Address Verification System (AVS) and security code checks

The Address Verification System (AVS) and security code checks add a further level of security to a transaction by checking the validity of the address and security code information supplied by the customer.


Introduction to AVS

A customer’s address is checked against the address that the card issuer holds for that card. The issuing bank will indicate to the acquiring bank whether there is a match between the entered address and the registered card address. The checks performed are focused on the house number and postcode (or ZIP code) provided by the customer.


Introduction to security code checks

The security code is a three- or four-digit number printed on credit and debit cards. It is not stored by Trust Payments, and it must never be stored by merchants.

  It is imperative that you never store the customer’s security code.

Please ensure that no log files or databases contain the security code information on your system.
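One way to keep the security code out of application logs, as an added example that is not Trust Payments code: the key names in SENSITIVE_KEYS (including `securitycode`) are assumptions about how the value appears in your own request data, and the sample strings in the comments are constructed.

```python
import logging
import re

# Assumed names under which the security code may appear in request data.
SENSITIVE_KEYS = ("securitycode", "cvv", "cvv2", "cvc")

# Matches key=value (form-encoded) and "key": "value" (JSON or dict repr)
# where the value is a three- or four-digit number.
_KEYS = "|".join(SENSITIVE_KEYS)
_PATTERN = re.compile(
    r"""(?i)(["']?\b(?:""" + _KEYS + r""")\b["']?\s*[=:]\s*["']?)(\d{3,4})\b"""
)


def scrub(text):
    """Replace any security code value in text with a fixed marker."""
    return _PATTERN.sub(r"\1[REDACTED]", text)


class SecurityCodeFilter(logging.Filter):
    """Logging filter that scrubs the fully formatted message before output."""

    def filter(self, record):
        # Format first so values passed as arguments are scrubbed as well.
        record.msg = scrub(record.getMessage())
        record.args = ()
        return True


def install(logger):
    """Attach the filter to every handler of the given logger."""
    for handler in logger.handlers:
        handler.addFilter(SecurityCodeFilter())


# Constructed inputs this is meant to catch:
#   pan=XXXX&securitycode=123&amount=1050
#   {"securitycode": "1234", "amount": 1050}
```

The same `scrub` function can be run over existing log files to find lines that need purging; the response field securityresponsesecuritycode is left untouched because it carries only the check result.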

The number is often printed on the back of the card, on the signature strip.


Alternatively, on American Express cards the security code can be found on the front of the card, on the right-hand side, above the embossed card number.


The security code that the customer has entered is checked against the security code that the card issuer holds for their card. The issuing bank will indicate to the acquiring bank whether there is a match between the entered security code and the correct security code associated with the card.


Process overview

Here is how the AVS and security code checks fit into the standard payment process:

  1. The customer agrees to a payment on your website and you submit an AUTH request to Trust Payments. The address and card details are passed on to your bank.
  2. Your bank will then contact the customer’s bank to check whether the details entered by the customer match the details held on their records.
  3. These results are returned to Trust Payments, which assigns response codes and returns this information to you in the AUTH response.

Depending on your account configuration, Trust Payments may perform certain actions on the transaction if the results of the AVS and security code checks do not meet a required standard. This behaviour is configured as part of your security policy (scroll down for further information on the security policy).

  Some acquirers will use the results of the AVS or security code checks to decline the transaction, if either the address or security code entered by the customer is incorrect. Others will authorise the transaction and allow you to decide whether or not to continue with the transaction.



Supported cards and banks

The availability of the AVS and security code check facility is dependent on the acquiring bank and card issuer, although it should be noted that most cards support this functionality.

The ability to conduct address checks is dependent on the location of your acquiring bank in relation to the location of the issuing bank of the card being presented. Most acquirers do support the process but only on locally issued cards. All UK cards and a number of US cards are address checked by all UK acquirers.

Security code checks are performed on all Visa, Mastercard and American Express branded cards worldwide and the results are checked internationally by all acquirers.

Please contact our Support Team for further information on supported acquirers and card types.


Required fields

For checks to be successfully performed on the customer’s details, the customer will need to provide their billing postcode (or ZIP code), billing premise and their card’s security code.

If this information is not present in the request to Trust Payments, we will return a “Not given” response.


Response codes

There are four different possible responses following AVS and security code checks. Each response is assigned a distinct code, as shown in the following table:

Code | Description | Comment
-----|-------------|--------
0 | “Not given” | Your acquirer was not provided with the information required to perform this check.
1 | “Not checked” | Your acquirer was unable to perform checks on the information provided.
2 | “Matched” | The information provided by the customer matches that on the card issuer’s records.
4 | “Not matched” | The information provided by the customer does NOT match that on the card issuer’s records.

  A “Not checked” response may mean that the card issuer does not support address or security code checking for the card supplied, or that the information was not provided. Most foreign-issued cards will not be address checked.

Together, the AVS and security code checks consist of three checks in total, and we assign a response code for each:

  • Card security code
  • Billing postcode (or ZIP code)
  • Billing premise


Security policy

Your account’s security policy consists of preferences on how we respond to instances where the address (premise & postcode / ZIP code) and security code entered by the customer do not directly match those found on the card issuer’s records. We can automatically suspend transactions that return certain response codes:

  By default, we suspend all transactions where the security code check returns a “Not matched” response.

To discuss or make changes to your security policy, please contact the Support Team.

You can perform AVS and security code checks without debiting the customer. This is achieved by performing an Account Check. Click here to learn more about Account Checks.


Viewing the results


The response codes described above can be viewed in the single transaction view of MyST. If you already know the transaction reference, type this into the universal search box visible at the top of every page and submit to view the single transaction view.


Alternatively, if you do not know the transaction reference, you can search for transactions by clicking “Transactions” from the left side-bar, then “Transaction search” and using the filters available to you.


You will find the security response codes under the “Security response” heading.



Notifications, Redirects and Emails

The security response code values can be returned in URL notifications, Payment Pages redirects and email notifications. These fields are not returned by default, so they must be specified as additional custom fields to be returned. The field names are securityresponseaddress, securityresponsepostcode and securityresponsesecuritycode.
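How a merchant system might interpret these three fields when they arrive in a URL notification, as an added example that is not Trust Payments code. The review rules and function names are hypothetical, the body is assumed to be form-encoded and already authenticated, and a field that was not configured to be returned is treated as unknown rather than as a match.

```python
from urllib.parse import parse_qs

# Response codes from the table on this page.
CODES = {"0": "Not given", "1": "Not checked", "2": "Matched", "4": "Not matched"}

# Field names from this page. Mapping securityresponseaddress to the billing
# premise check is an assumption of this example.
FIELDS = {
    "securitycode": "securityresponsesecuritycode",
    "postcode": "securityresponsepostcode",
    "premise": "securityresponseaddress",
}

# Hypothetical merchant-side rules: results that send an order to manual review.
REVIEW_ON = {
    "securitycode": {"Not matched"},
    "postcode": {"Not matched"},
    "premise": set(),
}

# Constructed sample body, not captured traffic.
SAMPLE = "securityresponseaddress=2&securityresponsepostcode=2&securityresponsesecuritycode=4"


def parse_security_response(body):
    """Return {check: description} from a form-encoded notification body."""
    params = parse_qs(body, keep_blank_values=True)
    results = {}
    for check, field in FIELDS.items():
        values = params.get(field)
        if not values:
            # Field not configured to be returned: unknown, never "Matched".
            results[check] = "Missing"
            continue
        if len(values) > 1 or values[0] not in CODES:
            raise ValueError(f"unexpected value for {field}: {values!r}")
        results[check] = CODES[values[0]]
    return results


def decide(results):
    """Return 'review' if a check is missing or hits REVIEW_ON, else 'accept'."""
    for check, outcome in results.items():
        if outcome == "Missing" or outcome in REVIEW_ON[check]:
            return "review"
    return "accept"
```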


Transaction query (using Webservices API)

Using the Webservices API, you can query a request to view the associated digital wallet fields. Click here for further information.

  Please note that you cannot query a transaction by including any of the digital wallet fields in the filter.



We recommend that you thoroughly test your solution before processing live payments.
Click here for test card details that you can submit when testing.
