CVC, AVS, and 3DS Explained: How Stripe’s Security Checks Actually Work (and Why They’re Not Enough)

Jan 6, 2026

Stripe gives you multiple layers of card security: CVC, AVS, and 3D Secure.
On paper, that sounds more than enough.

Yet many merchants still see fraud coming from fully approved payments — not from obvious failures.

This isn’t because these checks are weak.
It’s because most teams misunderstand how Stripe actually treats them by default.

In this post, we’ll break down how CVC, AVS, and 3DS really work in Stripe, where their limitations are, and why relying on them alone still leaves gaps — the kind that lead to Ghost Transactions.


The False Assumption: “Stripe Approved It, So It Must Be Safe”

One belief shows up again and again when we talk to teams:

“If Stripe approved the payment, the checks must have passed.”

That’s not how Stripe works.

Stripe gives you signals, not decisions.
What you do with those signals depends entirely on your Radar configuration.

GhostAudit was built after seeing this pattern repeatedly: payments that look clean in the dashboard, but quietly bypassed critical checks like CVC, AVS, or 3D Secure.


What CVC Actually Does (and Doesn’t)

CVC (also called CVV) is the short numeric code printed on the card. When a customer enters it, Stripe sends it to the card issuer during authorization.

The issuer returns a cvc_check result such as:

  • pass
  • fail
  • unchecked

Stripe correctly describes CVC as a key signal for detecting fraud.

But here’s the part many teams miss:

A failed CVC does not automatically block a payment.

Stripe explicitly notes that “a charge can still be approved by the customer’s bank, even if the CVC or ZIP code (AVS) check fails,” unless you have a rule that blocks it.

CVC is a signal — not a safeguard.


How AVS Works in Practice

AVS (Address Verification Service) compares the billing address entered by the customer with what the card issuer has on file, especially the postal code.

In Stripe, AVS results appear as fields like:

  • address_line1_check
  • address_postal_code_check

These signals are extremely useful for fraud detection.
They are also commonly ignored.

Just like CVC:

  • AVS failures don’t block payments by default
  • They only matter if your Radar rules explicitly act on them

Fraudsters know this — and exploit it.


3D Secure: Powerful, but Strategic

3D Secure (3DS) adds an authentication step where the cardholder verifies themselves via a banking app, SMS code, or biometrics.

When 3DS succeeds:

  • The issuer confirms the cardholder
  • Liability for most fraud chargebacks shifts away from you

This makes 3DS one of the strongest tools Stripe offers.

But it’s not free:

  • It adds friction
  • It can reduce conversion if overused

That’s why Stripe doesn’t force 3DS everywhere — and why you need rules to decide when to require it.


Where These Signals Meet: Stripe Radar

Stripe Radar sits above payments and evaluates transactions using:

  • Machine-learning risk scores
  • CVC and AVS results
  • 3DS authentication status
  • Signals like IP country, card BIN, and velocity

Radar includes default AI rules, and Radar for Fraud Teams lets you create custom logic.

But Radar follows a simple principle:

Allow unless told otherwise.

If your rules don’t say what to do when CVC or AVS fails, Radar often allows the payment — even if the signal looks suspicious.

These signals only matter when Radar rules actually act on them.
If Radar is misconfigured, even strong checks like CVC and AVS can quietly fail to stop anything.

We explain why this happens — and how to fix it — in “Why Stripe Radar Still Lets Fraud Through (And How to Fix It).”


Why CVC, AVS, and 3DS Aren’t Enough on Their Own

The issue isn’t that these checks are ineffective.

The issue is:

  • They’re permissive by default
  • Many accounts have no explicit rules tied to them
  • Fraudsters understand this model better than merchants do

This is how Ghost Transactions happen:
successful payments that failed important checks but were never blocked.
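
That definition can be applied directly to charge data. The following is an added example, not GhostAudit's or Stripe's code: it flags succeeded charges whose issuer checks came back fail and notes whether 3DS authenticated them. The records are constructed and assume the Charge object's payment_method_details.card.checks and three_d_secure fields; the function and sample names are hypothetical.

```python
# Added example. Records are constructed, shaped like Stripe Charge objects.
CHECKS = ("cvc_check", "address_line1_check", "address_postal_code_check")

def _card(status, cvc, line1, postal, tds_result=None):
    """Build one constructed charge body (helper for the sample data only)."""
    tds = {"result": tds_result} if tds_result else None
    return {"status": status, "payment_method_details": {"card": {
        "checks": {"cvc_check": cvc, "address_line1_check": line1,
                   "address_postal_code_check": postal},
        "three_d_secure": tds}}}

SAMPLE_CHARGES = [  # constructed, not real payments
    {"id": "ch_sample_clean", **_card("succeeded", "pass", "pass", "pass")},
    {"id": "ch_sample_cvc", **_card("succeeded", "fail", None, "pass")},
    {"id": "ch_sample_avs", **_card("succeeded", "pass", "fail", "fail",
                                    "authenticated")},
    {"id": "ch_sample_declined", **_card("failed", "fail", "fail", "fail")},
    # Non-card payment: no card details at all, so there is nothing to check.
    {"id": "ch_sample_nocard", "status": "succeeded",
     "payment_method_details": {"type": "sepa_debit"}},
]

def failed_checks(charge):
    """Names of issuer checks that came back 'fail' (not 'unchecked' or None)."""
    card = (charge.get("payment_method_details") or {}).get("card") or {}
    checks = card.get("checks") or {}
    return [name for name in CHECKS if checks.get(name) == "fail"]

def passed_3ds(charge):
    """True only when the charge carries an 'authenticated' 3DS result."""
    card = (charge.get("payment_method_details") or {}).get("card") or {}
    return (card.get("three_d_secure") or {}).get("result") == "authenticated"

def find_ghost_transactions(charges):
    """Succeeded charges that failed at least one issuer check."""
    findings = []
    for charge in charges:
        if charge.get("status") != "succeeded":
            continue  # this payment did not go through, so it is not a ghost
        failed = failed_checks(charge)
        if failed:
            findings.append({"id": charge["id"], "failed": failed,
                             "three_d_secure": passed_3ds(charge)})
    return findings

if __name__ == "__main__":
    for finding in find_ghost_transactions(SAMPLE_CHARGES):
        print(finding)
```

Findings with three_d_secure set to False are the ones to review first, since no liability shift applies to them.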


How GhostAudit Closes the Gap

GhostAudit doesn’t replace CVC, AVS, or 3DS.
It helps you use them intentionally.

GhostAudit scans your historical Stripe charges using a restricted, read-only key and shows you:

  • Approved payments with failed CVC or AVS checks
  • How often these failures still lead to successful charges
  • Which patterns are most common in your account

From there, it suggests concrete Radar rules aligned with Stripe’s own best practices — so you’re not guessing.


From Signals to Strategy

CVC, AVS, and 3DS are powerful — but only when they’re connected to decisions.

If you want to move from “we enabled Stripe security” to “we understand what’s actually getting through,” visibility is the missing step.

GhostAudit gives you that visibility — using your own data.


Want to See How These Checks Behave in Your Account?

GhostAudit runs a read-only analysis of your Stripe charges to uncover Ghost Transactions and show where CVC, AVS, and 3DS rules could have prevented fraud.

👉 Run a Ghost Transaction scan

GhostAudit