Without billing address data, the card network's Address Verification System (AVS) cannot run a fraud check on the transaction. AVS compares the postal code and street address the customer provides against the address on file with the card issuer — a mismatch is one of the strongest signals that a card is being used fraudulently. Skipping AVS doesn't just reduce fraud detection accuracy; it increases your Stripe Radar risk score across all transactions and can raise your effective fraud dispute rate. PCI-DSS 4.0 Req 6.4 covers fraud detection controls; missing AVS data is a direct gap in that control layer for card-present and card-not-present transactions alike.
Medium because omitting billing address data disables AVS fraud scoring at the card network level, increasing the success rate of fraudulent card-not-present transactions against your store.
Collect billing address fields in the checkout form and pass them in billing_details when creating or confirming the PaymentMethod.
const { error } = await stripe.confirmPayment({
elements,
confirmParams: {
return_url: `${window.location.origin}/checkout/complete`,
payment_method_data: {
billing_details: {
name: formData.cardholderName,
email: formData.email,
address: {
line1: formData.billingLine1,
city: formData.city,
state: formData.state,
postal_code: formData.postalCode, // minimum required for AVS
country: formData.country,
},
},
},
},
})
At minimum, collect postal_code and country. Stripe Radar uses the AVS result automatically once billing_details.address is populated — no additional Radar rule configuration is required.
ID: ecommerce-payment-security.fraud-prevention.avs-enabled
Severity: medium
What to look for: Check whether billing address data is collected in the checkout form and passed to the payment provider. Enumerate the billing address fields present in the checkout form (postal code, country, street, city, state) and count how many are collected. For Stripe, look for billing_details being populated on the PaymentMethod or PaymentIntent — specifically billing_details.address. Verify that at least 2 billing address fields (postal code + country at minimum) are collected and passed to the provider.
Pass criteria: The checkout form collects billing address with at least 2 fields (postal code and country at minimum) and includes it in the payment provider request via billing_details. AVS is not explicitly disabled. The provider processes AVS checks automatically (default behavior).
Fail criteria: Billing address is not collected at all, or collected but not passed to the payment provider request. Without a billing postal code, AVS cannot run and fraudulent transactions are more likely to succeed.
Skip (N/A) when: The project only processes tokenized or vaulted payments where the billing address was captured and stored in a previous session, or uses a payment method type where AVS is not applicable (e.g., SEPA debit, iDEAL).
Detail on fail: Describe what is missing. Example: "Checkout form collects shipping address but no billing address. stripe.confirmPayment() is called without billing_details — AVS checks cannot run, reducing fraud detection effectiveness"
Remediation: Collect billing address and include it in your payment method creation:
const { error } = await stripe.confirmPayment({
elements,
confirmParams: {
return_url: `${window.location.origin}/checkout/complete`,
payment_method_data: {
billing_details: {
name: formData.cardholderName,
email: formData.email,
address: {
line1: formData.billingAddress,
city: formData.city,
state: formData.state,
postal_code: formData.postalCode,
country: formData.country,
},
},
},
},
})
Stripe Radar uses the AVS result automatically — no additional configuration is needed once billing details are included.