Have you ever wondered why none of the cards you buy from online stores work? Even after reading my thread about AI systems, the card you bought for $30, which the store guarantees is the first one, somehow still can't process the transaction?
Or if they do, why do they act inconsistently? Some cards sometimes work for thousands, while most of the time many of them can’t even sign you up for a Netflix account!
To understand and optimize your workflow for success, you need to understand the approval levels your order details must go through for your purchase to even be successful, let alone shipped, and why the cards you buy are likely to get caught before they even get to the next stages.
When assessing the risk of a fraudulent/unauthorized transaction, banks and payment processors implement what is called the “Swiss Cheese Model” in the cybersecurity industry.
The Swiss Cheese Model
This means that instead of a transaction being assessed once, it goes through rigorous multiple checks and requires multiple approvals from systems before it will allow the payment to be successful. Thanks to advances in AI and machine learning algorithms, all of these processes take milliseconds and are virtually seamless for the end legitimate consumer.
For the purposes of this article, we will rigorously assume that your card is completely valid. I will walk you through each step and at the end, I will tell you why the cards you buy tend to fail. The first step of the process, when you submit the transaction, is essentially the site’s own risk analysis. Seon, Radar, Riskified, Forter, the list goes on and on, and I covered this in detail in my article: How to Bypass Modern AI-Based Fraud Protection Systems (Anti-Fraud Systems).
In this article, we’ve covered the tricks and workarounds you can control, but I’ve left out a giant piece of the puzzle: the card you’re using.
You see, while you may have a brand-new laptop with an amazing fingerprint, the best residential proxy in the world, your card may have been through a bunch of checks in a fraud system, and that significantly increases the risk factors for your transaction.
To understand what I mean, we need to have a deep understanding of the underground economy of card sales:
(an old photo of a card store from decades ago, haha)
There are only four words to understand how the CVV economy works, and it's very simple: merchants want maximum profit.
While store operators and support staff have a reputation to build and maintain, merchants on many of these platforms do not, they are often faceless entities that change identities regularly, and whatever path they take to make more money, they will take. This means that card stores with looser rules or looser quality checks will inevitably end up with a sea of junk/re-sold cards.
It also logically means that online stores that don't have enough traffic/sales to make merchants maximum profit are relegated to low priority when those merchants start selling cards. This means that the most logical way for someone reselling cards to maximize profit is to list it on the most popular card store first, give it a few days to sell, check for validity after a few days and remove the non-working cards, and then proceed to re-upload it to the next profitable store. By the third time a card is resold, they have essentially become a free for all and will list it on as many smaller stores as possible.
What happens is that your success becomes tied to how high up the food chain the store you are buying from is, or how strict their quality checks are. Another side effect of this kind of economy is that the big players/stores maintain their dominance and can make more profit on each card sold because the quality of their cards is much better (since sellers list them first) and they maintain a higher market share (since smart buyers will check their site first).
The Anatomy of a Resold Card
What people don’t realize is that reselling a card to multiple stores isn’t the biggest factor in why you’re not passing the first risk check. A card could theoretically be resold to five stores, sit unsold for weeks, and still make big numbers. The bigger problem is that the process of reselling cards to multiple stores requires many greedy merchants – since they also want to make double the profit and profit on the cards they sell – to check the cards before reloading them.
How are the cards checked?
Each time a card is reloaded to different stores, the merchant can use services like 4Check and Lux to check the databases and remove unused cards. While this creates a whole host of different problems that I’ll get into later, it’s simply not something most merchants use, since these merchant-based checks tend to be expensive and unprofitable. Checking 1,000 cards with 4Check costs $250!
So what do they use? The cheapest checkers.
The boom of checkers
So what are checkers? Checkers are essentially checkers that try to link a card to a service or create a payment using a card in an automated and fast way. Here are some examples: FlashCheck and OMGCheck:
The payment processor that runs these anchor-based checkers is mostly Stripe or Braintree. Either they have a huge list of API keys that they rotate regularly, or they have a huge list of websites with unsecured forms (for donations/add a card, etc.) where they submit the card details and wait for a response. Their scripts send the card number, expiration date, and CVV to the Stripe/Braintree endpoint and base their assessment of whether the card is active or dead based on the API response.
If you read my guide to the AI system, you'll understand why this approach kills the card (without actually killing it): when you run your card through these checkers, the Stripe/Braintree/Adyen AI model that has mitigations for card verification essentially marks your card as "stolen" and blocks it from any payment process running on their payment network indefinitely.
The only choice you have for this card, since it is blocked by most of the major payment networks, is to use it with an unknown, low-security card processor that has nothing to do with Stripe/Braintree/Adyen at all. Since the big three block your card, you have essentially restricted yourself from using your card at about 90% of all online stores, at least in the US.
The link checker boom only helps greedy card resellers and Telegram script kiddies who generate credit card numbers to buy Spotify subscriptions, but it has been an overall net negative for the industry as a whole. It has single-handedly destroyed the success rate of carders far more than anything else before it. I even joked with a friend that Stripe/Braintree etc. may actually be allowing these link checkers to operate, since it is so easy for them to know which cards to block. Your only solution in this case is to be strict about which stores you plan to purchase your cards from.
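Seen from the merchant side, the automated submissions to donation and add-a-card forms described above are card testing, and they leave a recognizable trace in the payment-attempt log. The following is an added example, not code from the original article: a sliding-window detector that a site owner could run over their own attempt records. The record fields, thresholds and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Attempt:
    ts: datetime
    source_ip: str
    card_fp: str       # processor-side card fingerprint/token, never the card number
    amount_cents: int
    approved: bool


# Illustrative thresholds (assumptions); tune against your own traffic.
WINDOW = timedelta(minutes=10)
MIN_DISTINCT_CARDS = 5
MIN_DECLINE_RATIO = 0.6


def detect_card_testing(attempts):
    """Return {source_ip: timestamp at which its window first crossed both thresholds}."""
    windows = defaultdict(deque)
    flagged = {}
    for a in sorted(attempts, key=lambda x: x.ts):
        w = windows[a.source_ip]
        w.append(a)
        # Drop attempts that have aged out of the sliding window.
        while a.ts - w[0].ts > WINDOW:
            w.popleft()
        distinct_cards = {x.card_fp for x in w}
        declines = sum(1 for x in w if not x.approved)
        # Many different cards AND mostly declines: a shared office NAT has
        # the first property but not the second, so it is not flagged.
        if (a.source_ip not in flagged
                and len(distinct_cards) >= MIN_DISTINCT_CARDS
                and declines / len(w) >= MIN_DECLINE_RATIO):
            flagged[a.source_ip] = a.ts
    return flagged


def at(seconds):
    """Timestamp helper for the constructed sample below."""
    return datetime(2024, 1, 1, 12, 0, 0) + timedelta(seconds=seconds)


# Constructed sample log (documentation IP ranges, made-up fingerprints).
SAMPLE_ATTEMPTS = [
    # Burst of $1 donations, six different cards, mostly declined.
    Attempt(at(0), "203.0.113.7", "fp_a1", 100, False),
    Attempt(at(20), "203.0.113.7", "fp_a2", 100, False),
    Attempt(at(40), "203.0.113.7", "fp_a3", 100, True),
    Attempt(at(60), "203.0.113.7", "fp_a4", 100, False),
    Attempt(at(80), "203.0.113.7", "fp_a5", 100, False),
    Attempt(at(100), "203.0.113.7", "fp_a6", 100, False),
    # Ordinary customer: one typo, then a successful retry on the same card.
    Attempt(at(30), "198.51.100.20", "fp_b1", 2500, False),
    Attempt(at(90), "198.51.100.20", "fp_b1", 2500, True),
    # Shared office address: several different cards, all approved.
    Attempt(at(10), "192.0.2.50", "fp_c1", 5000, True),
    Attempt(at(50), "192.0.2.50", "fp_c2", 1500, True),
    Attempt(at(120), "192.0.2.50", "fp_c3", 2000, True),
    Attempt(at(200), "192.0.2.50", "fp_c4", 1000, True),
    Attempt(at(300), "192.0.2.50", "fp_c5", 3000, True),
]

if __name__ == "__main__":
    for ip, when in detect_card_testing(SAMPLE_ATTEMPTS).items():
        print(f"card-testing pattern from {ip}, first seen {when.isoformat()}")
```

A flagged source is a candidate for a CAPTCHA challenge, rate limiting or blocking on the affected form, and the fingerprints it touched are worth reporting to the payment processor.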
Risk Assessment Providers
If your card passes the initial checks by the AI models, the next step is to check it with risk assessment providers. These outside companies specialize in assessing the risk associated with a transaction, providing an additional layer of security beyond what Stripe offers. Unlike Stripe, which primarily considers machine-generated signals like IP addresses and browser fingerprints, risk assessment providers take a more comprehensive approach. They examine all the metadata of a transaction, examining a variety of factors to ensure its overall legitimacy and security. This thorough assessment helps detect any potential fraud that may have been missed by the initial AI checks.
- Cardholder risk profile (including amount)
- Trader Risk Profile
- Nature of the transaction
A practical example of this process is repeatedly entering the wrong CVV code. While Stripe’s systems may not block you immediately, different banks using different risk assessment providers may. This discrepancy can result in a “generic_decline” code from Stripe. It’s important to note that Stripe’s Radar system does not provide customers with a detailed explanation if a rejection is initiated by an external risk provider, even if Stripe itself considers your transaction safe. So an external risk assessment can influence the outcome, despite a positive assessment from Stripe. If you’ve used Stripe Radar to assess your own cards, you’ve probably encountered this: all fraud indicators are low, but the fraud score is still high:
If your transaction is flagged by risk assessment providers, this will often result in a “card block”. These blocks are usually temporary and are automatically lifted within about 72 hours. Alternatively, you can speed up the process by contacting your bank directly to have the block lifted.
This situation is what merchants and CC checkers call a “risk check” or a Code 59 “Fraud Suspect.” If you encounter this, it’s best to give your card a little breathing room for a couple of days — think of it as a mini-vacation. During this cooling-off period, if the cardholder hasn’t set up alerts and remains blissfully unaware of your attempted transaction, you can try again. Just remember that success depends on factors largely outside your control, other than the purchase amount. Running your card through merchant checkers again is like repeatedly nudging someone trying to take a nap — you’re bound to get a “card block.” So give it some time and let it cool off a bit.
Bank Checks
Congratulations! Your transaction has passed the payment processor and risk provider. Now for the final step: the bank. Bank checks are the basics; they focus on the transaction amount and how it fits with the cardholder’s normal spending habits.
Let’s say a cardholder uses their Costco card just to hide their $10 OnlyFans subscription from their wife. Suddenly they try to buy an $8,000 Alienware laptop? The bank will likely block them. Large deviations from their normal spending are alarming.
Here’s a trick: Use the cardholder’s zip code with this tool to find out the average income in the area. Use it to set a reasonable transaction limit. Note that for a higher chance of approval, transactions should be within a reasonable range of the average income.
Card level and BINs matter, but not too much. Platinum cards may allow higher limits, but sudden large purchases may still be blocked. The opposite is also true: Standard/Classic cards can be very beneficial if the cardholder likes to spend on expensive things to feel adequate and look rich. Some BINs are better suited to certain stores, and there are already many of them on the forum. Also, consider the transaction history of the card. Frequent small purchases preceding a large one can help normalize the large amount in the eyes of the bank. Logically, large purchases by the cardholder give credibility to large purchases on your part, so I usually use Visa purchase alerts, wait for the cardholder to make such large purchases, and follow them up with my own large purchase; it works every damn time!
Now the magical thing about this is that the entire verification process from the platform to the bank takes less than two seconds. And those two seconds decide the fate of your transaction, so try to optimize what you can control (purchase amount, the store you buy from, choosing a postcode, choosing a BIN) and don’t spend too much time on what you can’t control.
Remember that as financial systems improve over time, so should your strategies for bypassing them. And the only way to do that is to gain proper knowledge with experience.
