My understanding of AVS is that it can happen due to either one of incorrect postal code or incorrect address (e.g., home number + street), or both. I’m a little confused, therefore, as to exactly what’s in-scope for Risk Manager vs using the Payments API.
Per the postal code test card in “Error state values” https://developer.squareup.com/docs/devtools/sandbox/payments, I can see that createPayment with the bad postal code: “99999” leads to ADDRESS_VERIFICATION_FAILURE without Risk Manager activated (unless somehow I activated it in Sandbox but I don’t think so).
But as there’s no test card for a bad house number + street address, I’m not sure, if I were to pass full address details to createPayment, would it check the other aspects of the address and return AVS_FAILURE if they fail? OR would it only check non-postal-code address details if I DID have Risk Manager activated on the account?
With Square we only pass the information that’s collected in the Web Payments SDK to the card network and the card network will either release the funds or they’ll decline the payment. The information that they want is the card number, expiration date, CVV, and postal code associated to the card. Any other address information that’s collected isn’t validated by the card network.
If you enable Risk Manager you can set rules that will further check the validity of each payment based on the rules you configure. 
Oh I hadn’t realized this, so WITHOUT Risk manager, the line address (not postal code) is never checked when it’s passed to createPayment? Interesting.
If I enroll in Risk Manager, do I need to do anything else to ensure this line address check is happening in the Payments API (since they’re separate features), or is it automatic, since it sees that my account is enrolled? OR is it separate entirely, the API doesn’t have anything to do with Risk Manager, what would happen in this case is the API would do validation, RM separately does validation?
I’m not finding a clear answer on docs… seems like most folks who implement Risk Manager are not using an API?
I’m not sure if Risk Manger can trigger a check on the full address. Also we don’t validate the full billing address. We only validate the information that’s submitted in the form.