You absolutely should have AVS and CVV, without them you're running huge risks.

Your payment gateway backend should show you the AVS codes for declined transaction which should give you clues if it's AVS errors or just bad credit cards in general.

Having AVS cranked up to the highest level of security definitely results in lost sales because millions of years of evolution still hasn't improved the average intelligence of your basic beer drinking, lazy-boy reclining, football watching human. Nobody knows their entire 9 digit postal code and a lot of people dont enter their address exactly as the credit card company has it on file which is a real pain. To solve these issues I run my AVS on a lower security level for "Either Address or Postal Code must match" which also allows 5 digit postal codes.

CVV will require a little more explantion on your web site and a picture of where these numbers are located on the credit card. We people in ecommerce know what CVV is, but a lot of online shoppers still seem to be oblivious.

BTW, if you captured the customer information about the declined sales I would call them and
a) find out what went wrong during checkout and,
b) try to recapture the sale and enter the transation yourself to see if it works or,
c) offer the customer a different method of payment (check by mail?).

Some people think a decline is a lost sale, I look at it as a sales opportunity for someone that just had issues making a payment and get about a 30% recovery rate.

I use AVS with most of the strictest settings disabled - basically, I'm looking for a zip code match and that's about it.

I turned of CVV several months ago, for a number of reasons:

* There's no incentive to use CVV -- my discount rate is the same whether I use it or not. On the other hand, if I don't use AVS, my discount rate is considerably higher. That's all the reason I need to use AVS.

* Customers have a hard time entering the CVV correctly, and the gateway doesn't indicate that the CVV is the reason for a decline. There's no telling how many sales we lost due to customers being unable or unwilling to enter the CVV. It doesn't seem to matter how many pretty pictures and explanations you put on the web site; customers are just incapable of finding those 3 (or 4) little digits.

* You CANNOT store CVV anywhere on your system without being in violation of the credit card company regulations. So unless you're doing realtime authorization and capture, you have a problem.

* My particular niche is basically fraud-free -- thousands of orders so far and not a fraudulent one in the bunch. My products are attractive to fraudsters (other than those morons in Nigeria who just won't go away), so it's not a big deal.

>> You CANNOT store CVV anywhere on your system without being in violation of the credit card company regulations. So unless you're doing realtime authorization and capture, you have a problem.

I once thought that too, I've been corrected by the credit card company with the following:

"CVV may only be retained until the transaction is completed, then must be removed"

I interpret that to mean I can store it until I charge the card, then zap it.

Regardless, it doesn't matter as the banks are starting to require CVV to cut fraud and one customer told me the other day they wouldn't even process his online charges without it. I told him to find another merchant account provider but he nixed that idea, his nickel........

We use AVS all the time. During the 2002 Christmas season we lost about $4,000 in fraud.

We do the things incredibill suggested..When we call the customer we first try to confirm that the billing address they submitted is actually the address where their credit card statement is mailed. If they say yes, we ask for the 800 number of the credit card and call to verify the address. Typically it will come up as a match. Sometimes the payment gateway is just too sensitive, especially with PO boxes or rural addresses.

My problem is running the strict AVS requirements, I may have 75 successful sales out of 200 AVS processes (of course there are many repeat attempts of the same card when declined). So calling customers, banks, etc for 75-100 orders a day to verify isn't really logistically possible. This is all in a attempt to reduce fraudelant related chargebacks. By the way, what are your merchant account chargeback % limits?

I'd highly recommend Address Verification. It's becoming much more common for people so they generally don't have a problem with it. When I wasn't running it for a while on one site I had more fraud problems.

Here's a better question...

How is tomld2 getting 200 orders per day?!

Please share some tips!:)

Without sharing secrets: 1) A strong affiliate program 2) PPC

Spend big = Earn big

I tried that theory once...

SPEND BIG = OVERFLOWING CREDIT CARD

COMPELTELY dependant on your market. I have projects running almost NO verification doing 100+ transactions per day for 'multiple years', and also projects running extremely high verification doing 100+ transactions per day for 'multiple years'. All without fraud issues. You have to research your market well, A/B test where possible, and then refine as you go.. Bottom line is that it's impossible just speak in general on this. It's 100% market specific.

AVS is only good if you are ONLY selling to the same country you are operating from, CVV2 is a bit hit or miss.
For example we operate out of the UK, AVS & CVV2 are perfect if someone in the UK orders BUT if anyone outside the UK orders then AVS doesnt work because it can only check in the same country as company who you get your merchant ID from (in our case natwest streamline) so we have to allow in our rules for it to be accepeted if the result comes back as "not checked".
I've been complaining to Streamline about CVV2 because we were getting a lot of orders from asia (where we have a large market) that although they were entering their CVV2 number it was comeing back as not checked as well, now I was under the assumption that if they enter a CVV2 number then the checking is supported ( I mean whats the point of having a CVV2 number if it's not checked) BUT according to streamline the answer is no, not all countries have adopted and use it (i even get some results for the USA coming back as not checked).