← Decline Codes
Hard Decline

Stripe Decline Code · Glossary

incorrect_cvc

incorrect_cvc fires when the 3 or 4-digit security code (CVV/CVC) entered by the customer doesn't match what the card issuer has on file — causing the bank to reject the transaction as a security violation.

Non-recoverable·Updated May 2026

What It Means

What incorrect_cvc actually means.

incorrect_cvc fires when the 3 or 4-digit security code (CVV/CVC) entered by the customer doesn't match what the card issuer has on file — causing the bank to reject the transaction as a security violation. It is a card-data error, not a funds error — meaning the customer's card may be perfectly valid and fully funded, but the payment will keep failing until the correct CVC is entered or a new payment method is submitted.

Not sure if this code is recoverable for your specific situation? Use the Stripe Failure Lookup →

Why It Happens

The root causes.

  • 1Simple typo at checkoutThe most common cause; customer mis-keys the 3-digit CVV (or 4-digit for Amex) under time pressure or on mobile, especially in small input fields
  • 2Card reissued with a new CVCWhen a bank reissues a card after a fraud event, the new card gets a new CVC number — if the customer updated only the expiry or card number in Stripe but not the CVC, this mismatch triggers the error
  • 3Expiry date wrong, CVC shown as culpritA known Stripe/issuer quirk: some issuers return incorrect_cvc even when the CVC is correct but the expiry date is wrong — the bank combines both signals into one error code
  • 4Stripe Radar's CVC block rule activeIf your Stripe Radar settings have the rule Block if :cvc_check: = 'fail' enabled, Stripe itself blocks the payment before it reaches the bank — causing incorrect_cvc even on legitimate cards with minor entry errors
  • 5Fraud attempt with stolen card dataA bad actor using scraped card numbers may not have the correct CVC, triggering this error as a fraud signal — particularly relevant on first-time checkouts from new, unverified accounts

What NOT to Do

Common mistakes that make it worse.

Don't retry without prompting the customer to re-enter their CVC

incorrect_cvc is almost always a data entry problem — retrying the exact same stored card details will produce the exact same failure every single time. Every blind retry is guaranteed to fail until the underlying CVC mismatch is corrected.

Don't immediately assume fraud and hard-block the customer

While a wrong CVC can be a fraud signal, the majority of incorrect_cvc failures on subscription billing come from genuine customers with reissued cards or simple typos — not fraud attempts. Immediately blocking or cancelling their account without a correction opportunity destroys good customer relationships unnecessarily.

Don't only update the CVC field — prompt a full card details review

Because some issuers conflate expiry and CVC errors into the same code, asking a customer to only re-enter their CVC may not fix the issue. Your card update flow should prompt them to verify all fields — card number, expiry, CVC, and billing address — in one step.

Retry Timing

Optimal retry schedule.

incorrect_cvc has no retry window — it is a data accuracy problem, not a timing problem. All recovery effort flows into getting the customer to correct their card details.

Recovery Benchmark

What good looks like.

MetricResult
Recovery with immediate card update prompt55–70%
Recovery with in-app + email combined65–75%
Recovery within 48 hours of failure~50–60% (fastest of all data-error codes)
Recovery with blind retries only (no prompt)~0–5%
Fraud-related incorrect_cvc (non-recoverable)~5–10% of all occurrences

A 65%+ recovery rate on incorrect_cvc is achievable with a fast, frictionless card update flow. The biggest drop-off happens when the update page requires too many steps — every extra click between the email CTA and the CVC input field costs you 5–10% recovery. Optimize your card update UX for single-screen, pre-filled corrections.

At Scale

How to handle it at scale.

Automated

  • Webhook trigger: invoice.payment_failed → check failure_code === 'incorrect_cvc' → immediately check outcome.type to distinguish Radar block vs. issuer decline before any action
  • Zero retries: Remove from all retry schedulers — no retry should fire until customer completes card update; gate the retry on a customer.updated webhook event confirming new card details saved
  • Email Day 0 — within 60 minutes: Subject: "Your card's security code didn't match — quick fix needed" — CTA links directly to a pre-filled card update page showing the last 4 digits of the card on file
  • In-app correction widget: Inject an inline card update modal on first post-failure login — pre-fill card number and expiry, highlight the CVC field with a tooltip showing where to find the code on their card type (back for Visa/MC, front for Amex)
  • Radar rule audit: Run a monthly review of your Block if :cvc_check: = 'fail' Radar rule — if false positive rates are high, consider switching to a softer rule that flags instead of blocks, recovering legitimate customers caught by aggressive settings
  • Post-update auto-retry: The moment a customer saves new card details (customer.updated event fires), trigger an immediate automatic retry — don't make them manually re-initiate payment

Manual Escalation

  • Repeat incorrect_cvc on same card (2+ times): Flag for manual fraud review — a legitimate customer almost never enters their CVC wrong twice in a row; this pattern correlates with card testing or account takeover
  • New customer, first charge fails with incorrect_cvc: Route to manual review before any retry — elevated fraud probability on brand-new accounts vs. long-tenure subscribers
  • High-ACV accounts: Personal outreach on Day 2 if no card update — a CSM email mentioning the specific card (last 4 digits) and walking through the fix step-by-step recovers 25–30% of stalled high-value accounts
  • Radar misconfiguration reports: If multiple customers from the same cohort hit incorrect_cvc simultaneously, check your Radar rules — a misconfigured rule can block an entire customer segment at once

FAQs

Frequently asked questions.

What does the Stripe incorrect_cvc decline code mean?

The incorrect_cvc decline code means the card security code (CVV/CVC) entered by the customer does not match the code the issuing bank has on file. The card itself may be valid and funded — but every charge attempt will fail until the correct CVC is provided or a new payment method is added.

What causes an incorrect_cvc error in Stripe?

Common causes include a simple typo at checkout, a reissued card with a new CVC number, an issuer returning incorrect_cvc when the expiry date is actually wrong, Stripe Radar blocking the payment due to a CVC check failure rule, or a fraud attempt using stolen card data without the correct security code.

Should I retry a payment after a Stripe incorrect_cvc error?

No. Retrying the same card details will always fail because the CVC mismatch remains unchanged. All recovery effort should go into prompting the customer to update their card details — specifically to verify their card number, expiry date, CVC, and billing address in one step.

Can incorrect_cvc be a fraud signal in Stripe?

Yes, but it is not the most common cause. Fraudsters using scraped card data often lack the correct CVC, so a first-charge incorrect_cvc failure on a brand-new account warrants manual review. However, for existing long-tenure customers, the same error most likely indicates a reissued card or a simple typo rather than fraud.

What is the recovery rate for Stripe incorrect_cvc failures?

With a fast, frictionless card update flow triggered within 60 minutes of the failure, recovery rates of 65–75% are achievable. Without any customer prompt, blind retry recovery is near zero since the CVC mismatch is never corrected.

Before you retry

Most incorrect_cvc failures are retried on the wrong schedule — which recovers the payment about 30% of the time. The other 70% leaves permanently. See what this code is actually costing at your MRR before deciding how to handle it.

See what incorrect_cvc costs me →

Stop leaving revenue on the table

incorrect_cvc can't be retried — but it can be caught earlier.

Recurflux handles code-specific retry scheduling, adaptive dunning, and dispute intelligence across all 30 Stripe decline codes. Connect in under 5 minutes.