PCI DSS Compliance Blog: Collecting and Storing AVS, While Staying Within the PCI DSS Requirements


03/25/2011

Collecting and Storing AVS, While Staying Within the PCI DSS Requirements

The Address Verification System (AVS) is another system used to verify the identity and validity of the person claiming to own the credit card. This security measure can be reviewed in addition to the CVC/CVV2 card information, as we discussed in last week’s blog article.

On all manually entered/card-not-present transactions, merchants are encouraged to collect the AVS information in order to achieve the best processing rate. If AVS information is not provided, the issuing bank may downgrade the transaction, requiring the merchant to pay a higher interchange rate. This is in contrast to the Security Code (CVV2/CVC2) information, which has no impact on interchange fees.

For merchants using business management software applications with integrated processing modules, the software application will prompt for AVS information such as billing address and ZIP code. This allows merchants to verify the information against the cardholder information on record at the issuing bank. The verification process has three potential outcomes: a match, a partial match or no match. A “no match” is a strong indicator of credit card fraud. Based on this information, it is up to the merchant to decide whether to accept or reject the transaction or request additional identity verification.

Merchants can still stay within the requirements of the PCI DSS while storing AVS information. This information is not considered sensitive cardholder information; therefore, storage is not prohibited by the PCI DSS.

For more information on how to meet PCI DSS requirements, please take a look at our PCI Compliance Guide.
