Slash raises $100M Series C at a $1.4B valuation

Learn more

Code 63: Security Violation

Security concern

Decline Code 63: What 'Security Violation' Means for Merchants

Decline code 63 means a security check on the transaction failed. The most common cause is a CVV or CVC mismatch — the security code entered doesn't match what the issuing bank has on file. It can also fire for other security failures, but a wrong CVV is where to look first. Whether it's a hard or soft decline depends on the situation, which makes code 63 one of the more nuanced declines merchants encounter.

What Does Decline Code 63 Mean?

When a card transaction is submitted, the payment network doesn't just check the card number and available balance. It also validates the card's security credentials: the CVV or CVC code, the billing address, and in some cases additional authentication layers like 3D Secure. Code 63 fires when one of those checks fails.

Most of the time that failure is a simple data entry error. The customer typed their CVV wrong, their billing address doesn't match what the bank has on file, or an autofilled form pulled outdated information. Correct the entry and the transaction goes through.

Less commonly, code 63 points to something more structural: a failed 3D Secure authentication, a cryptogram validation issue, or a bank-level security flag on the account. In those cases a retry with corrected information won't be enough.

Common Causes of a Decline Code 63

  • Incorrect CVV or CVC entered. The most common trigger by a wide margin. One wrong digit in the three or four character security code is enough to fail the check.
  • Failed 3D Secure or Verified by Visa authentication. Online transactions that require additional cardholder authentication can return a 63 if that step fails or times out.
  • AVS mismatch on billing address. The billing address submitted doesn't match the address the bank has on file. Common after a move or when autofill pulls an old address.
  • Security token or cryptogram validation failure. Relevant for digital wallets and tokenized transactions where the security element attached to the transaction couldn't be validated.
  • Card used in a way that bypasses required security checks. Some transactions require CVV entry by bank policy. Attempting to process without it can trigger a 63.

Bank-configured security rules triggered. Some issuers have security thresholds that, once hit, start returning 63 declines on subsequent attempts even if the CVV entered is correct.

Is Decline Code 63 a Hard or Soft Decline?

Code 63 sits in between, and the distinction matters for how you respond.

If the cause is a data entry error, specifically a wrong CVV or incorrect billing address, it behaves like a soft decline. The underlying card is valid and a single retry with corrected information will typically go through.

If the cause is something at the bank level, a repeated security failure, a flagged account, or a failed authentication that can't be corrected by re-entering information, it functions as a hard decline. Retrying won't help and the cardholder needs to contact their bank.

The practical rule: one careful retry with corrected information is reasonable. If it fails again, stop and ask for an alternate payment method. Repeated failures on the same card signal that the issue goes beyond a simple typo.

How Merchants Should Handle Decline Code 63

  1. Ask the customer to re-enter their CVV carefully. Don't assume the first entry was wrong, but a simple "could you double-check your security code?" is a low-friction first step.
  2. Verify the billing address matches what the bank has on file. If the customer has moved recently or the form autofilled an old address, this is worth checking before retrying.
  3. Allow one retry with corrected information. A single follow-up attempt with the right CVV and correct billing address is appropriate. That's the extent of it.
  4. If it fails again, ask for an alternate payment method. A second failure suggests the issue is beyond a data entry error. Continuing to retry risks triggering a fraud flag on the account and escalating a manageable situation.

Do not store or log the CVV entered. This is a PCI compliance requirement, not just good practice. CVV data cannot be retained after a transaction attempt regardless of whether it succeeded or failed.

Frequently Asked Questions About Decline Code 63

Is decline code 63 always a CVV error? No, but it's the most common cause. Code 63 covers any security check failure, which includes AVS mismatches, failed 3D Secure authentication, and cryptogram validation issues in tokenized transactions. That said, if you're seeing a 63 and don't know where to start, the CVV is the right first thing to check.

Can I retry after a code 63 decline? Once, with corrected information. If the customer re-enters their CVV carefully and confirms their billing address is current, a single retry is appropriate. If that attempt fails as well, stop. Repeated security failures on the same card can trigger a fraud flag on the account, and continuing to run the card after multiple 63 declines is the kind of pattern processors and card networks flag.

Does code 63 mean my card has been compromised? Not necessarily. A 63 is most often a data entry issue, not evidence that the card has been tampered with or stolen. If you're consistently getting 63 declines on a card where you're confident the CVV and address are correct, it's worth calling your bank to check whether there's a security flag on the account. But a single 63 on its own is not a reason to assume the card is compromised.

How does code 63 differ from code 82? Both relate to CVV validation but they originate differently. Code 63 is a security violation returned by the issuing bank, meaning the CVV was checked and failed at the account level. Code 82 is a CVV validation error that typically originates at the network or processor level, often indicating the CVV format or structure was invalid rather than simply incorrect. In practice the merchant response is similar for both, but the distinction can matter when troubleshooting recurring issues.

Related Decline Codes

Code 63 lives in the security and authentication space. These related codes cover adjacent failure types:

  • Code 05 — Do Not Honor. The catch-all decline. Sometimes overlaps with security flags where the bank declines without specifying the exact reason.
  • Code 14 — Invalid Card Number. The card number itself doesn't match a valid account, a different kind of validation failure from a CVV mismatch.
  • Code 51 — Insufficient Funds. A balance issue with no security implication.
  • Code 57 — Transaction Not Permitted to Cardholder. A permissions issue at the account level rather than a security check failure.
  • Code 59 — Suspected Fraud. The bank flagged the transaction for fraud rather than a specific security credential failure.
  • Code 62 — Restricted Card. Card-level restrictions blocking the transaction rather than a failed security check.
  • Code 82 — CVV Validation Error. A related but distinct CVV failure originating at the network or processor level.
  • Code 41 — Lost Card. Hard decline. Card was reported lost. Do not retry.




What to do when your card is declined

Quick steps to resolve card declines and complete your transaction.

1

Verify your CVV and billing address.

Double-check the 3-4 digit security code and ensure your billing address matches what your bank has on file.

2

Complete authentication steps.

If prompted for 3D Secure verification, enter the one-time code sent to your phone or email.

3

Contact your bank.

If details are correct, call your bank to verify your identity and lift any security holds.

Other
decline codes

Apply in less than 10 minutes today

Join the 5,000+ businesses already using Slash.

Discover more insights