The bank that issues a credit or debit card to a cardholder is referred as the “Issuing Bank”. When a customer makes a purchase using their card, their Issuing Bank sends funds to the merchant’s “Acquiring Bank”, where the funds settle. Since Xendit has optimized configurations with Acquiring Banks to prevent declines from their side, card declines that might be experienced are generally the result of the Issuing Bank declining those transactions.
Issuing banks only share the exact reason for a decline to the cardholder, who has the direct relationship (bank account or cardholder agreement) with them. So the only way to know for sure why a card was declined is to ask the cardholder to contact their issuing bank and ask. They can do this by calling their bank and inquiring about the declined transaction by providing the amount, date / time, and other information to help the bank identify the transaction.
However, since asking customers to call their bank to investigate every decline is not a scaleable or a user-friendly process, we have developed heuristics to determine the most likely reasons for the decline. These heuristics are based on signals in the response from the issuing bank combined with its regional context such as country. The Card Transaction Details page in the Xendit Dashboard has a Decline Insights section which explains the most likely reasons for any decline based on these heuristics.
See the below for a description of the different insights that explain why a transaction was most likely declined.
If the cardholder does not have enough balance or credit to complete the transaction, issuing banks may send a code to indicate this. However, our data shows that some banks may sometimes use this code to mask the actual decline reason, so we would advise showing a generic decline message to the customer, perhaps asking them to inquire with their bank about the decline.
Recommendation: Let users know that their card was declined and ask them try a different one.
The cardholder's bank responded that the payer entered the wrong CVN or expiration date. This can happen when the CVN or the expiration date was entered incorrectly. Not all banks properly distinguish which field was incorrect, which is why CVN and expiration date are combined here.
Recommendation: Ask user to retry entering card details.
The cardholder's bank responded that the payer entered the wrong CVN.
Recommendation: Ask user to retry entering card details with the correct CVN. If it still doesn’t work, they can try entering the card without the CVN at all if you allow this option. Note however that this will increase the chance of fraud, since the cardholder isn’t proving that they have the full card details.
Globally, most banks do not require authentication (3DS) prior to charging debit or credit cards. Regionally however, some banks in Malaysia and Indonesia will decline debit cards if they have not been authenticated (e.g. ECI = 7 for Visa cards).
Recommendation: Authenticate these cards, or ask user for another card.
Globally, this would most likely be caused by the user entering a mistyped, fake / test, or inactive card number (e.g. never activated). Regionally, Indonesian and Malaysian banks have been known to issue cards (especially debit & entry-level cards) that are not yet enabled for e-commerce. If the customer is using an Indonesian / Malaysian card that works in stores not online, this is the most likely reason for the decline. The cardholder can call or visit their bank and ask that it be enabled for e-commerce.
Recommendation: Ask user to re-enter their card number or try another card.
Issuing banks will generally block transactions where CVN has been entered incorrectly as this generally indicates a higher chance of fraudulent transaction (CVN result = N).
Xendit recommends always including CVN to reduce fraud. At the same time, we understand that including CVN is not possible for background charges or one-click checkout flows because PCI-DSS does not permit merchants to store CVN post-authorization. If your business has decided that the checkout conversion benefits outweigh the increased fraud risk, you may opt to bypass the CVN altogether. This is what companies like Amazon and Uber do.
Recommendation: Ask user to re-enter their card information. We do not recommend revealing the reason to the user, as this can make your website an attractive vector for fraudsters to repeatedly guess the correct CVN, significantly increasing your chargeback risk.
While optional for most banks in the Asia-Pacific and Americas, European banks will often decline cards if CVN is not included. So if your market includes Europe, try requiring users to enter their CVN, especially if they are European cardholders.
Card is expired and cannot be charged.
Recommendation: Let user know that their card has expired, and to try a different card that is active.
This card number has been reported as stolen.
Recommendation: You may want to prevent this user from using your services, as they are using fraudulent cards, and there is a high chance that you would be liable for a chargeback when the scammer uses another card that has not been marked stolen yet. Alternatively, if you are sure that the user is legitimate, you can ask them to try using another card.
The cardholder's bank is not allowing this charge to go through. This could be because the card is not enabled for online purchases, or because the bank sees suspicious behavior. The cardholder (user) is the only person authorized by their bank to know exactly why the charge was declined. This is especially common with foreign cards when they are used to make an online payment in Indonesia for the first time. Often, you may find that the same card number is used to successfully make the purchase a few minutes or hours later, after they have confirmed with their bank that the charge attempt was made by them. For local cards, this is common when the cardholder’s bank has simply decided not to allow the cardholder to make this purchase, or any online online purchases in general.
Recommendation: Let the user know that their bank declined the transaction, and that they should try another card if they have one. Or, let them know that they can call their bank to find out why it was declined.