The nexus between privacy and the functioning of the electronic transaction payment space continues to increase. This article will address the current state of the Address Verification Services (AVS) within the context of the electronic payment system and the impact of the California Supreme Court's decision in the Pineda v Williams-Sonoma case.


On February 10, 2011, the California Supreme Court ruled in the case of Pineda v Williams-Sonoma (CA Supreme Court S178241) that a zip code was considered personal identification information (PII). The court held that in this case, a violation of the Song-Beverly Credit Card Act of 1971 occurred. Violation of this act may lead to penalties of up to $1,000 per incident.


The Song-Beverly Credit Card Act (California Civil Code section 1747 et seq.) was designed to protect consumer privacy. The act places limits on retailers’ abilities to request or record personal information when dealing with credit card transactions. Civil Code § 1747.08 (a) provides in pertinent part that retailers shall NOT do any of the following:


(1) Request, or require as a condition to accepting the credit card as payment in full or in part for goods or services, the cardholder to write any personal identification information upon the credit card transaction form or otherwise.


(2) Request, or require as a condition to accepting the credit card as payment in full or in part for goods or services, the cardholder to provide personal identification information, which the person, firm, partnership, association or corporation accepting the credit card writes, causes to be written or otherwise records upon the credit card transaction form or otherwise.


(3) Utilize, in any credit card transaction, a credit card form which contains preprinted spaces specifically designated for filling in any personal identification information of the cardholder.


There are exceptions to the above under Civil Code § 1747.08(c); however, the California Supreme Court, in reversing the decision of both the trial court and the Court of Appeal, ruled that zip codes are readily understood to be part of a person's address, therefore falling within the scope of the law. The court also specified that the zip code in this instance was unnecessary for the transaction and could be used with other information, such as the name, to locate the address of the individual.


The Address Verification Services offer a fast, efficient and economical way to validate Visa, MasterCard, American Express and Discover credit card transactions. The service works by electronically checking the numeric portion of the physical address associated with the authorized cardholder on file with the issuing financial institution. This physical address is inclusive of the five- or nine-digit zip code. The data check response helps merchants score and therefore decide whether to proceed with the electronic payment transaction both in the card-not-present and the card-present environments.


AVS matches vary by card type, e.g. MasterCard, Visa, American Express and Discover. The presence of an AVS match also varies depending on whether the issuing financial institution is located in the United States and, if it is, whether the issuing financial institution participates in the program. Therefore, AVS does not provide 100-percent coverage in any circumstance.


With the above said, the five-digit or nine-digit zip code plays an integral part in the ability of the system to report a match event. A full match for any of the brands includes the numerical match of both the street address and five-digit zip code—match return code “Y.” For MasterCard, a match of the numerical street address plus the nine-digit zip code results in a returned match code “X.”


Three types of partial match codes are present; these are known as match return codes “A,” “W” or “Z.” The “A” partial match code is defined as a street numerical match but a non-match with either the five-digit or nine-digit zip code under the rules of MasterCard, Visa, American Express or Discover. The “W” partial match has a failure of the street numerical address but a match of the nine-digit zip code under the rules of MasterCard and Discover. The “Z” partial match has a failure of the street numerical address but a match of the five-digit zip code under the rules of MasterCard, Visa, American Express and Discover.


A return code “N,” for no match, is defined as a failure of all three elements to match: the numerical street address, the five-digit zip code and the nine-digit zip code. There are also a number of return codes that are used for technical reasons, including a United States issuing bank not supporting the AVS.
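The match codes described above can be expressed as a small classifier. This is an added example, not code from any card brand or processor; the function names and the sample addresses are constructed for illustration, and the technical return codes (such as an issuer not supporting AVS) are not modeled.

```python
import re

# Brand rules as the article describes them: "X" applies to MasterCard only,
# "W" applies to MasterCard and Discover only.
NINE_DIGIT_FULL = {"mastercard"}
NINE_DIGIT_PARTIAL = {"mastercard", "discover"}


def street_number(address):
    """Leading numeric portion of a street address, the part AVS compares."""
    m = re.match(r"\s*(\d+)", address)
    return m.group(1) if m else ""


def zip_digits(zip_code):
    """Digits of a ZIP or ZIP+4, or '' if it is not 5 or 9 digits long."""
    digits = re.sub(r"\D", "", zip_code)
    return digits if len(digits) in (5, 9) else ""


def avs_code(brand, on_file, supplied):
    """AVS match code for (street address, zip) pairs: issuer record vs. input."""
    brand = brand.lower()
    num_file, num_sup = street_number(on_file[0]), street_number(supplied[0])
    street_ok = bool(num_file) and num_file == num_sup
    zip_file, zip_sup = zip_digits(on_file[1]), zip_digits(supplied[1])
    zip5_ok = bool(zip_file) and bool(zip_sup) and zip_file[:5] == zip_sup[:5]
    zip9_ok = len(zip_file) == 9 and zip_file == zip_sup
    if street_ok:
        if zip9_ok and brand in NINE_DIGIT_FULL:
            return "X"                      # street + nine-digit zip
        return "Y" if zip5_ok else "A"      # full match, or street only
    if zip9_ok and brand in NINE_DIGIT_PARTIAL:
        return "W"                          # nine-digit zip only
    return "Z" if zip5_ok else "N"          # five-digit zip only, or nothing


# Constructed issuer record (not real cardholder data).
ON_FILE = ("1600 Sample Ave", "94105-1234")

if __name__ == "__main__":
    for brand, supplied in [("visa", ("1600 Sample Avenue", "94105")),
                            ("discover", ("22 Other St", "941051234"))]:
        print(brand, supplied, "->", avs_code(brand, ON_FILE, supplied))
```

Only the leading street number and the zip digits are compared, so "Ave" versus "Avenue" does not affect the result.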


In addition, each of the card brands (MasterCard, Visa, American Express and Discover) offers an automated call-in authorization service to validate AVS. The merchant may call the automated system; it will ask the merchant for the credit card number, then the first four numbers of the cardholder’s address and the zip code. Then, it will give the merchant a response as to whether the address and zip code match the card number. Because this is an automated system, there is virtually no hold time. Again, this calls into question the entire process because of the need of the merchant to have the zip code.


The risks to the merchant and the financial system of not using AVS are real and significant. When a merchant accepts credit card transactions, the merchant also accepts financial liability for the transaction. This means that the dollar value of the transaction may be “charged back” to the merchant. Add to this the cost to process the transaction plus the loss of merchandise, and it’s easy to see the potential financial impact to a company’s bottom line. AVS helps the merchant avoid accepting potentially inappropriate transactions.


To understand the impact of AVS on chargeback rates, Visa analyzed the activities of two comparable merchants. Each processed several million Visa transactions annually and each had sophisticated risk-management systems in place, but with one key difference—one merchant had been using AVS for a year and the other had not. The chargeback rate for the merchant using AVS was six times lower than the merchant not using AVS and more than eight times lower than the industry average. Analysis of the merchant’s fraud and chargeback performance before and after the AVS revealed that, as a result of AVS, the merchant’s fraud losses were cut by more than half; its fraud-related chargebacks dropped by more than 60 percent, and its chargeback processing costs declined by more than 80 percent.


The implications of Pineda v Williams-Sonoma as it relates to the future functioning of the AVS system are draconian. It has already been suggested by various legal authorities that merchants should refrain from the acquisition of five- or nine-digit zip codes without specific notification and permission. In addition to the direct impact on the AVS system, it is not inconceivable that this ruling could affect various other security measures within the electronic payment space, including Card Verification Values (CVV).


One potential resolution to this could be using the available discretionary space on Track 1 and Track 2 of a magstripe to hold zip code information.