AVS, credit cards and name checks

General Questions
#1

In this thread furt blames the Obama campaign for not checking that the names in the credit cards belong to the people who make the payments. I posted that this is not possible with the system currently in place. AVS merely checks that the numerical parts of the address coincide with the ones in the bank’s database.

From furt’s cite:

The journalist suggests that there is such system. I am a partner in an internet retail company and even with internet security and fraud protection being at the forefront of the business, this is not something that can be done, AFAIK. A check usually consist in AVS and CVV2 check.
Am I wrong? Have I being misinformed by the biggest credit card processor in the US (which we use)? Is there such system, and where can I get hold of it?

#2

I used to be an assistant controller, so I am familiar with the CC schemes.

There are several types.

The first kind you just take the number. The problem with this is, it’s called a “not present.” What this means is if the charge is disputed, the company loses automatically. You have no recourse.

The second type requires you to verify the zip code and the EXACT name to the card. If the charge come back disputed you have a bit more room to fight the dispute. But it’s obvious you could charge this way if you found a bill, rather than the card

The third type verifies the EXACAT name, the zip code, and the CID (three or four digit number on the back of the card). This is the strongest verification they have. But it’s still a card not present.

Now you may ask why the levels? The levels are for cost. The higher the level the more the credit card company charges per transaction. So if you run a business and get one or two chargebacks a year, it won’t be worth the extra cost to get a third level verification. It’s cheaper to take the hit for one or two disputes than to pay the cost of the extra security.

Now what about the address, it’s kind of a trick question. The THIRD level verification REQUIRES that the seller takes down the address EXACATLY as it appears on the bill to be valid.

So while the third level verification doesn’t check the address, but in order to be covered in the event of a dispute that address HAS to match the address on the bill. If it doesn’t match and there is a dispute the credit card company can (but doesn’t have to) rule against the merchant for failing to get the correct information.

This is why unless you sign for a purchase, you will almost always win in a dispute. If you can’t produce that signature it’s tough luck for the merchant. This is why if you write “See ID” instead of signing the merchant will lose. When you report a card as lost or stolen, the first thing they ask is “Did you sign your name on the back of the card.” If the person says “no,” the credit card company is off the hook and the merchant bears the cost.

Of course if you fraud a merchant once, you’ll probably get away with it, but if you do it a lot, the credit card company will easily get wise.

But when you look at the cost of business, it often pays to take a hit. Like Walgreens doesn’t require a signature on a credit card less than $50.00. Why? Because the chargebacks aren’t enough to warrent the cost. It’s better to speed people through the lines and if someone disputes, just take the hit

#3

Can you provide a cite as to the system that checks the name entered against the name on the credit card, not that I think you are necessarily wrong, just that the cc processor told us that such thing did not exist. I have yet to find any info on it.

ETA: I am talking about card-not-present transactions (internet mostly).

#4

First off, to answer the OP, yes, some AVS setups can capture the billing name, but it’s certainly not the default in most online setups.

I’d like to see a cite for your various “levels” as it applies to online transactions. Last time I checked, the standard AVS matching method of the numeric values from street address and zip code were plenty to take penalties off the table. In fact, many times only one of those needs to match. Even if chargebacks occurred, as long as their were no penalties, it would cost the campaign nothing, and would prevent them from losing potential donations simply due to someone making a typo while entering their name.

In other words, since the campaign has nothing to lose, except potential donations, why throw completely unnecessary hurdles in front of the user? In today’s internet marketplace, requesting the bare minimum amount of information is an excellent way of improving conversion rates online. You want to know the name of my first born, my fax number, spouse’s name, work address, etc? I don’t give a damn what your privacy policy is, I’m not going to continue my transaction. Want an e-mail address so that you can respond to my request for more info, or maybe a weekly e-mail update that I can easily opt out of? No problem.

#5

I don’t doubt that, my question is if there is a system that can check the name entered against the name of the credit card and return a match/don’t match answer. AFAIK the system only check numeric parts.

#6

I managed billing and payment systems at a large online merchant for a few years ('98-'03) and we did not have the ability to match on names. We could submit CCV codes (or whatever you want to call them), zip codes and the numeric parts of the street address. That was it. We worked with Chase Merchant Services as the merchant acquirer. We also had a third-party fraud rating service that did use some of that information but it used heuristics to detect fraud, and this was totally unrelated to the bank’s authorization.

My experience was that this was not according to “levels.” We could send address and/or zip and/or CCV. The address/zip data would not give us any protection against chargebacks, but would help prevent fraud. Providing the CCV code *did *protect us against chargebacks if there was a claim that the cardholder did not authorize the transaction, as the associations considered it equivalent to getting a signature in a card-present transaction. They guaranteed we would be paid if we authorized with a CCV.

#7

Maybe there’s some intelligence in the system. I have no idea what my official address is, and I probably right it differently all the time. And it’s not a simple variation, but a combination.
For example, is my street “Sample North” or “North Sample”? Is it “Dr.” or “St.”? Heck, do I live in Clinton, Clinton Twp., or Clinton Township?
Honestly, I have no idea. My ZIP+4 is really all I need, I think, but my card is never rejected. I don’t know if it’s a smart algorithm, of if they just don’t check.

#8

What **CookingWithGas **wrote matches exactly with what I have been told by people that know more than me, namely the company that provides us with service and countless other business publications I subscribe to. I am open to consider that there is a flaw in my knowledge, but I am more inclined to disbelieve half-informed journalists (furt’s cites) than industry experts.

#9

Your “official” address is the one that your bank uses when they send your bills. Not all merchants validate addresses; IIRC there is an extra fee involved. And it’s only the numeric part. If your street address is

1234 Maple Ave.

and you give a merchant your address as

123 Pine St. Apt. 4

the merchant will get a match from the validation. I don’t know if I still have all my interface specs around but I saw a similar example in documentation from our acquirer.