Skip to main content

Stolen Card

Decline code: stolen_card Error type: card_error HTTP status: 201 Created (payment status becomes failed asynchronously) WL error code: 43

What it means

The card has been reported as stolen by the cardholder. The issuing bank has blocked the card and will decline all transactions.

Why it happens

  • The cardholder reported their card stolen to their bank.
  • Law enforcement flagged the card as part of a fraud investigation.
  • The bank detected unauthorized usage patterns and proactively blocked the card.

API response

The payment is created with status: "pending". After processing, it transitions to failed with decline details: 
{
  "id": "pay_abc123",
  "status": "failed",
  "decline_code": "stolen_card",
  "decline_message": "The card has been reported stolen."
}

What to tell the customer

Your card could not be processed. Please use a different payment method.
Never tell the customer the card was reported stolen. This is critical for fraud prevention — revealing the reason could tip off a fraudster.

What the merchant should do

  1. Show a generic decline message — never reveal the card is stolen.
  2. Do not retry — a stolen card is permanently blocked.
  3. Do not allow the same card number to be retried in the same session.
  4. Log the attempt with full context — IP address, device fingerprint, customer account, timestamp. This data is valuable for fraud investigation.
  5. Consider blocking the session — a stolen_card decline is a stronger fraud signal than lost_card. Consider requiring additional verification or blocking the user.
  6. Report to your fraud team if you have one.

Fraud considerations

A stolen_card decline is the strongest fraud signal among decline codes. The person attempting the payment is very likely not the legitimate cardholder. Best practices:
  • Flag the transaction in your internal fraud monitoring system.
  • Track the customer account — if a registered user attempts a stolen card, their account warrants review.
  • Monitor the IP address — multiple stolen card attempts from the same IP should trigger automated blocking.
  • Preserve evidence — if law enforcement requests transaction data related to card theft, having detailed logs is essential.