Addressing the 3 Shortcomings of AVS


Address verification services (AVS) have fallen behind modern fraudsters’ tactics. Once a familiar frontline tool for card-not-present fraud detection, AVS today bloats review queues and may even increase risk of fraud loss for many online merchants. Don’t hold your breath for a system update. The potential for extra friction in the buyer’s journey, not to mention the variability of address formatting from one country to the next, makes that unlikely. To compensate, incorporate other fraud prevention solutions like identity fraud risk management, a chargeback management service or a full-service cloud platform.

If it’s so flawed, why use AVS at all? It is a low barrier, but one that may still deter unsophisticated fraudsters. More importantly for merchants, banks use AVS as a qualifier for lower cost interchange categories. Skipping AVS may incur a 1% transaction surcharge on interchange fees and forfeit a merchant’s representment rights.

Despite the incentives, merchants have several reasons to distrust AVS: it offers fraudsters loopholes of varying complexity, its susceptibility to human error drives false positives, and it’s ill-equipped for global commerce. Before we explore those shortcomings and our fraud solution providers’ remedies, let’s review how AVS works.

How AVS Works

  1. The customer submits billing information along with their card-not-present order.
  2. The payment gateway passes the customer’s street number (e.g. 220) and zip code to the customer’s credit card brand, which forwards the information to the issuer.
  3. The issuer compares the supplied numbers against those stored on the customer’s file.
  4. The payment gateway forwards the issuer’s AVS response code to the merchant.
  5. The merchant decides whether to approve, reject or review the customer’s order.

Dozens of possible response codes could return, from a ‘complete match’ to ‘no match’ to many possible partial matches (e.g. ‘ZIP matches, address not verified’). Merchants who hold out for complete matches may encounter less fraud, but they’re sure to miss out on more sales from legitimate customers. Doesn’t sound like much of a deal, does it?

How to compensate for AVS’s shortcomings

Frustrations with AVS vary from merchant to merchant. Loopholes may cause the most pain for some. False positives may cut deeper into others. No one’s happy that geographical coverage has remained static while e-commerce has expanded around the world. Three fraud solution providers–Signifyd, ID Analytics and Chargebacks911–explain how their respective categories of technology help to compensate for AVS’s shortcomings.

Shortcoming #1: Loopholes that fraudsters exploit

AVS’s dependence on information in the cardholder’s account makes it susceptible to several schemes. First, correct answers to AVS’s challenge question are readily available on the dark web. Experian estimated that credit card information with a consumer’s fullz, i.e. a package of their entire personal identifying information, cost just US$30 in December 2017. Second, sophisticated criminals can sidestep AVS by ordering a new credit card to a drop address. Third, less patient criminals can take advantage of AVS’s ‘blindness’ to duplicate address numbers. In an urban zip code, two or more (or many more) addresses may share the same street number (e.g. 220). AVS won’t detect that kind of ambiguity.

How providers close these loopholes

“At Signifyd, we say that there are three personas in any CNP transaction: the buyer, the cardholder and the receiver of the purchase,” says Tim Davis, Signifyd’s Director of Risk Consulting. “The more connections you can confirm between those three personas, the more confident you can be in the legitimacy of the purchase.”

A positive match from AVS provides one such connection: between the cardholder and the receiver. But fraud professionals need to establish more connections between the personas. So, full-service cloud platforms like Signifyd combine proprietary and third-party data sources that can, for example, integrate the history of a buyer’s transactions. More purchasing histories drawn from more merchants give these providers more material with which to establish connections between the personas involved in the purchase.
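The comparison described under "How AVS Works", together with the duplicate street number ambiguity and the idea of confirming further connections, can be seen in a short added example (not code from this article or from any provider named in it). The result labels, the sample addresses and the merchant_decision policy with its other_links_confirmed count are assumptions made for illustration.

```python
import re

# Constructed issuer record for one cardholder (not real data).
ON_FILE = {"street": "220 Elm Street Apt 4", "zip": "10001"}

def avs_digits(street, zip_code):
    """Reduce an address to what AVS forwards: street number and 5-digit ZIP."""
    m = re.match(r"\s*(\d+)", street)
    return (m.group(1) if m else "", re.sub(r"\D", "", zip_code)[:5])

def avs_result(supplied_street, supplied_zip, on_file=ON_FILE):
    """Issuer-side comparison. Labels are illustrative, not a card network's codes."""
    num, zip5 = avs_digits(supplied_street, supplied_zip)
    file_num, file_zip = avs_digits(on_file["street"], on_file["zip"])
    street_ok = num != "" and num == file_num
    zip_ok = zip5 != "" and zip5 == file_zip
    if street_ok and zip_ok:
        return "full_match"
    if zip_ok:
        return "zip_only"
    if street_ok:
        return "street_only"
    return "no_match"

def merchant_decision(avs, other_links_confirmed):
    """Hypothetical policy: AVS is one signal among several. A full match with no
    other confirmed link is reviewed, and a partial match is not rejected outright."""
    if avs == "full_match":
        return "approve" if other_links_confirmed >= 1 else "review"
    if avs in ("zip_only", "street_only"):
        return "approve" if other_links_confirmed >= 2 else "review"
    return "review" if other_links_confirmed >= 2 else "reject"

# Constructed checkout submissions.
SAMPLES = {
    "cardholder": ("220 Elm Street Apt 4", "10001"),
    "same number, different street": ("220 Oak Avenue", "10001"),
    "moved, bank not notified": ("17 College Road", "10001"),
    "ZIP+4 entered": ("220 Elm St", "10001-4321"),
}

if __name__ == "__main__":
    for label, (street, z) in SAMPLES.items():
        print(f"{label:32} -> {avs_result(street, z)}")
```

The second sample returns a full match even though the street differs, which is why the policy function does not approve on AVS alone.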

Kevin King, Director of Product Marketing at ID Analytics, adds: “We scan for anomalies associated with the physical address–for example, ‘How many people have used the address in the last hour, day, week and so on?’ and ‘What is their history with that address?’–but also other anomalies associated with a consumer’s identity.”

If fraudsters use a consistent email address across several stolen identities, King says, then associating anomalies in the physical address with that email could help prevent fraud in the future.
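The address velocity questions and the email link described above can be expressed as detection logic over order events. This is an added example, not ID Analytics's method or code from this article; the order records, the window names, the max_per_hour threshold and the flag_order rule are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed order events: (timestamp, normalised shipping address, customer name, email)
ORDERS = [
    (datetime(2018, 3, 1, 9, 0),  "220 ELM ST 10001", "A. Jones",  "aj@example.com"),
    (datetime(2018, 3, 1, 9, 20), "220 ELM ST 10001", "B. Smith",  "drop77@example.com"),
    (datetime(2018, 3, 1, 9, 45), "220 ELM ST 10001", "C. Nguyen", "drop77@example.com"),
    (datetime(2018, 3, 3, 14, 0), "9 PINE RD 60601",  "D. Patel",  "drop77@example.com"),
    (datetime(2018, 2, 25, 8, 0), "9 PINE RD 60601",  "E. Brown",  "eb@example.com"),
]
WINDOWS = {"hour": timedelta(hours=1), "day": timedelta(days=1), "week": timedelta(weeks=1)}

def address_velocity(orders, address, now):
    """Distinct customer names seen at `address` within each window ending at `now`."""
    out = {}
    for label, span in WINDOWS.items():
        names = {n for ts, addr, n, _ in orders
                 if addr == address and now - span <= ts <= now}
        out[label] = len(names)
    return out

def emails_spanning_identities(orders, min_names=2):
    """Emails reused across several customer names, with the addresses they touched."""
    names, addrs = defaultdict(set), defaultdict(set)
    for _, addr, name, email in orders:
        names[email].add(name)
        addrs[email].add(addr)
    return {e: sorted(addrs[e]) for e in names if len(names[e]) >= min_names}

def flag_order(orders, address, email, now, max_per_hour=2):
    """Hypothetical rule: list the reasons an order should go to manual review."""
    reasons = []
    if address_velocity(orders, address, now)["hour"] > max_per_hour:
        reasons.append("address_velocity")
    if email in emails_spanning_identities(orders):
        reasons.append("email_reused_across_identities")
    return reasons
```

The order to 9 PINE RD shows no unusual velocity of its own, yet it is flagged because its email was already seen under other names at the address that did.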

Monica Eaton-Cardone, COO at Chargebacks911, offers a different perspective. “Most chargebacks are friendly fraud, rather than criminal fraud,” she says. “Merchants tend to assume that it’s the other way around, and so they base fraud strategies around inaccurate fraud data. They deploy anti-fraud tools like AVS ineffectively, creating a feedback loop that produces more fraud and more inaccurate data, without addressing the real problem of friendly fraud.”

If that’s the case, a chargeback management solution that brings machine learning into the merchant’s existing systems will produce better data about fraud and chargebacks. That feedback will add context to AVS’s results, fueling solutions like Signifyd’s and ID Analytics’s, and enabling fraud professionals to identify more fraud correctly.

While fraudsters work to take advantage of AVS’s loopholes, consumers just want to complete their purchases. Their honest mistakes could cause AVS to fire a mismatch response code and generate a false positive.

Shortcoming #2: Mistakes that drive false positives

A bank employee miskeys a customer’s data. An e-commerce customer provides address information at checkout that differs from the address on her bank account. A college student neglects to notify his card issuer for several weeks after he moves. With the vast possibilities for human error, a partial or complete mismatch from AVS could return for dozens of innocent reasons. Every one of them jeopardizes the transaction.

How providers account for human error

“False positives are a major problem for retailers, costing them an estimated $118 billion every year due to declined orders, resources invested in manual review, and additional overhead. The real problem is that merchants apply overly stringent standards out of a fear of fraud, and by extension, chargebacks,” says Chargebacks911’s Eaton-Cardone. “A good chargeback management service can help merchants review their compliance standards and fine-tune responses. This allows for more accurate use of AVS and other tools, reducing the risk of false positives.”

Signifyd overcomes the problem of AVS mismatches by enriching its transaction information with third-party data sources. In the case of the transient college student, it looks for validators of the mismatch, for example that the shipping address goes to a college, which would cause a mismatch response. Links from social media or other sources could help tie the buyer to the correct address, or connect the billing and shipping addresses.

Whatever the solution, merchants need help reducing false positives. Among the 1,196 risk and fraud executives who replied to the 2017 LexisNexis® True Cost of Fraud Study, 21.5% of participants’ declined orders were false positives. That percentage could increase as more merchants begin selling to more parts of the world.

Shortcoming #3: Ill-equipped for global commerce

AVS operates in the United States, Canada and the United Kingdom. That’s problematic for merchants everywhere, especially in consideration of the $2.3 trillion that eMarketer estimates was spent in 2017 around the world on retail e-commerce (a 24.8% increase over 2016).

How providers offer global coverage

“Plenty of merchants refuse to operate in higher-risk markets where tools like AVS don’t work even though many of these locations are fast-growing and present opportunities,” says Chargebacks911’s Eaton-Cardone. “A chargeback management service that operates on a global scale can help that.” By outsourcing chargeback management, sellers can externalize the risk of operating without AVS.

To prevent the possibility of chargebacks in the first place, fraud professionals need geographically agnostic ways to make decisions. To make connections between the different personas and their transactions – regardless of geolocation – fraud professionals may incorporate device fingerprinting or behavioral biometrics.

“A number of quality technologies evaluate the risk of the device used to initiate the transaction,” adds ID Analytics’s King. “Does the device look compromised by a hacker? Is the device hiding its true location or IP address? Most of these technologies do not have geographical limitations, a big plus for international merchants. Also, many of these technologies assess the user behavior to get a sense of whether they may be a bot or a fraudster. Are they clicking through pages and typing with normal consumer behavior? Are they credential stuffing?”

AVS is no longer relevant

You get it. The address verification system is losing relevance. Even if it were updated to validate the entire address–street, city, state/province, and even country–it would still strain under its loopholes, it would invite even more human error, and it would need new flexibility to accommodate other countries’ address conventions. End your reliance on an outdated system chock full of loopholes. Find up-to-date solutions to protect your business in the curated list of fraud solution providers on this site.