For US based transactions, AVS failures (address, zip) don't typically fail the transactions.

Most often, the api has 3 possible return values "Success", "Success With Warnings" and "Failure".

The "Success with Warnings" will have some error codes for AVS failures (street address, zip). Usually the same for invalid CVV2. I've also noticed that cardholder name matching isn't universally supported...AMEX does it well, but VISA/MC is hit or miss.

Most merchants choose to allow for "Success with Warnings" and then manually check them.

It's hard to automate, because it's very typical for real customers to mistype billing addresses, CVV2, etc. One good example is small business owners. They, very often, use their business address as billing, even when the billing address is actually their home address.

In short, you can configure for hard failure on address mismatch or CVV2 mismatch, but you're throwing away a lot of legit transactions if you do so.

Only Amex has the ability to check the cardholder name. Visa & Mastercard don't pass this data to the issuer.

That's entirely up to the merchant, not the processor (or the gateway, either of the banks, or any of the other middlemen). From the link you gave "You will need to log into your payment gateway website and adjust these settings as you learn your customer profile and behavior." Most merchants want to sell things, and don't want to constantly field complaints from customers (or bad word of mouth from lost customers), so they set them to rather loose settings.

The fraud checks go through many middlemen each with their own systems, with their own bugs and limitations. Any programmer could guess a few. If the address is "apt 2, 300 main street" entered as "300 main st, apt 2" (or vice-versa), it can fail. If the zip code is 9-digits entered as 5 (or vice-versa), it could fail. Of course, the customer doesn't know exactly what pattern the system is looking for. If the punctuation is different, it might fail. If there are unexpected characters or encodings that any system or network in the chain can't handle properly, it might fail. If any of the systems is in a different country from any of the others, it might fail. In fact, AVS doesn't work in most countries (or at least didn't, last time I checked.) The internet brings international customers, but the payment systems aren't really internationalized.

So the question becomes, do we tighten this down to try to reduce fraud at the cost of losing 2/3rds of our regular repeat customers and limiting ourselves to only U.S. customers? Unless the cost of fraudulent transactions regularly exceeds 2/3rds of your revenue and you're intentionally a U.S.-only business, probably not. Companies would rather ignore AVS and expiration date failures than go out of business.

My memory is fuzzy, but I believe this depends on an issuers and acquirers. There are acquirers who do not check for anything but card number, expiration date and optionally CVC. And there are issuers who do not have AVS (address verification) support, which I think is almost all issuers outside the States.

Most modern payment gateways will enforce CVC check, and require the name to be present, though.

Believe that the address validation only checks the numbers present in the address, not the rest of the text, at least that was what I read in some gateway's documentation. Imagine the level of what they check may vary.

This is of course if the merchant/gateway even cares about that level...