Giving the right response – AVS and declined card messages

When you integrate a website with a payment gateway, you have to decide what to show your customer when a transaction is declined, or if their card received an AVS or CVV mismatch response. As simple as this may sound, doing it wrong can drastically impact a customer’s desire to change their information and try again.

In the past, I have supported giving a visitor a single response for any decline, AVS mismatch, error or otherwise because it eliminated one of the lesser-known types of online fraud. Card testing is not something that should be overlooked, because it can have severe consequences that many business owners are not aware of.

After some long-term observation, I think that there is a better way to handle card testing while increasing the chances of a prospect becoming a customer. Depending on how your customers react to their transaction not going through as planned, it’s possible to lose a measurable amount of sales by not displaying the correct message.

1.) The first step is blocking the IP’s that card testing often comes from. In almost every situation I can think of, blocking IP addresses is ineffective at best, but in this one, it works fairly well. I’ve analyzed a lot of card testing attempts on many websites over the past five years, and nearly every one of them has come from an address that falls in one of these IP addresses.

2.) The next step is to develop an error message for different responses that you get from your payment gateway. These should be broad, but specific enough for your customer to understand what they need to do to correct the situation. Too broad and your customer doesn’t know what they need to do. Too detailed and the card testing thing may become an issue again.

Example:

General decline: We’re sorry but your credit card was declined. Please use an alternative credit card and try submitting again. If you experience further problems, please call us at 555-555-5555 to complete your transaction over the phone.

AVS mismatch, error, unavailable: We’re sorry but it appears that the billing address that you entered does not match the billing address registered with your card. Please verify that the billing address and zip code you entered are the ones registered with your card issuer and try again. If you experience further problems, please call us at 555-555-5555 to complete your transaction over the phone.

AVS tips:
I do not recommend full street address matching with AVS. Your customer’s don’t need to know exactly what you match with regards to AVS. While the system works in theory, it is prone to errors, and more often than not street address errors are something other that the person entering the wrong street address. The zip code should most definitely be matched, but only the first 5 digits should be required. Very few people know the second 4 digits of their zip code.

Card Verification (CVV2, CVC, CVV, etc…) Tips:
Card code verification should be processed on every transaction. It costs nothing extra, and not using it is a poor practice at the expense of you and your customers. However, actually requiring a positive card code match is something that many would debate. Personally, I would require it on the website, validate that a card code is entered, process it, but don’t decline on a card code mismatch. It’s best to flag transactions for further review if a card code mismatch occurs. Card codes get worn off, the system often returns errors or not-available responses, and the number of declines is usually more than an acceptable or actual amount.

With either AVS or CVV, if you sell products that carry a high risk of fraud and chargebacks, have high dollar sales, or you have had problems in the past with fraud, then I would definitely require a positive match in both areas. This would include any custom products, electronics, and high dollar merchandise (>$1000), etc. Also, your processor may require a positive card code match for online transactions, and you should definitely abide in this case.

Finally:
You should always be on the lookout for card testing if you decide to show different responses for declines and errors. Blocking those IP addresses will do nothing if the person doing the testing is not in one of those ranges. If it ever becomes a problem, the numerous fraud prevention options that payment gateways have are designed to curb card testing. Whatever the case, action needs to be taken quickly to minimize the negative effects that can come from card testing.