The following standard transaction security settings are recommended for all payment gateway accounts as a general way to identify and prevent suspicious transactions.
Address Verification Service (AVS) Filter
Credit Card Verification (CCV) Filter
Address Verification Service (AVS) Filter
Bankcard processors implemented the Address Verification Service (AVS) to aid merchants in the detection of suspicious transaction activity. The payment processing network compares the billing address provided in the transaction with the cardholder’s address on file at the credit card issuing bank. The processing network returns an AVS response code that indicates the results of this comparison to the payment gateway. You can configure your account to reject certain transactions based on the AVS code returned. For example, the AVS code “A” indicates that the street address matched, but the first five digits of the ZIP Code did not.
The following result codes are possible.
AVS CODE |
DESCRIPTION |
A |
The street address matches, but the 5-digit ZIP code does not |
B |
Address information was not submitted in the transaction information, so AVS check could not be performed |
E |
The AVS data provided is invalid, or AVS is not allowed for the card type submitted |
G |
The credit card issuing bank is of non-U.S. origin and does not support AVS |
N |
Neither the street address nor the 5-digit ZIP code matches the address and ZIP code on file for the card |
P |
AVS is not applicable for this transaction |
R |
AVS was unavailable at the time the transaction was processed. Retry transaction |
S |
The U.S. card issuing bank does not support AVS |
U |
Address information is not available for the customer's credit card |
W |
The 9-digit ZIP code matches, but the street address does not match |
Y |
The street address and the first 5 digits of the ZIP code match perfectly |
Z |
The first 5 digits of the ZIP code matches, but the street address does not match |
Note: AVS responses B, E, R, G, U, S and N are the default payment gateway AVS transaction rejection settings, meaning that when these codes are returned, transactions are automatically rejected by the payment gateway. You can modify these default settings in the Merchant Interface.
To configure transaction rejection settings based on the AVS response code:
Log on to the Merchant Interface at https://secure.authorize.net
Select Settings under Account in the main menu on the left
Click Address Verification Service in the Security Settings section
Click to select the check box(es) next to the AVS codes for which the payment gateway should reject transactions
Click Submit
Transactions will be processed against your rejection criteria immediately.
Note: In order to use the AVS filter, you need to require the billing address and ZIP code fields when collecting payment information from your customers. Please communicate these requirements to your Web developer.
Tips for using AVS:
AVS response code N (neither the street address nor the ZIP code matches the address and ZIP code on file for the card) is the most fundamental AVS check. Select N to implement the most basic AVS protection from suspicious transaction activity.
If you choose not to select N, then there is no need to select the following response codes: B, E, R, G, U, and S. These codes indicate that the address could not be verified by the card issuer. If transactions are NOT being rejected when they are returned with an N response, then it is unnecessary to reject transactions that could not be verified with the issuer.
To avoid errors when accepting gift credit cards (stored-value cards with a Visa, MasterCard, Discover or American Express logo), you will need to deselect the U response code. For this type of transaction, the customer’s billing address will most likely not be associated with the gift card, or will not exist on file at the issuing bank.
Not all banks outside the United States will return the G, U and S response codes. Therefore, this code is not absolutely effective for limiting suspicious transactions from outside of the United States.
If you want to accept International payments, you must deselect the G, U and S response codes.
The desired response code in most cases is Y (the street address and the first 5 digits of the ZIP code match perfectly). Select this response code for rejecting transactions only after very careful consideration, because legitimate matches may be rejected when Y is selected.
The AVS filter is designed to provide a basic level of protection from suspicious transactions. However, the AVS filter is not intended for use as an absolute protection nor is it intended for use in all processing scenarios because there are many reasons why an address and ZIP code may not match. You are not required to reject a transaction due to an AVS mismatch, but it is recommended that you enable some level of address verification. However, most banks and Merchant Service Providers require use of the AVS system in order to avoid non-qualified transaction surcharges (typically an additional 1%). For this reason, it is recommended that you enable some level of address verification to avoid non-qualified transaction surcharges. Please note, however, that you are responsible for applicable transaction fees incurred for transactions declined due to an AVS mismatch (as with any other declined transaction).
If your business has a low risk factor, or potentially paying a non-qualified discount rate will not adversely affect your business, you may consider being lenient in your application of the AVS filter. Conversely, if you anticipate a high frequency of suspicious transaction activity or if you are incurring abnormally high discount rate charges, the AVS filter may be an appropriate method of protection.
Credit Card Verification (CCV) Filter
The Credit Card Verification Code, or Card Code, is a three- or four-digit security code that is printed on the back of credit cards (or on the front for American Express cards) in reverse italics in the card’s signature panel.
Figure 1. Finding the card code on a credit card
You can choose to collect this information from the customer and submit the data to the payment gateway as another method for authenticating credit card transactions submitted through your account. The payment gateway will pass this information to the credit card issuer along with the credit card number. The credit card issuer will determine if the value matches the value on file for the customer’s credit card and return a code to the payment gateway indicating whether the code matched, in addition to indicating whether the card was authorized. You can configure the payment gateway to reject transactions based on the code returned.
CARD CODE RESPONSE |
DESCRIPTION |
N |
The Card Code does not match |
P |
The Card Code was not processed |
S |
The Card Code was not indicated |
U |
Card Code is not supported by the card issuer |
Note: There are no default payment gateway settings for the Card Code filter. To use this feature, you will need to configure the appropriate rejection settings.
To configure transaction rejection settings based on the Card Code response:
Log on to the Merchant Interface at https://secure.authorize.net
Select Settings under Account in the main menu on the left
Click Card Code Verification in the Security Settings section
Click to select the check box(es) next to the Card Code responses for which the payment gateway should reject transactions
Click Submit
Note: In order to use the CCV filter, you need to require the Card Code field either on the payment gateway hosted payment form or your own custom payment form. Please communicate these requirements to your Web developer.
Password-Required Mode is a security setting that requires the account Transaction Key to be submitted with all transactions for authentication purposes. This setting is enabled for all payment gateway accounts by default and should always be on for SIM and AIM merchants.
To verify that Password-Required Mode is enabled for your account:
Log on to the Merchant Interface at https://secure.authorize.net
Click Settings under Account in the main menu on the left
Click Password-Required Mode in the Security Settings section
If it is unchecked, click to select the check box labeled Require Password for ALL Transactions
Click Submit
