AVS and CVC Validation is a feature that is enabled with your payment processor. Givecloud receives AVS and CVC validation information from your payment processor and can display that information on your Givecloud reports and screens to help you make informed decisions.
What is AVS Validation?
AVS stands for Address Verification Service. At the time of payment, the bank will compare the address on file with the address being used to pay and return that status to your payment gateway and Givecloud. Depending on the settings you've configured with your payment gateway, the transaction may or may not be rejected.
What is CVC Validation?
CVC is the 3-digit (4-digit for Amex) security code on the back of your credit card. At the time of payment, the bank will compare the CVC it knows is on the back of the card with the CVC being used to pay and return that status to your payment gateway and Givecloud. Then, depending on the settings you've configured with your payment gateway, the transaction may or may not be rejected.
What is GeoIP?
Givecloud can compare the IP address of the computer being used to make a payment against a database of IP addresses to determine its location. This can help identify someone trying to use a card from a different country than the country the credit card is registered to.
Does AVS / CVC verification happen on every payment?
No. There are a handful of times where the AVS / CVC checks do not run.
When a recurring donation is set up with no initial payment, the AVS / CVC verification will not run because the card is not immediately charged. So, in this case, you won't get AVS feedback until the first recurring payment. Further, CVC will always fail because the donor's CVC is never stored (due to PCI Compliance).
There will be some instances where the bank will not be able to verify the address. In those scenarios, the AVS check will return 'Unavailable' or 'Unchecked' and display in Givecloud as either No Address or Not Available.
Why don't I force all AVS / CVC / GeoIP failures always to decline?
You have that option. Contact your payment processor if you'd like to enable that. However, it's relatively common for people to misspell their address, which could cause big problems when your legitimate donors want to donate. Further, you can't process recurring donations with CVC codes (PCI compliance prohibits you from saving the CVC codes of your supporters). Therefore, requiring a valid CVC on all transactions isn't an option for those processing recurring donations, and it's not possible to require CVC for some payments and not others. It's all or nothing.
Using the Risk Indicators
AVS/CVC/GeoIP Indicators for Incoming Payments
Any contribution with a failed AVS/CVC/GeoIP check will be highlighted in yellow in your contribution list.
Once you open the contribution, more information will display about the nature of the AVS/CVC failure. For example, if there was an AVS failure, you'd see that next to the address used to pay. If there was a CVC failure, you'd see that next to the payment method. In both cases, a clear warning displays, letting you know an AVS/CVC failure of some kind has taken place.
AVS/CVC Validation for Payments Report
The payments report (Contributions > Payments) has an additional column and filter for Verification. Use this to see the AVS/CVC status of any payment.
What do I do when I see an AVS/CVC/GeoIP risk indicator?
It's entirely up to you. Use your best judgement to determine whether to let the donation remain or to refund the payment. Note: your ability to refund a potentially fraudulent payment may be limited depending on the processor you are using. Some processors require you to wait 24-48 hours before you can refund.
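One way to apply the indicators consistently when reviewing many payments is sketched below. This is an added example, not Givecloud code; the field names, status strings and the "two or more failures" policy are assumptions made for illustration. It treats an AVS result the bank could not check as informational, and it ignores the CVC result on recurring charges because the CVC is never stored.

```python
from dataclasses import dataclass

# Hypothetical status strings and field names, chosen for this example only;
# they are not Givecloud's or any payment gateway's actual export format.
AVS_NOT_CHECKED = {"unavailable", "unchecked"}

@dataclass
class Payment:
    ref: str
    avs: str            # "match", "mismatch", "unavailable", "unchecked"
    cvc: str            # "match", "mismatch", "not_provided"
    card_country: str   # country the card is registered to
    ip_country: str     # country from the GeoIP lookup ("" if no donor IP)
    recurring: bool     # True for a scheduled charge on a stored card

def risk_flags(p: Payment) -> list[str]:
    """Return the indicators on a payment that deserve a human look."""
    flags = []
    # An address the bank could not verify is missing data, not a mismatch.
    if p.avs.lower() == "mismatch":
        flags.append("avs_mismatch")
    elif p.avs.lower() in AVS_NOT_CHECKED:
        flags.append("avs_not_checked")
    # The CVC is never stored, so a recurring charge cannot pass the CVC
    # check; only count a CVC failure when the donor entered the code.
    if p.cvc.lower() != "match" and not p.recurring:
        flags.append("cvc_failed")
    if p.ip_country and p.card_country.upper() != p.ip_country.upper():
        flags.append("geoip_country_mismatch")
    return flags

def triage(p: Payment) -> str:
    """Assumed policy: one hard failure -> review, two or more -> refund review."""
    hard = [f for f in risk_flags(p) if f != "avs_not_checked"]
    if len(hard) >= 2:
        return "review_for_refund"
    return "review" if hard else "ok"

# Constructed sample payments, not real data.
SAMPLES = [
    Payment("P-1", "match", "match", "CA", "CA", False),
    Payment("P-2", "unavailable", "not_provided", "US", "", True),
    Payment("P-3", "mismatch", "mismatch", "US", "FR", False),
    Payment("P-4", "mismatch", "match", "GB", "GB", False),
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(p.ref, triage(p), risk_flags(p))
```

The final decision on each flagged payment still rests with the person reviewing it; the thresholds here are only a starting point to adjust.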