Collecting and Storing AVS, While Staying Within the PCI DSS Requirements
The Address Verification System (AVS) is another system used to verify the identity and validity of the person claiming to own the credit card. This security measure can be reviewed in addition to the CVC/CVV2 card information as we discussed in last week’s blog article.
On all manually entered/card-not-present transactions, merchants are encouraged to collect the AVS information in order to achieve the best processing rate. If AVS information is not provided, the issuing bank may downgrade the transaction, requiring the merchant to pay a higher interchange rate. This is unlike the Security Code (CVV2/CVC2) information, which has no impact on interchange fees.
For merchants using business management software applications with integrated processing modules, the software application will prompt for AVS information such as billing address and ZIP code. Merchants can then verify this information against the cardholder information on record at the issuing bank. The verification process has three potential outcomes: a match, a partial match or no match. A “no match” is a strong indicator of credit card fraud. Based on this information, it is up to the merchant to decide whether to accept or reject the transaction or request additional identity verification.
Merchants can still stay within the requirements of the PCI DSS while storing AVS information. This information is not considered sensitive cardholder information; therefore, storage is not prohibited by the PCI DSS.
For more information on how to meet PCI DSS requirements, please take a look at our PCI Compliance Guide.