Protecting revenue is vital to your business. The increase in fraudulent payment activity is one of the most critical issues facing business owners today.

There are general methods to help you prevent fraud as well as more specific tips based on how and where you accept credit card payments.

In addition to our own tips, the individual payment brands may have best practices and guidelines that may benefit your business.

Tips to Avoid Fraud in Online Transactions

Keep your transactions flowing smoothly and assist in protecting against card-not-present fraud with the help of the following products and services:

Address Verification Service (AVS)

Reduces the risk of accepting fraudulent transactions by verifying the cardholder's billing address, which is on file with the card issuer.

Address Verification Service (AVS) is a service provided by the payment brands that determines the match or partial match of the consumer's address information. The responses are returned to you during the authorization process via your transaction processing software/hardware, and can help determine your next action—approval, exception or decline.

| Code | Visa | MasterCard | Discover | American Express |
|------|------|------------|----------|------------------|
| Y | Address & 5-digit or 9-digit ZIP match | Address & 5-digit ZIP match | Address only matches | Address & ZIP match |
| A | Address matches, ZIP does not | Address matches, ZIP does not | Address & 5-digit ZIP match | Address only matches |
| S | AVS not supported | AVS not supported | AVS not supported | AVS not supported |
| R | System unavailable, retry | System unavailable, retry | Not applicable | System unavailable, retry |
| U | Information not available | Information not available | System unavailable, retry | Information not available |
| Z | Either 5-digit or 9-digit ZIP match, address does not | 5-digit ZIP matches, address does not | 5-digit ZIP matches, address does not | ZIP code only matches |
| N | Neither ZIP nor address match | Neither ZIP nor address match | Neither ZIP nor address match | Neither ZIP nor address match |
| W | Not applicable | For U.S., 9-digit ZIP matches, address does not. For non-U.S., ZIP matches, address does not | Information not available | Not applicable |
| X | Not applicable | For U.S., all digits match. For non-U.S., ZIP and address match. | Address & 9-digit ZIP match | Not applicable |
| B | Address matches, ZIP not verified | Not applicable | Not applicable | Not applicable |
| T | Not applicable | Not applicable | 9-digit ZIP matches, address does not | Not applicable |
| P | ZIP matches, address not verified | Not applicable | Not applicable | Not applicable |
| C | Address and ZIP not verified | Not applicable | Not applicable | Not applicable |
| D | Address & ZIP match (International only) | Not applicable | Not applicable | Not applicable |
| G | Address not verified for International transaction (International only) | Not applicable | Not applicable | Not applicable |
| I | Address not verified (International only) | Not applicable | Not applicable | Not applicable |
| M | Address & ZIP match (International only) | Not applicable | Not applicable | Not applicable |
| F | Address & ZIP match (UK only) | Not applicable | Not applicable | Not applicable |


Card Security Verification (CSV) 

Compares the card security value, the non-embossed 3- or 4-digit numeric code on the credit card, with the issuer's value on file. Credit card verification programs are offered by the major payment brands and are known as CVV2 (Visa), CVC2 (MasterCard), CID (American Express) and CID (Discover Card).

Card Verification Data (CVD) codes are the three or four-digit codes on the back of the payment card that are used to further authenticate the consumer during a card-not-present transaction. The following are the response messages sent back to you during the authorization process, and can help determine your next action—approval, exception or decline.

| Code | Visa CVV2 | MasterCard CVC2 | Discover CVD | American Express CID |
|------|-----------|-----------------|--------------|----------------------|
| M | Match | Match | Match | Not applicable |
| N | No match | No match | No match | No match |
| P | Not processed | Not processed | Not processed | Not applicable |
| S | Should have been present | Should have been present | Should have been present | Not applicable |
| U | Issuer unable to process | Issuer unable to process | Issuer unable to process | Issuer unable to process |
| Y | Not applicable | Not applicable | Not applicable | Match |

CVV2/CVC2/CVD/CID codes may vary based on processing network or equipment. If the response codes displayed on your equipment or software are not listed above, please call the technical support number provided with your processing equipment or software.
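
The same response letter can mean different things depending on the payment brand (for example, AVS code Y is a full match on Visa but an address-only match on Discover), so rules should act on the normalized meaning rather than the raw letter. The following is an added example, not code from this page or from any payment brand: it covers a subset of the AVS codes above (Y, A, Z, N, R, U, S, W, X, T), and the approve/exception/decline policy in `next_action` is a hypothetical merchant policy.

```python
# AVS meanings transcribed from the AVS table above (subset of codes only).
# Outcomes: full, addr (address only), zip (ZIP only), none, retry, unknown.
COMMON = dict(Y="full", A="addr", Z="zip", N="none",
              R="retry", U="unknown", S="unknown")
AVS = {
    "visa": dict(COMMON),
    "mastercard": dict(COMMON, W="zip", X="full"),
    # Discover differs: Y is address-only, A is a full match, U means retry,
    # and R is "Not applicable", so it is left out and reported as unlisted.
    "discover": dict(Y="addr", A="full", Z="zip", N="none", U="retry",
                     S="unknown", W="unknown", X="full", T="zip"),
    "amex": dict(COMMON),
}

# Card security code meanings from the second table above.
# American Express reports a match as Y; M, P and S are "Not applicable" there.
CVV_COMMON = dict(M="match", N="no_match", P="unverified",
                  S="unverified", U="unverified")
CVV = {
    "visa": CVV_COMMON,
    "mastercard": CVV_COMMON,
    "discover": CVV_COMMON,
    "amex": dict(Y="match", N="no_match", U="unverified"),
}


def normalize(brand, avs_code, cvv_code):
    """Translate raw response letters into brand-independent outcomes."""
    avs = AVS[brand].get(avs_code.upper(), "unlisted")
    cvv = CVV[brand].get(cvv_code.upper(), "unlisted")
    return avs, cvv


def next_action(brand, avs_code, cvv_code):
    """Hypothetical policy (an assumption, not the page's): pick the next step."""
    avs, cvv = normalize(brand, avs_code, cvv_code)
    if cvv == "no_match" or avs == "none":
        return "decline"      # a definite mismatch outweighs everything else
    if avs == "retry":
        return "retry"        # issuer system unavailable, resubmit later
    if avs == "full" and cvv == "match":
        return "approve"
    return "exception"        # partial, unverified or unlisted: manual review
```

Codes that are not in the maps come back as `unlisted` and fall through to manual review instead of being silently approved.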

Payment Brand Data Security (PBDS)

Support for your business to assist you in complying with Visa® and MasterCard® data security programs (CISP and SDP).


Protecting Cardholder Data is Good for Business – and It's Required

Providing customers with secure payment options not only gives them more incentive to patronize your business, it is also your responsibility. In fact, failure to protect cardholder data could cost your company thousands of dollars in fines, in addition to loss of business.

Rest assured, as a Chase merchant, you have a team of data security experts ready to advise you, keep you informed of data security requirements and offer suggestions on how our solutions can help you meet them.

Payment Card Industry Data Security Standards

All merchants that accept electronic payment cards are required to follow the payment brands' rules to protect cardholder data, using their adopted common requirements, referred to as the Payment Card Industry Data Security Standards (PCI DSS). These provide merchants with a unified approach to safeguarding sensitive data.

These requirements range from removing sensitive card data from your payment terminals and processing systems, to implementing data security policies for your employees.

Individual Payment Brand Requirements

In addition, Visa®, MasterCard® and other payment brands have their own data security programs that require merchants to safeguard credit card processing data. You'll want to visit their websites to learn more about each payment brand's requirements.

Compliance Validation

Not all compliance reporting requirements are the same – they can differ based on the merchant's level, which is determined by your processing volume. Depending on your level, you may be required to validate and report your PCI DSS compliance to your acquirer. For example, merchants with higher volumes are required to work with qualified security assessors (QSAs), internal security assessors (ISAs) and approved scan vendors (ASVs). The chart below provides an overview of each reporting level.

PCI DSS Compliance Reporting

Depending on your merchant level, you may be required to submit the relevant documentation to validate and report your PCI DSS compliance to Chase and the payment brands.

It's important to keep these points in mind:

  • Chase annually assigns a merchant level to each of our merchants, as is required by the payment brands. These levels are based on the number of transactions a merchant processes in a one-year period within a single payment brand.
  • The payment brands set their own levels. For example, while Visa and MasterCard levels are generally the same, American Express uses a separate set of criteria for establishing merchant levels and has different reporting requirements.
  • Each payment brand establishes its own criteria to determine merchant validation deadlines.

Merchant Level 1

Criteria: Over 6 million Visa or MasterCard transactions in a 12-month period

Requirements:

  • Onsite Assessment and Report on Compliance (ROC) performed by QSA or ISA
  • Quarterly network scans by ASV

Merchant Level 2

Criteria: Between 1 and 6 million Visa or MasterCard transactions in a 12-month period

Requirements:

  • Onsite Assessment and either a ROC or Self-Assessment Questionnaire (SAQ) completed by QSA or ISA
  • Quarterly network scans by ASV

Merchant Level 3

Criteria: Between 20,000 and 1 million Visa or MasterCard ecommerce transactions in a 12-month period

Requirements:

  • Self-Assessment Questionnaire (SAQ)
  • Quarterly network scans

Merchant Level 4

Criteria: Less than 20,000 ecommerce or less than 1 million transactions with one card brand in a 12-month period

Requirements:

  • Self-Assessment Questionnaire (SAQ)
  • Quarterly network scans
  • Submission to acquirer not mandatory