Using API endpoint “Create Card” with a card nonce based on a bad card number, security code and expire date fails:
"errors": [
{
"category": "INVALID_REQUEST_ERROR",
"code": "INVALID_CARD_DATA",
"detail": "Invalid card data.",
"field": "source_id"
}
But using an INCORRECT zip code with valid card number, security code and expire date succeeds
I don't understand this behavior. If the zip code isn't validated with the card, why ask for it?
(I discovered by mistake it while testing when I wrongly entered an incorrect zip code.)
ZIP or postal code matching, also known as the Address Verification System (AVS), is a factor that our fraud prevention models consider when assessing risk. Based on seller feedback, we found that rejecting payments based on AVS mismatches alone ended up declining an unacceptable number of good payments. When our fraud detection models analyze a payment, they take a number of factors into account to determine if the ZIP code was either unintentionally mistyped or if it was a fraudulent transaction. If the data points to an unintentional mistype, we’ll approve the payment; if it appears fraudulent, we’ll decline it. 
To clarify, I take this to mean that the zip code is not taken into account when the cardnonce returns a valid card id, but that the zip code the customer associated with the card IS taken into account when and only when a purchase is made. Yes?
A source_id that’s used to create a card_id does go through some validation checks. However if a card_id is returned that was generated with an incorrect postal code it may or may not succeed when being charged since it’s ultimately up to the customers bank to release the funds.
1 Like