AVS (Address Verification System) and CSC/CVV2 (Card Security Code)


These 2 anti-fraud measures were introduced by the industry purely for transactions taken in a cardholder-not-present environment. Both measures try to help the merchant identify whether the person using the card number has at least seen the back of the card and knows the registered postal address of the card.

Card Security Code
This is a 3- or 4-digit numeric code that appears on the card. Visa, MasterCard, Maestro and most other cards have 3 digits on the back of the card, which usually appear on or next to the signature strip. American Express cards have a 4-digit code on the front of the card.
Each card has a security code that has been generated by the card issuer's computer systems. The reason for this appearing on cards in the first place is so that the merchant taking payment in a cardholder-not-present situation can verify that the person using the card has it in their hand at the time of purchase. In reality, however, all it means is that the person placing the transaction has either seen the back of the card or has got hold of the number by other means, such as capturing the details from the cardholder's computer, via some kind of virus or spyware, when they were entered.
The Card Security Code has various names, depending on who you speak to:

  • CSC = Card Security Code
  • CVV2 = Card Verification Value 2
  • CVC2 = Card Validation Code 2
  • CCID = Credit Card ID
  • CID = Card Identification Number
  • CVN = Card Verification Number

Please note that the Card Security Code must not be stored. This guideline is part of the PCI DSS (Payment Card Industry Data Security Standard). If you do store these details, you will not be compliant with PCI DSS, which is a mandatory regulation.


AVS (Address Verification System)
This measure sends the numbers in the address and postcode that have been entered into the terminal or webpage to the card issuer. The card issuer checks the numbers against what they have on record for the card and returns a "correct", "partially correct" or "incorrect" response. The address and postcode checks are 2 separate checks, meaning that you could get a match for one but not the other.
This measure can be an effective anti-fraud check as long as the card issuer supports AVS checking and returns a response.

Unfortunately, the AVS system has flaws. The first is that it is not mandatory for the card issuer to return a response; the second is that there are compatibility problems when the card issuer resides in a different country.
If the issuer does reside in another country, there is a big chance that there will be no response at all to the AVS check.



British Forces Postal Office and AVS
The following information was taken from the APACS website and is not in our own words. The full details are available on the APACS website.

The British Forces Postal Office (BFPO) is a joint services organisation tasked with providing postal counter services, letter, packet and postal transmission services to and from military and other governmental locations throughout the world. BFPO locations are identified by a special BFPO number rather than a Royal Mail postcode. As such when a member of the military services uses their credit or debit card to make a purchase over the internet, by telephone or mail order and requests the goods to be delivered to a military site they may quote an address that includes a BFPO number rather than a postcode.
Therefore, when merchants enter a BFPO number rather than a postcode into the system it is likely to result in a 'no match' AVS response.
In this situation this should not be considered a valid reason not to deliver to the customer, on the basis that the goods can only ever go to one central secure BFPO sorting location and can therefore be classified a 'lower' risk transaction. Common sense rules should continue to apply i.e. orders from a BFPO address should still be subject to routine fraud checks undertaken by a merchant.
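
The sketch below is an added example, not code from this page or from APACS. It shows how a merchant system might interpret the two separate AVS checks described above, including a missing issuer response and a BFPO address. The per-check labels, the action names and the sample addresses are assumptions made for the example.

```python
import re

# Per-check outcomes (labels assumed for this example; real gateways use their own codes).
MATCHED, NOT_MATCHED, NOT_CHECKED = "matched", "not matched", "not checked"
BFPO = re.compile(r"\bBFPO\s*\d+\b", re.IGNORECASE)


def avs_numerics(text):
    """Keep only the digits, which is all AVS sends to the card issuer."""
    return "".join(ch for ch in text if ch.isdigit())


def overall_response(address_result, postcode_result):
    """Fold the two separate checks into one overall response."""
    results = {address_result, postcode_result}
    if results == {NOT_CHECKED}:
        return "no response"          # issuer returned nothing for either check
    if results == {MATCHED}:
        return "correct"
    if MATCHED in results:
        return "partially correct"    # only one of the two checks matched
    return "incorrect"


def assess(address, postcode, address_result, postcode_result):
    """Return what was sent, the overall response and an assumed merchant action."""
    overall = overall_response(address_result, postcode_result)
    is_bfpo = bool(BFPO.search(address) or BFPO.search(postcode))
    if overall == "correct":
        action = "avs-pass"
    elif overall == "no response":
        action = "no-avs-signal"      # not a failure: rely on the other fraud checks
    elif is_bfpo:
        action = "bfpo-expected-mismatch"  # do not refuse on AVS alone
    else:
        action = "manual-review"
    return {"sent": (avs_numerics(address), avs_numerics(postcode)),
            "overall": overall, "action": action}


# Constructed sample orders (addresses and postcodes are made up).
if __name__ == "__main__":
    print(assess("12 High Street", "AB1 2CD", MATCHED, MATCHED))
    print(assess("Unit 4, BFPO 58", "BFPO 58", MATCHED, NOT_MATCHED))
    print(assess("7 Rue Exemple", "75001", NOT_CHECKED, NOT_CHECKED))
```

Every action other than "avs-pass" still leaves the order subject to the merchant's routine fraud checks; the action only records why AVS alone did not settle it.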