But why? It’s the merchant’s decision to take the risk or not, isn’t it?
Keep in mind that address matching isn’t a precise science: particularly if I get a payment card from abroad, I should expect some address mismatch, because addresses are formatted differently in different countries, and my “order form” may not match what the customer is used to, or what the card issuer uses.
And, again, not all online purchases require providing an address, so it’s entirely up to the merchant to decide whether it’s worth the risk or not.
Most of us are probably not really aware of this, but the bank’s authorisation is really only the first out of a number of checks that most merchants will take into account when deciding whether to accept a card for payment or not (especially online). There is, for example, this stuff where the payment network returns a risk indicator to the merchant together with the auth message, and leaves it up to the merchant to decide which risk level they want to accept.
Here are two fictional examples I can think of at the opposite end of the scale:
- I sell high-value physical goods online. In that case, I’d certainly do well to reject transactions with higher risk factors (e.g. address mismatch).
- I sell some online subscription to a service I provide. Providing that service to each individual user has little cost, and the service can easily be cancelled if the payment is reversed. I will be willing to take higher risk transactions due to the low financial risk to myself, and I might not even bother asking for someone’s address at all, as it reduces the burden on data protection compliance (I don’t need to bother about data I never held).
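
The two merchants above can be compared with a small expected-value sketch. This is an added example, not part of the original comment; the 1 to 5 risk scale, the fraud probabilities, the mismatch multiplier, the margins and the dispute fee are all constructed assumptions, not values from any payment network.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed mapping from an assumed 1..5 network risk indicator to an
# estimated fraud probability; real schemes define their own scales.
RISK_TO_FRAUD_PROB = {1: 0.002, 2: 0.01, 3: 0.03, 4: 0.10, 5: 0.30}
AVS_MISMATCH_MULTIPLIER = 4.0  # assumed weight of an address mismatch

@dataclass
class AuthResult:
    approved: bool              # the issuer's authorisation decision
    risk_level: int             # indicator returned with the auth message
    avs_match: Optional[bool]   # None: the merchant never asked for an address

@dataclass
class MerchantProfile:
    name: str
    margin_rate: float            # profit as a fraction of the order value
    loss_rate_on_reversal: float  # fraction of order value lost if reversed
    dispute_fee: float            # flat cost per reversed payment

def fraud_probability(auth: AuthResult) -> float:
    p = RISK_TO_FRAUD_PROB[auth.risk_level]
    if auth.avs_match is False:   # only a real mismatch raises the estimate
        p *= AVS_MISMATCH_MULTIPLIER
    return min(p, 1.0)

def decide(merchant: MerchantProfile, amount: float, auth: AuthResult) -> str:
    if not auth.approved:
        return "reject"           # authorisation is the first check, not the last
    p = fraud_probability(auth)
    expected_gain = (1 - p) * amount * merchant.margin_rate
    expected_loss = p * (amount * merchant.loss_rate_on_reversal
                         + merchant.dispute_fee)
    return "accept" if expected_gain > expected_loss else "reject"

# Constructed profiles for the two fictional merchants in the list above.
GOODS = MerchantProfile("high-value goods", 0.10, 0.90, 20.0)
SUBSCRIPTION = MerchantProfile("online subscription", 0.90, 0.05, 20.0)

if __name__ == "__main__":
    mismatch = AuthResult(approved=True, risk_level=3, avs_match=False)
    for merchant, amount in ((GOODS, 1000.0), (SUBSCRIPTION, 10.0)):
        print(merchant.name, "->", decide(merchant, amount, mismatch))
```

With the same approved, risk-level-3, address-mismatch authorisation, the goods merchant rejects and the subscription merchant accepts, because almost nothing is lost when a cancellable service payment is reversed.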