match, address non-match, or whatever.
In 95+% of cases, people know their billing address and can read their CVV. The other 5% are not worth the headaches. With these settings, I haven't had a fraudulent transaction in over 3 years.
|When a card is declined for AVS or CVV, the customer gets a *very* detailed error message, explaining precisely why it was declined; ZIP non-match, address non-match, or whatever. |
I believe that's against VISA/Mastercard policies. Our provider warned us against disclosing that kind of information, as fraudsters can exploit that to test stolen credit card information. So ya, I think that could be considered a violation of the merchant agreement.
OT, sorry to say this but
>>I don't worry about the fringe foreign cases that get declined because their country is stuck on 1990's technology; that is trouble-avoidance.
Erm, you mean USA is far ahead? In Europe we are nearly all chip and PIN for face-to-face sales, and I make many retail face-to-face sales with Americans using American cards - and they are always sign rather than PIN ... you guys are way behind Europe.
[Admittedly I'm talking about face-to-face, not online, sales here]
|Our provider warned us against disclosing that kind of information, as fraudsters can exploit that to test stolen credit card information. |
These same credit card companies regularly approve transactions that contain incorrect billing addresses.
Oh the irony...
|These same credit card companies regularly approve transactions that contain incorrect billing addresses. Oh the irony...|
Where's the irony? An AVS mismatch isn't a crime, and 99.x% of the time, the cause is superficial or harmless. Even VISA says that AVS check is OPTIONAL.
The irony is that you decry credit card companies that don't slavishly abide by a flawed AVS system, yet have no compunctions about better enabling criminals to test their stolen credit card information.
"Better enabling criminals to test their stolen credit card information"? Where are you getting that? Do you think that criminals don't KNOW that the billing address they are pulling out of their behind is bogus? Or what? Do you think they are going to be able to figure out what the correct billing address is by a merchant saying "The billing address you entered does not match the billing address the bank has on file for this card"? Let's get real, here.
|Where are you getting that? Do you think that criminals don't KNOW that the billing address they are pulling out of their behind is bogus? |
Not all will concoct a fake billing address. Some fraudsters will have the billing address too from the stolen database and/or they have physically stolen the credit card from someone they know and can guess at the billing address.
|Or what? Do you think they are going to be able to figure out what the correct billing address is by a merchant saying "The billing address you entered does not match the billing address the bank has on file for this card"? |
Someone with a stolen credit card goes to a website and they get a general decline -- they don't know whether the credit card number was already cancelled by the bank or if they just got the wrong CVS number or whether they just have the wrong billing address or whatever. If they have the wrong billing info but the credit card number is still good, they still have a chance to use their stolen credit card info at another website that does not employ AVS. So when any online checkout explains exactly what's wrong with the credit card information (CVS failure, AVS street address mismatch, AVS postal code mismatch) vs a general decline, then this enables fraudsters to test what's wrong (or right) with their stolen credit card information.
Getting real, AFAIK but I don't know if/where it is expressly written, disclosing the exact reason for the decline is a violation of all or most credit card merchant agreements.
I think you are really stretching it in terms of how a thief can figure out what is the correct billing address based on a decline.
A mismatch on billing address is not necessarily a reason for a decline. You can have your settings such that mismatches are still authorized. It is the merchant's decision to authorize or not with a mismatch. At least, it is on authorize.net and with my cc processor. Yes, the discount rate is higher, but there are a lot of reasons for mismatches that are completely innocent.
I did used to tell people with a boilerplate message that I could not fill their order because the billing address they gave did not match the billing address the bank had on file for the card and that they should contact the issuing bank about the problem; then I would void the transaction. Now I just decide whether I want to send the order or not based on other factors. If I think it's fraud, I just void the transaction without any contact. Pretty much never do I ever hear from the would-be customer. In this whole process, there is never any decline issued, just an authorization and/or a void.
To be fair we were told the same thing - we use a system in the UK called Commidea and were going to map their very detailed responses to messages to the customer. They told us that was frowned upon, exactly for the reason that people will test cards - for every bogus order we get the same card / info is tried in 20 more places - so whilst the detailed response might not matter to us, because we already smelled the rat, it gives them that little extra to get their order passed elsewhere.
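An added example, not code from any poster or gateway in this thread: it applies the (T)/(F) policy from the first post, keeps the detailed AVS/CVV reason in a merchant-only log, and returns one generic decline message to the customer. The result labels, the `Checkout` class and the per-IP repeated-decline counter (3 declines in 10 minutes) are assumptions made for illustration.

```python
from collections import defaultdict, deque

# Accept (True) / decline (False) policy copied from the first post's (T)/(F)
# list. Keys are constructed labels, not any gateway's real response codes.
AVS_ACCEPT = {
    "address_and_zip5_match": True, "address_and_zip9_match": True,
    "address_match_no_zip": True, "zip5_match_no_address": True,
    "zip9_match_no_address": True, "no_match": False,
    "address_info_unavailable": True, "retry_system_unavailable": False,
    "service_not_available": True,
}
CVV_ACCEPT = {
    "match": True, "no_match": False, "not_processed": True,
    "not_present_on_card": True, "issuer_not_certified": True,
    "server_did_not_respond": True,
}
# The only text a customer sees on a decline, whatever the cause.
GENERIC_DECLINE = "Your card could not be authorized. Please contact your bank."


class Checkout:
    def __init__(self, max_declines=3, window_s=600):
        self.max_declines, self.window_s = max_declines, window_s
        self.declines = defaultdict(deque)  # client IP -> decline timestamps
        self.audit_log = []                 # merchant-only detail

    def decide(self, ip, avs, cvv, now):
        """Return what the customer sees; record the real reason internally."""
        reasons = []
        if not AVS_ACCEPT.get(avs, False):   # unknown result fails closed
            reasons.append(f"avs:{avs}")
        if not CVV_ACCEPT.get(cvv, False):
            reasons.append(f"cvv:{cvv}")
        recent = self.declines[ip]
        while recent and now - recent[0] > self.window_s:
            recent.popleft()                 # forget declines outside the window
        if len(recent) >= self.max_declines:
            reasons.append("velocity:repeated_declines")
        approved = not reasons
        if not approved:
            recent.append(now)
        self.audit_log.append({"ip": ip, "time": now, "approved": approved,
                               "reasons": reasons})
        message = None if approved else GENERIC_DECLINE
        return {"approved": approved, "customer_message": message}
```

The customer-facing result is identical for an AVS failure, a CVV failure and a velocity block, so the response itself does not reveal which field was wrong; the merchant still sees the exact reason in `audit_log` when reviewing the order.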