General
-------

Pungle uses a number of APIs provided by the networks to perform fraud prevention checks, including CVV, AVS, Watchlist and 3DS.

Process Flow
------------

The following describes the steps and the decision flows for the tokenization service.

1.  Card token requested
2.  Pungle calls the networks' Fraud API services
3.  Pungle receives AVS and CVV result data and stores it.
4.  Pungle runs logic to decide the risk level based on the AVS and CVV data. Store risk level.
5.  Pungle runs logic to decide which Fraud Rule (allow, review or block) is triggered by the assigned risk level.

References
----------

Legend:  (A = Accept, D = Decline)

### Address Verification (AVS)

|     |     |     |     |     |     |
| --- | --- | --- | --- | --- | --- |
| **Code** | **Result** | **Description** | **Code** | **Description** | **Result** |
| A   | Pass | The street addresses match but the postal/ZIP codes do not, or the request does not include the postal/ZIP code. | P   | Postal/ZIP codes match. Acquirer sent both postal/ZIP code and street address, but street address not verified due to incompatible formats. | Pass |
| B   | Pass | Street addresses match, but postal/ZIP code not verified due to incompatible formats. (Acquirer sent both street address and postal/ZIP code.) | R   | Retry: System unavailable or timed out. Issuer ordinarily performs address verification but was unavailable.  <br>V.I.P. uses code R when issuers are unavailable. Issuers should refrain from using this code. | Fail |
| C   | Fail | Street address and postal/ZIP code not verified due to incompatible formats. (Acquirer sent both street address and postal/ZIP code.) | S   | Not applicable. If present, V.I.P. replaces it with U or with G. | Unchecked |
| D   | Pass | Street addresses and postal/ZIP codes match. | U   | Address not verified for domestic transaction. Address not verified for international transaction. Issuer is not an AVS participant, or AVS data was present in the request but issuer did not return an AVS result, or V.I.P. performed address verification on behalf of the issuer and there was no address record on file for this account. | Unchecked |
| F   | Pass | Street addresses and postal codes match. Applies to U.K.-domestic transactions only. | W   | Not applicable. If present, V.I.P. replaces it with Z. Available for U.S. issuers only. | Pass |
| G   | Fail | Address not verified for international transaction. Issuer is not an Address Verification Service (AVS) participant, or AVS data was present in the request but issuer did not return an AVS result, or V.I.P. performed address verification on behalf of the issuer and there was no address record on file for this account. | X   | Not applicable. If present, V.I.P. replaces it with Y. Available for U.S. issuers only. | Pass |
| I   | Fail | Address information not verified. | Y   | Street address and postal/ZIP match. | Pass |
| M   | Pass | Street addresses and postal/ZIP codes match. | Z   | Postal/ZIP match, street addresses do not match or street address not included in request. | Pass |

### CVV

|     |     |     |   
| --- | --- | --- | 
| **Code** | **Result** | **Description** |     
| M   | Pass | CVV2 Match. Indicates that the Funds Transfer API or the issuer was able to verify the CVV2 value provided by the merchant. |     
| N   | Fail | CVV2 No Match. Indicates that the Funds Transfer API or the issuer was not able to verify the CVV2 value provided by the merchant. |     
| P   | Fail | Not processed. Indicates that the Funds Transfer API or the issuer was unable to verify the CVV2 value provided by the merchant because either their verification system was not functioning, or not all of the information needed to verify the CVV2 value (such as the expiration date) was included in the request. |     
| S   | Fail | CVV2 should be on the card. Indicates that the Funds Transfer API or the issuer was unable to perform CVV2 verification, and notifies the merchant that the card should contain a CVV2 value. |     
| U   | Unchecked | Issuer does not participate in CVV2 service, or participates but has not provided Visa with encryption keys, or both. Indicates that the issuer is not participating in the CVV2 service, or has not provided Visa with encryption keys needed to perform verification, or that STIP has responded to an issuer-unavailable response. |     
|     |     |     | 

|     |
| --- |
| **AVS and CVV rules only apply to first time transactions and will not be applied to recurring payments or any transactions created using credit cards stored in the Vault.** |