Online Fraud Prevention
Protecting revenue is vital to your business. The increase in fraudulent payment activity is one of the most critical issues facing business owners today.
There are general methods to help you prevent fraud as well as more specific tips based on how and where you accept credit card payments.
In addition to our own tips, the individual payment brands may have best practices and guidelines that may benefit your business.
Tips to Avoid Fraud in Online Transactions
Keep your transactions flowing smoothly and assist in protecting against card-not-present fraud with the help of the following products and services:
- Address Verification System (AVS)
- Card Security Verification (CSV)
- Payment Brand Data Security (PBDS)
AVS reduces the risk of accepting fraudulent transactions by verifying the cardholder's billing address against the address on file with the card issuer.
Address Verification Service (AVS) is a service provided by the payment brands that determines the match or partial match of the consumer's address information. The responses are returned to you during the authorization process via your transaction processing software/hardware, and can help determine your next action — approval, exception or decline.
| Code | Visa® | Mastercard® | Discover® | American Express® |
| --- | --- | --- | --- | --- |
| Y | Address & 5-digit or 9-digit ZIP match | Address & 5-digit ZIP match | Address only matches | Address & ZIP match |
| A | Address matches, ZIP does not | Address matches, ZIP does not | Address & 5-digit ZIP match | Address only matches |
| S | AVS not supported | AVS not supported | AVS not supported | AVS not supported |
| R | System unavailable, retry | System unavailable, retry | Not applicable | System unavailable, retry |
| U | Information not available | Information not available | System unavailable, retry | Information not available |
| Z | Either 5-digit or 9-digit ZIP match, address does not | 5-digit ZIP matches, address does not | 5-digit ZIP matches, address does not | ZIP code only matches |
| N | Neither ZIP nor address match | Neither ZIP nor address match | Neither ZIP nor address match | Neither ZIP nor address match |
| W | Not applicable | For U.S., 9-digit ZIP matches, address does not. For non-U.S., ZIP matches, address does not | Information not available | Not applicable |
| X | Not applicable | For U.S., all digits match. For non-U.S., ZIP and address match. | Address & 9-digit ZIP match | Not applicable |
| B | Address matches, ZIP not verified | Not applicable | Not applicable | Not applicable |
| T | Not applicable | Not applicable | 9-digit ZIP matches, address does not | Not applicable |
| P | ZIP matches, address not verified | Not applicable | Not applicable | Not applicable |
| C | Address and ZIP not verified | Not applicable | Not applicable | Not applicable |
| D | Address & ZIP match (International only) | Not applicable | Not applicable | Not applicable |
| G | Address not verified for International transaction (International only) | Not applicable | Not applicable | Not applicable |
| I | Address not verified (International only) | Not applicable | Not applicable | Not applicable |
| M | Address & ZIP match (International only) | Not applicable | Not applicable | Not applicable |
| F | Address & ZIP match (UK only) | Not applicable | Not applicable | Not applicable |
Card Security Verification (CSV) compares the card security value, the non-embossed 3- or 4-digit numeric code on the credit card, with the issuer's value on file. Credit card verification programs are offered by the major payment brands and are known as CVV2 (Visa), CVC2 (Mastercard), CID (American Express) and CID (Discover Card).
Card Verification Data (CVD) codes are the 3- or 4-digit codes on the back of the payment card that are used to further authenticate the consumer during a card-not-present transaction. The following are the response messages sent back to you during the authorization process, and can help determine your next action — approval, exception or decline.
| Code | Visa CVV2 | Mastercard CVC2 | Discover CVD | American Express CID |
| --- | --- | --- | --- | --- |
| M | Match | Match | Match | Not applicable |
| N | No match | No match | No match | No match |
| P | Not processed | Not processed | Not processed | Not applicable |
| S | Should have been present | Should have been present | Should have been present | Not applicable |
| U | Issuer unable to process | Issuer unable to process | Issuer unable to process | Issuer unable to process |
| Y | Not applicable | Not applicable | Not applicable | Match |
CVV2/CVC2/CVD/CID codes may vary based on processing network or equipment. If the response codes displayed on your equipment or software are not listed above, please call the technical support number provided with your processing equipment or software.
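The following added example, which is not part of the original page or of any processor's software, normalizes the AVS and CVD response codes from the two tables above per payment brand and maps them to a next action. The brand keys, the function names and the decision policy itself are assumptions for illustration; the point it shows is that the same letter (for example Y, A or U) means different things depending on the brand, so a single brand-agnostic lookup gives wrong results.

```python
from typing import NamedTuple, Optional

class Avs(NamedTuple):
    address: Optional[bool]  # True = match, False = mismatch, None = not verified
    zip: Optional[bool]
    retry: bool = False

FULL, ADDR, ZIP, NONE = Avs(True, True), Avs(True, False), Avs(False, True), Avs(False, False)
UNKNOWN, RETRY = Avs(None, None), Avs(None, None, retry=True)
COMMON = {"S": UNKNOWN, "Z": ZIP, "N": NONE}  # same meaning for all four brands

# Brand-specific codes transcribed from the AVS table; a code absent here is "Not applicable".
AVS = {
    "visa": {"Y": FULL, "A": ADDR, "R": RETRY, "U": UNKNOWN, "B": Avs(True, None),
             "P": Avs(None, True), "C": UNKNOWN, "D": FULL, "G": UNKNOWN,
             "I": UNKNOWN, "M": FULL, "F": FULL},
    "mastercard": {"Y": FULL, "A": ADDR, "R": RETRY, "U": UNKNOWN, "W": ZIP, "X": FULL},
    "discover": {"Y": ADDR, "A": FULL, "U": RETRY, "W": UNKNOWN, "X": FULL, "T": ZIP},
    "amex": {"Y": FULL, "A": ADDR, "R": RETRY, "U": UNKNOWN},
}
# Card verification codes from the CVD table, reduced to three outcomes.
CVD = {b: {"M": "match", "N": "no_match", "P": "unchecked", "S": "unchecked",
           "U": "unchecked"} for b in ("visa", "mastercard", "discover")}
CVD["amex"] = {"Y": "match", "N": "no_match", "U": "unchecked"}

def normalize_avs(brand: str, code: str) -> Avs:
    table = {**COMMON, **AVS[brand]}
    if code not in table:
        raise ValueError(f"AVS code {code!r} is not applicable for {brand}")
    return table[code]

def decide(brand: str, avs_code: str, cvd_code: str) -> str:
    """Assumed policy for illustration: approve, exception, decline or retry."""
    avs = normalize_avs(brand, avs_code)
    if cvd_code not in CVD[brand]:
        raise ValueError(f"CVD code {cvd_code!r} is not applicable for {brand}")
    cvd = CVD[brand][cvd_code]
    if cvd == "no_match" or avs == NONE:
        return "decline"
    if avs.retry:
        return "retry"
    if cvd == "match" and avs == FULL:
        return "approve"
    return "exception"  # partial match or unverified data: hold for manual review

if __name__ == "__main__":
    # Constructed inputs: the same letters mean different things per brand.
    for sample in [("visa", "Y", "M"), ("discover", "Y", "M"), ("discover", "U", "M")]:
        print(sample, "->", decide(*sample))
```

Codes that are not in the tables raise an error rather than defaulting to a match, which fits the page's advice to contact technical support when an unlisted code appears.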
Payment Brand Data Security (PBDS) provides support for your business to assist you in complying with Visa and Mastercard data security programs (CISP and SDP).
Protecting cardholder data is good for business – and it's required.
Providing customers with secure payment options not only provides them with more incentives to patronize your business – but is also your responsibility. In fact, failure to protect cardholder data could cost your company thousands of dollars in fines, in addition to loss of business.
Rest assured, as a Chase merchant, you have a team of data security experts ready to advise you, keep you informed of data security requirements and offer suggestions on how our solutions can help you meet them.
Payment Card Industry Data Security Standards
All merchants that accept electronic payment cards are required to follow the payment brands' rules to protect cardholder data, using their adopted common requirements, referred to as the Payment Card Industry Data Security Standard (PCI DSS). These provide merchants with a unified approach to safeguarding sensitive data.
These requirements range from removing sensitive card data from your payment terminals and processing systems, to implementing data security policies for your employees.
Individual Payment Brand Requirements
In addition, Visa, Mastercard and other payment brands have their own data security programs that require merchants to safeguard credit card processing data. You'll want to visit their websites to learn more about each payment brand's requirements.
Compliance Validation
Not all compliance reporting requirements are the same – they can differ based on the merchant's level, which is determined by your processing volume. Depending on your level, you may be required to validate and report your PCI DSS compliance to your acquirer. For example, merchants with higher volumes are required to work with qualified security assessors (QSAs), internal security assessors (ISAs) and approved scan vendors (ASVs). The chart below provides an overview of each reporting level.
PCI DSS Compliance Reporting
Depending on your merchant level, you may be required to submit the relevant documentation to validate and report your PCI DSS compliance to Chase and the payment brands.
It's important to keep these points in mind:
- Chase annually assigns a merchant level to each of our merchants, as is required by the payment brands. These levels are based on the number of transactions a merchant processes in a one-year period within a single payment brand.
- The payment brands set their own levels. For example, while Visa and Mastercard levels are generally the same, American Express uses a separate set of criteria for establishing merchant levels and has different reporting requirements.
- Each payment brand establishes its own criteria to determine merchant validation deadlines.
| Merchant Level | Criteria | Requirements |
| --- | --- | --- |
| 1 | Over 6 million Visa or Mastercard transactions in a 12-month period | |
| 2 | Between 1 and 6 million Visa or Mastercard transactions in a 12-month period | |
| 3 | Between 20,000 and 1 million Visa or Mastercard e-commerce transactions in a 12-month period | |
| 4 | Less than 20,000 e-commerce or less than 1 million transactions with one card brand in a 12-month period | |