# Protecting a Consumer Profile
source: https://developer.mastercard.com/account-validation/documentation/use-cases/protect-profile/index.md

These example flows demonstrate use of the Account Validation API to help protect a consumer profile.

In these examples, you are a Mastercard Send Transaction Initiator and provide a marketplace app that enables consumers to buy and sell items. Each consumer has an app profile with a linked card account for funding purchases and receiving proceeds.

These examples do not prescribe the design and interactions of your app; those aspects are for you to define. For details of using the API and sample requests and responses, see [API Reference](https://developer.mastercard.com/account-validation/documentation/api-reference/index.md). If an API request fails validation, Mastercard returns an error response; see [Error Codes](https://developer.mastercard.com/account-validation/documentation/code-and-formats/index.md#error-codes). For details of using other Mastercard Send APIs, refer to those API documentation sets.

## Create a New Profile {#create-a-new-profile}

When a new consumer (Ali) creates an app profile, fraud risks include use of a fake identity or stolen card. The app's Create Profile flow can use the Account Validation API to help verify Ali's identity and card account.

Example sequence:
Diagram av-sequence-new-profile

The example sequence above shows:

1. In the app, Ali starts the Create Profile flow.

2. In the first panel, Ali provides her full name, address, and card account details.

3. You send an [Account Validation API](https://developer.mastercard.com/account-validation/documentation/api-reference/index.md) POST request with the name and account details, including optional CVC/CVV.

4. Mastercard sends a non-financial request to the card issuer to validate the supplied account details.

5. The card issuer checks and responds with matching response codes.

6. Mastercard translates the issuer's response codes into [status values](https://developer.mastercard.com/account-validation/documentation/code-and-formats/index.md#status-valuess) and provides those to you in the API response. For example:

   * `cvcValidationResults.status` = 'MATCHED'
   * `nameValidationResults.status` = 'MATCHED'

   We recommend you use additional account checks to provide further data for your validation decision logic, such as these Mastercard Send additional services:
   * [Account Information service](https://developer.mastercard.com/mastercard-send-account-info/documentation/) checks the sending and receiving eligibility of the card account with Mastercard.
   * [Account Verification Service (AVS)](https://developer.mastercard.com/mastercard-send-avs/documentation/) checks the postcode and billing address with the card issuer.

7. You use the returned [status values](https://developer.mastercard.com/account-validation/documentation/code-and-formats/index.md#status-valuess) and any other checking results to determine whether to trust the consumer and their card account.

8. The app continues with the Create Profile flow or states that the profile cannot be created.

## Edit Profile or Add New Card Account {#edit-profile-or-add-new-card-account}

When an existing app profile is edited, such as by changing the associated name or address or by adding a new card account, fraud risks include account takeover and payment redirection. For example, if Ben (a fraudster) gets access to Ali's profile, he might try to change the card account to redirect Ali's proceeds to his own account, which is associated with a different name at the card issuer. The app's Edit Profile flow can use the Account Validation API to verify name and card account changes and help detect possible account takeover.

Example sequence:
Diagram av-sequence-new-account

The example sequence above shows:

1. In the app, Ben accesses Ali's profile and starts the Edit Profile flow.

2. Ben chooses to add a new card account and provides the card account details.

3. You send an [Account Validation API](https://developer.mastercard.com/account-validation/documentation/api-reference/index.md) POST request with the profile name and account details, including optional CVC/CVV. This will check the profile name (which Ben hasn't changed) against the account name on record with the card issuer.

4. Mastercard sends a non-financial request to the card issuer to validate the supplied name and account details.

5. The card issuer checks and responds with matching response codes.

6. Mastercard translates the issuer's response codes into [status values](https://developer.mastercard.com/account-validation/documentation/code-and-formats/index.md#status-valuess) and provides those to you in the API response. For example:

   * `cvcValidationResults.status` = 'MATCHED'
   * `nameValidationResults.status` = 'NOT_MATCHED'

   We recommend you use additional account checks to provide further data for your validation decision logic, such as these Mastercard Send additional services:
   * [Account Information service](https://developer.mastercard.com/mastercard-send-account-info/documentation/) checks the sending and receiving eligibility of the card account with Mastercard.
   * [Account Verification Service (AVS)](https://developer.mastercard.com/mastercard-send-avs/documentation/) checks the postcode and billing address with the card issuer.

7. You use the returned [status values](https://developer.mastercard.com/account-validation/documentation/code-and-formats/index.md#status-valuess) and any other checking results to determine whether to trust the user and their card account. In this example, you detect possible account takeover.

8. The app states that the card account cannot be added.

   As possible account takeover is detected, you determine further action to protect the profile and verify the user, for example:
   * Notify the profile owner (Ali) via a pre-configured secondary contact method.
   * Ask the app user (Ben) to resupply the CVC/CVV for existing card accounts in the profile, which can be validated using this API, and provide further proof of identity such as answers to pre-configured security questions.
   * Temporarily suspend the account or limit functionality.
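
The decision step (step 7) of both the Create Profile and Edit Profile flows can be sketched as one fail-closed function. This is an added example, not Mastercard code: the function, enum and action names are hypothetical, and the response is assumed to be a parsed JSON object carrying only the two status fields shown above. A real decision would also weigh the additional checks the page recommends.

```python
from enum import Enum

MATCHED, NOT_MATCHED = "MATCHED", "NOT_MATCHED"  # the two status values shown on the page

class Decision(Enum):
    PROCEED = "continue the flow"
    REJECT = "profile cannot be created / card cannot be added"
    PROTECT_PROFILE = "reject and treat as possible account takeover"

# Follow-up actions the page lists for a suspected takeover (labels are hypothetical).
TAKEOVER_ACTIONS = ("notify_owner_via_secondary_contact",
                    "revalidate_cvc_on_existing_cards",
                    "suspend_or_limit_profile")

def status_of(response, field):
    """Return response[field]['status'], or None if absent or malformed."""
    result = response.get(field) if isinstance(response, dict) else None
    return result.get("status") if isinstance(result, dict) else None

def decide(response, flow, cvc_supplied=True):
    """flow is 'create' or 'edit'. Fails closed: only an exact MATCHED passes."""
    name = status_of(response, "nameValidationResults")
    cvc = status_of(response, "cvcValidationResults")
    reasons = []
    if name != MATCHED:
        reasons.append(f"name:{name}")
    if cvc_supplied and cvc != MATCHED:  # CVC/CVV is optional in the request
        reasons.append(f"cvc:{cvc}")
    if not reasons:
        return Decision.PROCEED, reasons, ()
    # Edit flow: the profile name was sent unchanged, so an explicit name
    # mismatch means the new card belongs to someone other than the owner.
    if flow == "edit" and name == NOT_MATCHED:
        return Decision.PROTECT_PROFILE, reasons, TAKEOVER_ACTIONS
    return Decision.REJECT, reasons, ()

# Constructed sample responses: only the two fields named on the page.
CREATE_OK = {"cvcValidationResults": {"status": "MATCHED"},
             "nameValidationResults": {"status": "MATCHED"}}
EDIT_MISMATCH = {"cvcValidationResults": {"status": "MATCHED"},
                 "nameValidationResults": {"status": "NOT_MATCHED"}}
TRUNCATED = {"cvcValidationResults": {"status": "MATCHED"}}  # name result missing

if __name__ == "__main__":
    for label, resp, flow in [("create", CREATE_OK, "create"),
                              ("edit", EDIT_MISMATCH, "edit"),
                              ("truncated", TRUNCATED, "edit")]:
        decision, reasons, actions = decide(resp, flow)
        print(label, decision.name, reasons, actions)
```

A missing or unrecognised status is rejected rather than passed, so a truncated or unexpected response never results in a trusted card.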
