Stripe Decline Code · Glossary
security_violation is a hard decline fired when the issuing bank's internal security rules or fraud detection systems flag the transaction as a security risk and block it at the authorization layer — the bank detected signals that suggest the card, the transaction, or the cardholder's account may be compromised.
What It Means
What It Means
security_violation is a hard decline fired when the issuing bank's internal security rules or fraud detection systems flag the transaction as a security risk and block it at the authorization layer — the bank detected signals that suggest the card, the transaction, or the cardholder's account may be compromised. Unlike fraudulent (Stripe Radar-driven) or stolen_card (network-flagged theft), security_violation is exclusively an issuer-side security decision — the bank's own risk engine made this call, and only the bank can resolve it.
Not sure if this code is recoverable for your specific situation? Use the Stripe Failure Lookup →
Why It Happens
Why It Happens
What NOT to Do
What NOT to Do
✕ Don't retry without customer bank contact first
security_violation must be treated as a hard decline unless the customer explicitly confirms their bank has cleared the security flag. Retrying without that confirmation hits the same bank security wall every time — burning retry attempts, degrading your merchant signal, and potentially worsening the bank's risk scoring on your merchant ID.
✕ Don't assume it's just a wrong CVC and ask for a simple card detail correction
While incorrect card details can surface as security_violation at some issuers, treating every occurrence as a data entry error misses the majority of cases. Sending a generic "please re-enter your CVC" email when the real issue is a bank security hold frustrates customers and delays the actual fix — which requires bank contact, not a form re-entry.
✕ Don't display "security violation" to the customer
The specific phrase "security violation" on your checkout or dunning email is alarming and technically meaningless to most customers — it suggests your platform has a security problem, not their bank. Always surface this as a generic payment decline and direct the customer to call their bank for details.
Retry Timing
Retry Timing
security_violation requires a bank-contact-first gate before any retry is attempted — identical in structure to do_not_honor but treated with slightly more severity.
Recovery Benchmark
Recovery Benchmark
| Metric | Result |
|---|---|
| Overall recovery rate | 15–30% |
| Recovery when customer contacts bank | 45–55% of those who take action |
| Recovery via alternate payment method | +12–18% additional lift |
| Recovery with blind retries (no bank contact) | ~5–8% |
| Customer action rate on bank-contact email | ~30–40% (lower than card update emails) |
| Recovery within 7 days | ~20–25% |
A 25–30% overall recovery rate on security_violation is the realistic ceiling, and it's driven almost entirely by how effectively your email sequence motivates customers to call their bank. The biggest conversion lever is email specificity — telling the customer exactly what to say to their bank (charge amount, date, merchant name) doubles action rates versus vague "contact your bank" messaging.
At Scale
At Scale
Automated
Manual Escalation
FAQs
FAQs
What does the Stripe security_violation decline code mean?
security_violation means the customer's issuing bank blocked the transaction because its internal security rules or fraud detection system flagged it as a potential risk. It is an issuer-side hard decline — the bank detected suspicious signals on the transaction and refused it as a security precaution. Only the customer's bank can resolve the underlying flag.
What are the most common causes of a security_violation error in Stripe?
Common causes include the bank's risk engine detecting unusual transaction signals, card compromise indicators triggering a precautionary block, incorrect card details being interpreted as a security breach attempt, customer-activated card security controls, and account-level security holds placed by the bank pending identity verification or fraud investigation.
Should I retry a payment after a Stripe security_violation decline?
Not without customer bank contact first. Treat security_violation as a hard decline and gate all retries behind a customer confirmation that their bank has cleared the security flag. Limit retries to a maximum of 2 attempts total. Blind retries without bank clearance produce only 5–8% recovery and risk worsening your merchant risk signal.
What should I tell my customer when Stripe shows security_violation?
Ask them to call their bank and specifically say: 'I'm trying to authorize a payment of [amount] to [company name] made on [date] — please clear the security hold on my card.' Providing this exact script in your email doubles customer action rates versus vague contact-your-bank messaging. Never display the term security_violation to the customer — always use neutral decline language.
What is the recovery rate for Stripe security_violation failures?
Overall recovery rates for security_violation are 15–30%. Among customers who contact their bank, 45–55% recover successfully. Adding an alternate payment method offer on Day 5 adds 12–18% additional recovery lift. Blind retries without bank contact recover only 5–8%.
What to do next
You are here
security_violation
Decline code reference
Check recoverability
Stripe Failure Lookup
See what's recoverable — and what isn't →
Then
Sign up for Recurflux
Automate recovery for every decline code →
Before you retry
Before you retry
Most security_violation failures are retried on the wrong schedule — which recovers the payment about 30% of the time. The other 70% leaves permanently. See what this code is actually costing at your MRR before deciding how to handle it.
Stop leaving revenue on the table
Recurflux handles code-specific retry scheduling, adaptive dunning, and dispute intelligence across all 30 Stripe decline codes. Connect in under 5 minutes.