← Decline Codes
Hard Decline

Stripe Decline Code · Glossary

stolen_card

stolen_card is a permanent hard decline fired when the issuing bank has been notified that the card was stolen — every future charge attempt against that card number is blocked at the network level, forever.

Non-recoverable·10–15%·Updated May 2026

What It Means

What stolen_card actually means.

stolen_card is a permanent hard decline fired when the issuing bank has been notified that the card was stolen — every future charge attempt against that card number is blocked at the network level, forever. Like lost_card, Stripe's official guidance is explicit: never reveal this specific reason to the customer — the person attempting the transaction may be the thief themselves, and disclosing the code enables social engineering and fraud escalation.

Not sure if this code is recoverable for your specific situation? Use the Stripe Failure Lookup →

Why It Happens

The root causes.

  • 1Cardholder reported the card stolenThe legitimate customer contacted their bank, triggered an immediate network-wide block, and the bank issued a replacement with a completely new card number, CVC, and expiry — leaving the dead card on file in Stripe
  • 2Bank detected theft pattern before the customer didModern fraud detection flags cards proactively based on velocity, geography, or dark web data matches — the bank marks the card stolen before the customer is even aware
  • 3Card tester / fraudster probing your checkoutA bad actor using stolen card data from a breach is attempting to validate the card against your merchant ID — stolen_card fires when the issuer recognizes the card as already flagged in their fraud database
  • 4Old card persisted after theft replacementCustomer received a replacement card weeks ago but never updated their Stripe payment method — the stolen card number is still on file and fails on next billing cycle

What NOT to Do

Common mistakes that make it worse.

Absolutely never disclose the stolen_card code to the user

This is Stripe's strongest official mandate across all decline codes. Display it as a generic payment failure only. If the person attempting the transaction is the thief, revealing the stolen_card status hands them critical intelligence — confirming the card is flagged, giving them time to pivot to a different stolen card before you can react.

Don't retry — not once, not ever

stolen_card is among the hardest of hard declines. The card is permanently blocked at the card network level — no timing logic, no payday cycle, no smart retry algorithm changes this. Retrying wastes API calls, degrades your merchant health signal with card networks, and delivers a 0% success rate.

Don't apply the same workflow as lost_card

While lost_card and stolen_card are siblings, stolen_card carries a meaningfully higher fraud signal — especially on new accounts. Your internal triage logic must treat stolen_card as fraud-first, customer-second, rather than the other way around. Applying an identical, customer-friendly outreach workflow to both codes without fraud screening first exposes your platform to abuse.

Retry Timing

Optimal retry schedule.

Zero retries. Zero retry scheduling. Full stop. Every second of your operational effort goes into two parallel tracks: internal fraud triage and (where appropriate) customer outreach to capture a new payment method.

Recovery Benchmark

What good looks like.

MetricResult
Overall recovery rate10–15%
Recovery from legitimate customers (card replaced)25–35% of the recoverable subset
Recovery via alternate payment method+8–10% additional lift
Recovery with blind retries~0%
Non-recoverable (fraud / true theft)~65–75% of all occurrences
Median recovery window (legitimate customers)3–7 days

A 12–15% overall recovery rate on stolen_card is the realistic ceiling. The majority of occurrences are non-recoverable — either fraud attempts or genuine theft where the card is gone for good. Your recovery lever is exclusively speed of neutral outreach to the legitimate customer segment — the faster you get them to add a replacement card or alternate method, the better your recoverable-subset conversion.

At Scale

How to handle it at scale.

Automated

  • Webhook trigger: invoice.payment_failed → check failure_code === 'stolen_card' → route to a completely isolated, fraud-aware workflow — no overlap with soft decline tracks
  • Fraud scoring gate: Before any email fires, auto-score the account: account age, number of prior successful payments, IP/device match, charge amount vs. plan average — only proceed to customer outreach if risk score is below your fraud threshold
  • Hard-block all retries: Add stolen_card to your retry engine blocklist alongside lost_card, fraudulent, and pickup_card — these four codes should never enter a retry queue
  • Email Day 0 — neutral, fraud-safe copy: Subject: "Action needed on your [Product] account" — never reference stolen card, card fraud, or card status. Show last 4 digits of the card on file so the legitimate customer can identify which card to replace. Single CTA to payment update page
  • No-login card update link: Include a tokenized, no-login payment update URL in every email — requiring a customer to log in to update payment adds unnecessary friction and kills recovery rate for stolen_card where urgency is highest
  • Stripe Account Updater: Enable this — in rare cases where a bank proactively reissues after a theft event, Account Updater may silently resolve the payment before your dunning sequence fires

Manual Escalation

  • New account + stolen_card on first charge: Immediate manual suspension + internal review — do not send any customer email until a human verifies account legitimacy; this is your highest fraud-risk scenario
  • High-ACV legitimate accounts: Personal outreach Day 2 from a founder or CSM using completely neutral language — "We noticed a payment issue and wanted to reach out directly" — personal touch recovers 20–30% of legitimate high-value customers who missed the automated email
  • Cluster of stolen_card failures in short window: If 3+ customers hit stolen_card within 24–48 hours, escalate immediately — this pattern can signal an upstream card data breach in your checkout or CRM integration, not individual theft events
  • Fraud pattern review monthly: Export all stolen_card occurrences monthly and cross-reference with account age, IP geography, and failed charge amounts — builds a fraud signal model specific to your product category and customer base

FAQs

Frequently asked questions.

What does the Stripe stolen_card decline code mean?

The stolen_card decline code means the customer's issuing bank has flagged the card as reported stolen, permanently blocking all future charge attempts at the network level. Stripe requires merchants to never disclose this specific reason to the customer — it must be presented as a generic payment decline.

What are the most common causes of a stolen_card error in Stripe?

Common causes include the legitimate cardholder reporting the card stolen and receiving a replacement with new details, the bank proactively flagging the card after detecting a theft pattern, a fraudster testing stolen card data against your checkout, or an old stolen card number remaining on file in Stripe after the customer received a replacement card.

Should I tell my customer their card was reported stolen?

No. Stripe's official guidance is to never reveal the stolen_card reason to the person attempting the transaction. If the person is the thief, disclosing the code enables further fraud. Always present it as a generic payment failure and direct them to update their payment method.

Should I retry a payment after a Stripe stolen_card decline?

Never. stolen_card is a permanent hard decline with a 0% retry success rate. The card is blocked at the network level. Add this code to your retry engine blocklist immediately and focus all recovery effort on getting legitimate customers to add a new payment method or alternate payment option.

What is the recovery rate for Stripe stolen_card failures?

The overall recovery rate for stolen_card is 10–15%, one of the lowest of all Stripe decline codes. Among confirmed legitimate customers who simply need to update to their replacement card, 25–35% recovery is achievable. The majority of stolen_card occurrences involve fraud attempts or true card theft that are not recoverable.

Before you retry

Most stolen_card failures are retried on the wrong schedule — which recovers the payment about 30% of the time. The other 70% leaves permanently. See what this code is actually costing at your MRR before deciding how to handle it.

See what stolen_card costs me →

Stop leaving revenue on the table

stolen_card can't be retried — but it can be caught earlier.

Recurflux handles code-specific retry scheduling, adaptive dunning, and dispute intelligence across all 30 Stripe decline codes. Connect in under 5 minutes.