When processing credit card transactions a credit card number, the customer's name, address and the amount to process are sent to the issuing bank. Over the past few years credit card companies have added extra numbers to their cards for security called "security codes" or "CVV codes." The CVV code is different on every card issued even if the account number is the same. Because of the new code, banks are requesting that information is sent with transactions.

The bank sends a response message with a generic Sucess/Failure and then some more detailed information. Two of those additional fields are the Address Verification (AVS) response and CVV response. This tells the requesting program if the address matches the one on file (and how closely) and if the CVV code was correct.

However, the current processing standard does not decline transactions if the address and CVV code aren't correct. The responses are only information for the requesting application. Some credit card gateways like Authorize.net can automatically send a Failure response to applications based on CVV settings but the transaction at the bank is not automatically cancelled. Smart gateways will send a "VOID" transaction to cancel any charges if they are failing on CVV codes but not all do. Also, the gateway may not be able to cancel authorizations/holds on the card. This can cause trouble when a customer tries several times to process a card that fails. They may end up with duplicate holds on their account even though no actual charges have been made. Very confusing!