
Stolen Card

Decline code: stolen_card
Error type: card_error
HTTP status: 201 Created (payment status becomes failed asynchronously)

What it means

The card has been reported as stolen by the cardholder. The issuing bank has blocked the card and will decline all transactions.

Why it happens

  • The cardholder reported their card stolen to their bank.
  • Law enforcement flagged the card as part of a fraud investigation.
  • The bank detected unauthorized usage patterns and proactively blocked the card.

API response

The payment is created with status: "pending". After processing, it transitions to failed with decline details:
{
  "id": "pay_abc123",
  "status": "failed",
  "decline_code": "stolen_card",
  "decline_message": "The card has been reported stolen."
}

What to tell the customer

Your card could not be processed. Please use a different payment method.
Never tell the customer the card was reported stolen. This is critical for fraud prevention — revealing the reason could tip off a fraudster.

What the merchant should do

  1. Show a generic decline message — never reveal the card is stolen.
  2. Do not retry — a stolen card is permanently blocked.
  3. Do not allow the same card number to be retried in the same session.
  4. Log the attempt with full context — IP address, device fingerprint, customer account, timestamp. This data is valuable for fraud investigation.
  5. Consider blocking the session — a stolen_card decline is a stronger fraud signal than lost_card. Consider requiring additional verification or blocking the user.
  6. Report to your fraud team if you have one.

Fraud considerations

A stolen_card decline is the strongest fraud signal among decline codes. The person attempting the payment is very likely not the legitimate cardholder. Best practices:
  • Flag the transaction in your internal fraud monitoring system.
  • Track the customer account — if a registered user attempts a stolen card, their account warrants review.
  • Monitor the IP address — multiple stolen card attempts from the same IP should trigger automated blocking.
  • Preserve evidence — if law enforcement requests transaction data related to card theft, having detailed logs is essential.
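
The merchant steps and the IP-monitoring practice above, sketched as an added example (not code from this API's documentation or SDK). The class, method and field names, the threshold of 3, the HMAC card fingerprint and the in-memory stores are assumptions, and all sample values are constructed.

```python
import hashlib
import hmac
import time
from collections import defaultdict

# Wording taken from the page; it never mentions the real decline reason.
GENERIC_MESSAGE = "Your card could not be processed. Please use a different payment method."
IP_BLOCK_THRESHOLD = 3                     # assumed policy value
FINGERPRINT_KEY = b"constructed-demo-key"  # assumption: real key comes from a secret store

class StolenCardPolicy:
    def __init__(self):
        self.blocked_cards = defaultdict(set)  # session_id -> card fingerprints
        self.ip_hits = defaultdict(int)        # ip -> stolen_card decline count
        self.blocked_ips = set()
        self.audit_log = []                    # stand-in for a fraud-monitoring sink

    @staticmethod
    def fingerprint(card_number):
        # Keyed hash: recognises the same card again without storing the number.
        return hmac.new(FINGERPRINT_KEY, card_number.encode(), hashlib.sha256).hexdigest()

    def may_attempt(self, session_id, ip, card_number):
        if ip in self.blocked_ips:
            return False
        return self.fingerprint(card_number) not in self.blocked_cards.get(session_id, set())

    def on_failed_payment(self, payment, ctx, card_number):
        """Apply the merchant steps; returns what the checkout UI may show."""
        if payment.get("status") != "failed" or payment.get("decline_code") != "stolen_card":
            return None  # other outcomes are handled elsewhere
        fp = self.fingerprint(card_number)
        self.blocked_cards[ctx["session_id"]].add(fp)      # step 3: no retry of this card
        self.ip_hits[ctx["ip"]] += 1
        if self.ip_hits[ctx["ip"]] >= IP_BLOCK_THRESHOLD:  # repeated attempts from one IP
            self.blocked_ips.add(ctx["ip"])
        self.audit_log.append({                            # step 4: full context, no card number
            "ts": time.time(), "payment_id": payment["id"],
            "decline_code": payment["decline_code"], "card_fp": fp, **ctx,
        })
        return {"customer_message": GENERIC_MESSAGE, "retry_allowed": False}

def demo():
    # Constructed sample data; the payment body mirrors the page's example response.
    policy = StolenCardPolicy()
    payment = {"id": "pay_abc123", "status": "failed", "decline_code": "stolen_card"}
    ctx = {"session_id": "sess-1", "ip": "203.0.113.7", "device_fp": "dev-1", "account": "cust-1"}
    shown = policy.on_failed_payment(payment, ctx, "4111111111111111")
    return policy, shown
```

The real decline code goes only to the audit log; the value returned to the checkout UI carries the generic message and nothing else about the reason.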