Online merchants, including colleges and universities, face a rising tide of online payment fraud, especially “card testing” or carding attacks that exploit card-not-present transactions.
CampusGuard has recently learned of a popular higher education third-party platform that was targeted for fraudulent transactions after it failed to implement and require basic verification data.
To date, the vendor has notified only the directly affected institutions, leaving others unaware of the vulnerability. Upon further investigation, the institution also learned that neither AVS nor CVV verification tools had been deployed by the third party.
These simple fraud prevention tools provide an essential layer of defense by confirming a customer’s identity and can dramatically reduce unauthorized card use.
Understanding CVV and AVS
CVV and AVS are fundamental fraud prevention tools designed for card-not-present transactions. The Card Verification Value (CVV) is the 3- or 4-digit code on a credit card (not embossed on the card number) used to demonstrate physical possession of the card. Thieves often lack this information, depending on the source of the stolen cards.
Requiring the CVV at checkout helps verify the customer actually has the physical card in hand, blocking many fraudulent attempts. In fact, merchants require the CVV for online transactions and avoid costly chargebacks. Importantly, CVV codes must never be stored after authorization by merchants so that, even if card numbers are breached, the stolen data is less useful without the CVV.
The Address Verification System (AVS) checks the numeric portions of the buyer’s billing address (like zip code and street number) against the issuing bank’s records. This tool helps confirm that the person using the card knows the legitimate cardholder’s billing address. When paired with CVV, AVS adds another layer of assurance that a transaction is legitimate, creating a more secure, verified purchase.
While AVS isn’t foolproof (it only matches numbers and can be bypassed if fraudsters have the correct address), it is widely supported by Visa, MasterCard, Discover, and Amex and is considered a best practice for all online and mail/telephone orders.
To summarize these tools and how to use them effectively, see the table below:
| Tool | Purpose/Function | Implementation Tips |
|---|---|---|
|
Card Verification Value (CVV) |
|
|
|
Address Verification (AVS) |
|
|
|
CAPTCHA / Bot Detection |
|
|
Implementing CVV and AVS is one of the primary defenses against unauthorized card use. Accepting only transactions with verified CVV and AVS data provides the best protection for merchants.
Likewise, security professionals recommend using both tools together for every card-not-present transaction, even though it might add a slight cost (AVS) because the fraud prevention benefits far outweigh the minimal expense.
By following the recommendations above, enabling CVV/AVS, working closely with third-party providers, monitoring suspicious activity, and enforcing accountability with your vendors, your organization can significantly reduce the risk of fraud and maintain a secure online payment environment.
In the fight against cybercriminals, a few extra verification steps for users translates into a major safeguard for you. Don’t wait for a fraud event to spotlight their importance; take action now to verify that CVV and AVS are in place everywhere they should be. Your diligence will pay off in peace of mind and trust from your constituents.
CampusGuard’s Treasury Solutions team is ready to help you safeguard your data with confidence. Reach out today to learn more and take the first step toward stronger security.
