AVS Check Failed: Is AVS for Fraud Detection Still Relevant?
The address verification system (AVS) has been one of the most relied upon forms of fraud detection for years. It checks the billing address submitted by the card user during checkout with the billing address on record at the issuing bank. The credit card processor indicates how much of a match there is to the merchant and then the transaction will either be accepted or rejected based on this information. But as we see more good orders get declined and more fraudulent orders passing through this system, is it time to do away with AVS? Just how relevant is AVS anymore?
Why It Doesn’t Work
AVS checks feel outdated because they are. It was introduced as a means to block fraudsters who were attempting to steal credit card numbers without a legitimate address. Now addresses are sold along with the other credit card details on the dark web to work around AVS. Another limitation of AVS is that it’s only valid in the US and Canada, and partially in the UK. At times, it feels like AVS causes more harm than good by over-declining good orders and limiting revenue potential. These are the reasons why AVS falls short when it comes to fraud detection:
There are plenty of legitimate reasons why someone’s billing address may not match the one listed with their issuing bank. Sometimes people forget which address they listed with the bank, especially if they own multiple homes. But oftentimes, people just forget to update their bank when they move. An AVS check would decline a customer who moved and entered their new address as a billing address just because they forgot to update that information with the bank.
In some cases, merchants also require a shipping address to match the billing address during an AVS check. When that happens, there are many legitimate orders that get declined due to a mismatch. Some of the most frequent cases include people who ship packages to their office instead of their home, college students who use a parent’s credit card to ship something to their dorm, or sending a gift to someone else. And for convenience, many merchants include a box that defaults to “shipping address is the same as billing address” and unless customers uncheck it and properly fill it out, they might get declined. Merchants risk losing good customers after getting declined for these common mistakes. If AVS is over-declining legitimate orders, it may be time to consider a different method.
AVS is only widely used in the US and Canada and partially in the UK. As a result, this can create issues for international customers that want to make a purchase from a US site. The AVS check is looking for a positive indicator of a match and if it can’t find one or it’s unsupported, like in China or France, it assigns a “no positive AVS” to the transaction and usually results in a decline. This closes off merchants to international customers placing legitimate orders because of a technicality. Additionally, many international customers may want to use a reshipper to receive the goods or will send items to a friend. Again, this poses a problem where the billing and shipping addresses will not align for a legitimate reason.
Easy for Fraudsters
AVS is not the most sophisticated verification system, and it’s easy for fraudsters to bypass the check. If a zip code match is enough to pass, all the fraudster needs is to find a credit card with the same zip code that they intend to ship to, which is readily available on the dark web. In other cases, the merchant only requires that the phone numbers under billing and shipping match, which can be even easier to deceive.
One of the more common and less sophisticated ways that AVS fails involves fraudsters picking an address with a street number that matches the victim’s in the same zip code. Since AVS is not very advanced, it sees 62 Grand Street in zip 10001 for billing and 62 Main Street in zip 10001 for shipping and approves the order.
As merchants have become more privy to these tactics, AVS checks have become stricter, but that hasn’t stopped fraudsters. They use more sophisticated data scrambling to trick the system. Address stuffing uses the victim’s billing address in the first address line so that it passes the check, but then leverages the second and third address lines to enter the address they actually want the package shipped to. Sometimes, this confuses the fulfillment system and the result is that the fraudster receives the package at their address of choice (entered in lines 2 and 3) while deceiving the AVS check.
Why We Still Need It
Yes, AVS is clearly flawed based on the reasons we’ve just outlined, but it’s still one of the most significant features used in detection models. A full AVS match is highly correlated with order legitimacy, which gives us more confidence to approve the order. For all its flaws, it still filters out fraud, so maybe we can’t fully do without AVS. But for AVS to remain relevant, it needs to be used in the right context and monitored closely. Partnering with a fraud prevention vendor can help merchants leverage AVS within the context of hundreds of other variables that determine order legitimacy. With this wider network of information, merchants will improve the customer experience and maximize revenue by avoiding false declines. AVS is still relevant, but not if it’s the only measure of fraud.