Should you require CVV or AVS for phone orders?

Why check for address instead of CVV for mail orders to protect against fraud? Shouldn’t CVV or CVV2 be checked before anything else? The difference really lies in the way your firm processes orders and the need to be PCI Compliant.

MO/TO or MOTO stands for Mail orders/telephone orders. The same rules apply for fax orders.

Mail orders or fax orders generally involve a pre-printed form returned with the buyer's selection and pricing. The card is then scanned with an OCR device or the order is keypunched. BEWARE: if your form asks for the CVV2 or CID code, this presents a security risk from the moment it leaves the sender's hands. Therefore, when the order is received, the merchant MUST PROTECT THIS DATA AND MUST NOT STORE IT. You can also choose a way to process the order that does not require a CVV2 code but still protects the merchant from fraud. AVS, or address verification, then becomes essential to prevent fraud. If you use a virtual terminal, it should require an AVS check.

If you complete phone orders by keypunching the cardholder's data while on the phone with the customer, you can ask for the security code. The assumption is that you are using a PCI Compliant solution, whether software or a virtual terminal, that does not store the security data. A secure method such as a virtual terminal can prompt for the CVV2 code and also perform an address check. There is still some risk in taking CVV2 over the phone because the data is exposed to whoever handles the order. If the merchant writes down transaction information to be keypunched later, employees should avoid writing down the CVV2 whenever possible; if it is written down, follow the special PCI Compliance standards to protect the data temporarily until it is securely shredded.

The AVS response can be a full match, partial match, no match, unavailable, or retry.

Full match – both the zip code and address match.

Partial match – only the zip code or the address matches, but not both. You may wish to determine what risk you are willing to assume based on the order value.

No match – zip and address don’t match. This is a sign of fraud and further steps should be taken to verify it’s a valid transaction. If you’re on the phone, ask questions and get the CVV. If you’re not on the phone, you might want to invest time in a little research depending on the value of the order. For example, I’ve used whitepages.com to research name, phone and address. If the person moved, there could be a legitimate reason, but the person should be able to recite their old address.

Unavailable – the system is unavailable or the card issuer does not support it. US card issuers must support AVS, but this is not true worldwide. For merchants that have a lot of transactions from foreign customers, requiring AVS can be a problem because those cards can’t pass. However, all cards should be able to pass CVV. Merchants lose all chargeback prevention rights for card-not-present transactions if the CVV or AVS response is U.

Retry – the card issuer’s system is unavailable; try again later.

For more details, please see the Visa Card Acceptance Guide.

If the merchant performs an address check and gets a full match, and also has a CVV match, they’ll be in a better position to win chargeback disputes. However, your customer types, order processing methods, employees and industry are all factors in assessing risk and determining which steps are best for you to mitigate it. Whatever methods you choose, be sure to communicate the policies to employees and always review the PCI Data Security Standards.

CenPOS is a technology solution with numerous controls to help management set criteria globally and down to the cashier level. Settings include AVS (full and partial) and CVV plus dollar thresholds.

In conclusion, whether you require CVV2 or not is a business decision for MOTO transactions. You must weigh the risk of having CVV2 data exposed until you’ve used it and shredded it against the risk of credit card fraud if you don’t take it. For small-ticket orders, you might wish to skip it to reduce data exposure. For large-value orders, you may not want to risk your product going out the door. In that case, be sure to have a PCI Compliance program in place and train employees. AVS should be required to pass without exception.
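The AVS response handling above and the dollar-threshold policy from the conclusion, written out as a decision routine. This is an added example, not code from the article or from CenPOS; the result-code names and the two dollar thresholds are assumptions chosen for illustration, and the routine deliberately receives only the processor's AVS/CVV result codes, never the CVV2 digits themselves, so it has nothing sensitive to store.

```python
from dataclasses import dataclass
from enum import Enum


class AvsResult(Enum):
    FULL = "full"            # address and ZIP both match
    PARTIAL = "partial"      # only one of address / ZIP matches
    NO_MATCH = "no_match"    # neither matches
    UNAVAILABLE = "U"        # issuer does not support AVS, or system down
    RETRY = "retry"          # issuer system temporarily unavailable


class CvvResult(Enum):
    MATCH = "match"
    NO_MATCH = "no_match"
    UNAVAILABLE = "U"
    NOT_COLLECTED = "not_collected"   # merchant chose not to ask for CVV2


# Dollar thresholds are illustrative assumptions, not figures from the article.
SMALL_TICKET_LIMIT = 50.00    # up to this amount CVV2 may be skipped to limit exposure
PARTIAL_AVS_LIMIT = 250.00    # a partial AVS match is tolerated only up to this amount


@dataclass(frozen=True)
class Decision:
    action: str   # "approve", "review", "retry" or "decline"
    reason: str


def decide_moto_order(amount: float, avs: AvsResult, cvv: CvvResult) -> Decision:
    """Apply the MOTO policy to the processor's AVS/CVV *result* codes.

    Only result codes are passed in; the raw CVV2 digits never reach this
    function, so nothing here can log or persist them.
    """
    if avs is AvsResult.RETRY:
        return Decision("retry", "issuer AVS system unavailable, resubmit later")
    if avs is AvsResult.UNAVAILABLE or cvv is CvvResult.UNAVAILABLE:
        return Decision("review", "U response: no chargeback protection, verify manually")
    if avs is AvsResult.NO_MATCH:
        return Decision("review", "address and ZIP do not match, verify cardholder first")
    if cvv is CvvResult.NO_MATCH:
        return Decision("decline", "CVV2 does not match")
    if cvv is CvvResult.NOT_COLLECTED and amount > SMALL_TICKET_LIMIT:
        return Decision("review", "CVV2 required above the small-ticket limit")
    if avs is AvsResult.PARTIAL and amount > PARTIAL_AVS_LIMIT:
        return Decision("review", "partial AVS match exceeds the partial-match limit")
    return Decision("approve", "AVS and CVV results within policy")
```

A "review" outcome is meant to trigger the manual steps the article describes (questions on the phone, researching the cardholder) rather than an automatic decline.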