Electronic Clearing House, Inc.
REVERBERATIONS
May 2007
Vol. XII No. 5
Fail to use AVS? Could be a Very Big Mess
We want you to be aware of the importance of using the AVS (Address Verification Service). AVS is
a fraud prevention tool that validates a cardholder's address that is provided in a transaction
against the information in the card issuer's records. This service is usually required as part of
the credit card authorization process for transactions that take place via mail order, telephone
order, and the Internet.

We've had merchants who have learned painful and costly lessons about failing to use AVS. One in
particular wrongly assumed that she didn't need to bother with AVS since it does not work on foreign
orders. She learned, after it was too late, that the cards used in the transactions were all American
based and all fraudulent. With $90,000 in goods already shipped to several foreign countries, this
merchant lost both the money and the products she shipped.

This situation highlights the importance of using AVS (and of using caution when choosing to ship
foreign orders). AVS would have alerted this merchant of two possibilities:
1) The card was a U.S. issued card or,
2) The card was a foreign issued card (code G).

If you get an AVS response code other than X or Y on a domestically issued card, you need to
cautiously proceed with the transaction. If you get a code A, W, or Z, you have a partial address
match and should call the customer to resolve the discrepancy. When you get a code N, this is a
warning that nothing in the address matches. If you get a G (international customer) or a U, this
tells you that the issuing bank does not support AVS. (See chart below).

Please be aware that if the AVS shows a "no match," it is up to you to decline the transaction.
ECHO does not automatically stop these types of transactions. Please use discretion, especially
with foreign orders.
One More Month to Share the Love.
Tell a Friend About ECHO and Earn $100!
We are extending our April promotion and doubling our referral fee of $50 for one more month. If
you refer a merchant to us and that merchant activates an account for either credit card or check
processing, we will pay you $100. You will receive $50 when the account is activated, and then $50
more after your referral's third month of processing. You even have a choice of how you are paid.
We can give you a $50 check or a $50 gift card to either Burlington Coat Factory or GAP. Not only
will you earn some extra cash, but your colleagues will thank you for setting them up with quality
payment processing.

AVS Return Codes
FULL MATCH:
X  All digits of address and ZIP match (9-digit ZIP)
Y  All digits of address and ZIP match (5-digit ZIP)
D  Street address and postal code match
M  Street address and postal code match
PARTIAL MATCH:
A  Address matches, ZIP does not
B  Street address match. Postal code not verified because of incompatible formats
P  Postal code match. Street address not verified because of incompatible formats
W  9-digit ZIP matches; address does not
Z  5-digit ZIP matches, address does not
NO SUPPORT:
C  Street address and postal code could not be verified due to incompatible formats
G  Issuer unavailable or AVS not supported (non-US Issuer)
I  Address information not verified for international transaction
R  Retry; system is currently unable to process
S  Card issuer does not support AVS
U  Issuer unavailable or AVS not supported (US Issuer)
E  ECHO received an invalid response from the issuer
NO MATCH:
N  Nothing matches
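The AVS guidance and return-code chart above, as an added example (not ECHO's code): a pre-shipment gate that turns each AVS return code into an action, since a "no match" is not stopped automatically. The action labels, the extra flag on unverified foreign shipments, and the sample orders are assumptions constructed for illustration.

```python
# Added example. Code groups follow the newsletter's chart; the action labels
# (SHIP, REVIEW, RETRY, DECLINE) and the sample orders are assumptions.
AVS_GROUPS = {"FULL": "XYDM", "PARTIAL": "ABPWZ",
              "NO_SUPPORT": "CGIRSUE", "NO_MATCH": "N"}
CODE_TO_GROUP = {c: g for g, codes in AVS_GROUPS.items() for c in codes}


def screen_order(avs_code, ship_country, home_country="US"):
    """Return (action, reason) for one order before anything is shipped."""
    code = (avs_code or "").strip().upper()
    foreign = ship_country.strip().upper() != home_country
    group = CODE_TO_GROUP.get(code)
    if group is None:
        # AVS skipped or response unreadable: never ship without a result.
        return "REVIEW", "no usable AVS result"
    if group == "NO_MATCH":
        # The processor does not stop these; the merchant must.
        return "DECLINE", "nothing in the address matches"
    if code == "R":
        return "RETRY", "AVS temporarily unable to process"
    if group == "FULL":
        return "SHIP", "address and ZIP/postal code match"
    if group == "PARTIAL":
        return "REVIEW", "partial match: call the customer"
    if foreign and code != "G":
        # Not reported as a non-US issuer, yet shipping abroad unverified.
        return "REVIEW", "AVS unverified on a foreign shipment"
    return "REVIEW", "issuer does not support AVS"


def exposure_by_action(orders):
    """Total order value (whole dollars) per action across a batch."""
    totals = {}
    for _order_id, avs_code, ship_country, amount in orders:
        action, _reason = screen_order(avs_code, ship_country)
        totals[action] = totals.get(action, 0) + amount
    return totals


# Constructed sample batch: (order id, AVS code, ship-to country, dollars)
SAMPLE_ORDERS = [
    ("1001", "Y", "US", 250), ("1002", "N", "GB", 4200),
    ("1003", "Z", "US", 90), ("1004", "G", "FR", 600),
    ("1005", "U", "BR", 3100), ("1006", "", "DE", 1800),
    ("1007", "R", "US", 75),
]

if __name__ == "__main__":
    print(exposure_by_action(SAMPLE_ORDERS))
```

Only the SHIP total leaves the warehouse without a person looking at it; an order with no AVS code at all is held rather than treated as a pass.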
Electronic Clearing House, Inc.
730 Paseo Camarillo
Camarillo, California 93010
1-805-419-8700
www.echo-inc.com
What is the PCI Self-Assessment Questionnaire (SAQ) And How Do I Use It?
As mentioned in previous Reverberations, PCI is the shorthand term used for Payment Card Data Security
Requirements that all businesses accepting payment cards are required to follow. The Self-Assessment
Questionnaire (SAQ) is a tool that must be used annually to ensure that your business operations are in
compliance with the PCI security standards. (The largest businesses, those processing 6 million transactions
or more annually, are required to do an annual on-site security audit!)
Here are some common questions about the SAQ process.
1. Where do I get a Self-Assessment Questionnaire?
One can be obtained from a variety of sources, including approved PCI scanning vendors, and can
be downloaded for free from https://www.pcisecuritystandards.org/tech/supporting_documents.htm.
ComplyGuard Networks, one of many approved PCI scanning vendors, offers an on-line version of this
form for $49 which can be completed on-line and printed when completed. For more information,
please visit www.echo-inc.com/pci and click the "Become PCI Compliant" graphic in the upper right
corner of the web page.
2. If I have questions while filling out the SAQ, who should I call?
You may call ECHO Security Department at 1-800-262-3246, ext. 6, or you may consult with an
approved PCI scanning vendor. A list of the vendors can be found on the above ECHO PCI web
page, or by visiting the PCI Security Standards Council website listed above and clicking "Resources"
from the drop-down menu.
3. Once I'm done with the SAQ, do I need to turn it in to someone?
Yes, if you printed out and completed the SAQ from the PCI web site, you should fax it to ECHO
Security Department at (805) 419-8680.
4. If I turn in the SAQ, do I get any kind of response or certification letter?
Typically, no response is given unless the ECHO Security Department has questions about the results.
In addition, no certification letter will be sent. Completing just the SAQ will not certify your business
as being PCI compliant. In order to be certified compliant and receive a certification letter, you must
complete and successfully pass both the SAQ and a quarterly network vulnerability scan. To become
certified PCI compliant, please visit www.echo-inc.com/pci and click the "Become PCI Compliant"
graphic in the upper right corner of the web page.
5. If I don't do the SAQ, what will happen?
Fines may result if you are ever audited for PCI compliance and cannot produce the completed
SAQ.
In case you are feeling overwhelmed by all these new requirements, remember what is at stake. Consumers
need to feel secure when making payment choices and at the point that they no longer feel secure, it could
have a devastating effect on commerce. With the increase in identity theft and security breaches, these
guidelines have been put in place to ensure the protection of cardholder data.
For more information on PCI compliance and a list of approved scanning vendors, please call ECHO
Security at 800-262-3246, ext. 6.
ECHO merchants process on the Electronic Clearing House, Inc. (ECHO) network. ECHO is a publicly owned company trading on NASDAQ under
the symbol "ECHO". ECHO provides thousands of merchants with reliable processing of bank cards and checks. Merchants are sponsored by FIRST
REGIONAL BANK, Agoura Hills, CA (800-777-0929). Member FDIC.