Why check for address instead of CVV for mail orders to protect against fraud? Shouldn’t CVV or CVV2 be checked before anything else? The difference really lies in the way your firm processes orders and the need to be PCI Compliant.
MO/TO or MOTO stands for Mail orders/telephone orders. The same rules apply for fax orders.
Mail orders or fax orders generally involve a pre-printed form returned with the buyers selection and pricing. The card is then scanned with an OCR device or the order is keypunched. The form should not ask for the CVV or CID code as this presents a security risk from the moment it leaves the senders hands. Therefore, when the order is received, the merchant needs a way to process the order that does not require a CVV code, but still protect the merchant from fraud. The AVS or address verification becomes essential to prevent fraud. If using a virtual terminal, the terminal should require an AVS check.
If you complete Phone orders by keypunching the cardholders data while on the phone with the customer, you can ask for the CVV or CVV2 code. The assumption is that you are using a PCI Compliant solution whether it be software or a virtual terminal, that does not store the CVV data. A secure method such as a virtual terminal can prompt for the CVV code and also perform an address check. There is still some risk by taking CVV over the phone because the data is exposed to whoever handles the order. If the merchant writes down transaction information to be keypunched later, merchants should avoid requesting CVV whenever possible; if they are written down, there are few exceptions that allow this and special PCI Compliance standards need to be followed to protect the data temporarily until it is securely shredded.
The AVS response can be a full match, partial match, no match, unavailable, or retry.
Full match - both the zip code and address match.
partial match- only the zip code or address match, but not both. You may wish to determine what risk you are willing to assume based on the order value.
no match- zip and address don’t match. This is a sign of fraud and further steps should be taken to verify it’s a valid transaction. If you’re on the phone ask questions and get the CVV. If you’re not on the phone, you might want to invest time for a little research depending on the value of the order. For example, I’ve used whitepages.com to research name, phone and address. If the person moved, there could be a legitimate reason, but the person should be able to recite their old address.
Unavailable- The system is unavailable or the card issuer does not support it. US card issuers must support AVS, but this is not true worldwide. For merchants that have a lot of transactions from foreigners, requiring AVS can be a problem because they can’t pass. However, all cards should be able to pass CVV. Merchants lose all chargeback prevention rights for card not present transactions if the CVV or AVS response is U.
Retry - The card issuers system is anavailble- try again later.
For more details, please see the Visa Card Acceptance Guide.
If the merchant performs an address check and gets a full match, plus has a CVV match, they’ll be in a better position to win chargeback disputes. However, your customer types, order processing methods, employees and industry all are factors in assessing risk and determining what steps are best for you to mitigate risk. Whatever methods you choose, be sure to communicate policies with employees and always review PCI Data Security Standards.
CenPOS is a technology solution with numerous controls to help management set criteria globally and down to the cashier level. Settings include AVS (full and partial) and CVV plus dollar thresholds.
