The address and Security Code Verification Service allows the Card Holders Statement Address and/or the Card Security Code provided by your customer to be compared with the information held by the issuer when the card payment is authorized.
For an AVSCV2 transaction to be classed as successful, it must pass a minimum level of checking. This minimum level of checking is called the policy, and you decide which level is acceptable for your business.
There are three stages to the check, these are outlined below.
Obtaining an Authorization Code and AVSCV2 Check
Once the payment details have been collected and sent to Mastercard Payment Gateway Services, they are immediately sent to your Acquiring Bank for authorization. Your Bank forwards the request to the Card Issuing Bank.
The Issuing bank authorizes the transaction and compares the CV2 number, postcode and address provided against the details stored in their own systems. Each of these three elements will receive one of five bank responses.
The five bank responses are:
- No information available
- Not checked
- Not matched
- Partial match1
The authorization code and the results of the AVSCV2 check are then both passed back to Mastercard Payment Gateway Services. If the Issuer is unable to authorize the transaction, the AVSCV2 information is not returned with the transaction.
1 Only returned if you use Barclays as an Acquirer. Does not apply to the CV2 number.
Comparing the Policy
When Mastercard Payment Gateway Services receive the transaction results, they are immediately compared against your policy for the transaction. When a transaction matches your policy, the transaction response including the results of the AVSCV2 check are returned to you.
Reversing a Failed Transaction
If a transaction does not match your policy, Mastercard Payment Gateway Services will re-contact your Acquirer to reverse the transaction. A successful reversal cancels the authorization code of the transaction, ensuring that there are no funds reserved against the card. Most Issuers will reverse authorization codes immediately, though others may take longer. The full transaction response is then returned to you, including the result of the AVSCV2 check and the reversal request. A transaction which does not match your policy cannot be settled.
If you are using any of the Mastercard Payment Gateway Services Credit and Debit Card Processing Services, the AVSCV2 Service can also be used. The Service requires no additional configuration of your account.
The level of checking and cards that can be checked will depend upon your Acquiring Bank.
Transaction Processing Models
There are three different ways in which the policy can be specified for card payments.
- Default Policy – a default policy can be configured on your account. The policy is chosen from a short list of options and can be over-ridden on a per transaction basis if required.
- Standard Policy – the policy information is sent through with each transaction, over-riding any default policy. The policy is chosen from a pre-defined short list of options.
- Extended Policy – the policy information is sent through with each transaction, over-riding any default policy. There is much greater flexibility than with the standard policy.
Each time a transaction is submitted to the Mastercard Payment Gateway, it contains the information that determines the model to be used for that transaction. This ensures you have the flexibility to mix and match policies as required on an individual transaction basis – for example, you may wish to have a higher level of checking on your larger value orders.
When choosing a policy, it is important to ensure that enough information is collected from the customer to pass the check. For example: if you only collect CV2data from your customer, choose a policy which does not require the AVS information to be matched.
If you are unsure which policy to use, you may wish to initially implement a policy which will accept all responses. This will allow you to receive and monitor the results of the checks without rejecting transactions before choosing.
The default policy is the simplest way to implement AVSCV2 checking. The policy is configured against your account here at Mastercard Payment Gateway Services. It treats the address and postcode as a single element.
|Places Priority on
|Accepts transaction if
|Accepts all transactions
|The AVS elements have been checked and the data matched
The CV2 element has been checked and the data matched
|AVS and CV2
|All elements have been checked and all the data matched
|Either the AVS elements have been checked and matched, or all elements returned not checked
|Either the CV2 element has been checked and matched or all elements returned not checked
|AVS and CV2
|Either all the elements have been checked and matched, or all elements returned not checked
When a AVSCV2 check is performed using the default policy, the results of each individual element of the check are converted into a single standard response for the entire transaction. This conversion is performed using a set of rules provided by your Acquiring Bank. Further information about the conversion is available in the Support Centre if required.
The five standard converted responses are:
- ALL MATCH
- SECURITY CODE MATCH ONLY
- ADDRESS MATCH ONLY
- DATA NOT CHECKED
- NO DATA MATCHES
If you choose to use the default policy, please contact Support to configure your chosen default policy on your account prior to sending transactions.
The standard policy is very similar to default policy. If a standard policy is used, this will be used in preference to any default policy configured on the account. This gives increased flexibility, as it allows you to alter the policy on a per transaction basis.
The differences between standard and default policies are:
- A policy value of 0 (zero) cannot be used as a standard policy, only as a default policy. The remaining policies are unchanged.
- The standard policy is submitted to the DPG along with the transaction details.
The extended policy has the most flexibility of all the models. Instead of choosing from a short list of pre-defined policies, the extended policy allows you to precisely define the results of each of the elements which are acceptable to you.
When choosing an extended policy for each of the CV2, Address and Postcode elements, a decision needs to be made on whether to accept or decline each of the five bank responses.
For example, you may wish to accept transactions if the CV2 number is either matched or not checked and both the postcode and address are matched – all other responses would be rejected.
When using the extended policies, the results of each individual element of the check are returned to you in the transaction response.
To incorporate the full AVSCV2 service into your payment process, the following information needs to be collected from the card holder:
- the CV2 number
- the customers statement address
- the customers statement postcode
In addition, you will also need to choose a policy, which should either be configured on your account for default policy, or submitted with the transaction for the standard and extended policies.
If you wish to perform only part of the AVSCV2 check, the full customer details do not need to be collected.
When using the AVSCV2 Service, the basic Responses for transactions become:
- CV2AVS Declined
In addition, there are various error codes that can be produced by this service. Examples of each response type available in the Developers Guide.
For all AVSCV2 checked transactions, the results of the check and the policy used will be returned to you.
An Accepted transaction has successfully passed the AVSCV2 check with the policy chosen, and the bank has authorized the transaction.
Once a transaction is accepted, your system can complete the normal ordering process. If you are using the Two Stage model, please remember that the second stage must be completed to debit / credit the card.
If a transaction is declined the result of the AVSCV2 check will not be available.
Some Issuers may decline a transaction if the data, they receive for the AVSCV2 check does not match their records. For example: American Express have advised that they may at some stage in the future require merchants to collect all three items of data to guarantee a successful transaction.
If a transaction is referred the result of the AVSCV2 check will still be returned. If the AVSCV2 check was successful using the selected policy, you will be able to complete the transaction using an authorize_referral_request transaction as for a normal Bank Card transaction.
If the AVSCV2 check was not successful using the selected policy, then any attempt to use an authorize_referral_request will result in a CV2AVS Declined response
CV2AVS Declined Transactions
If a transaction is CV2AVS declined, the data provided by your customer failed to match your chosen AVSCV2 policy. The result of the AVSCV2 check will be returned to you, together with the authorization code and the result of the request to reverse the authorization code.
A complete list of Response Codes for this service is available here. The Support Centre also contains extensive examples for most error codes. Illustrations are given to demonstrate on how they would appear in both Reporting and an XML Response. Suggestions are also given to help you prevent them from occurring.
When a transaction has been checked using the AVSCV2 service, the details of the check will be available for each transaction on the Bank Card Details page.