Skip to main content

Visa 11.1 - Card Recovery Bulletin

Transaction processed on a card that was on the Card Recovery Bulletin (CRB), also known as the "hot card list."

Overview

The Card Recovery Bulletin is a list of cards reported lost, stolen, or fraudulent. If a card appears on this list and a merchant processes the transaction anyway, liability shifts to the merchant.

When This Code Applies

  • Card was on CRB at time of transaction
  • Terminal didn't check CRB (or ignored result)
  • Transaction processed despite CRB listing
  • Card-present transactions primarily

Conditions for Valid Dispute

Issuer Must Verify

  1. Card was on CRB at transaction time
  2. Cardholder did not authorize
  3. Card was blocked/cancelled

Transaction Requirements

  • Card-present transaction
  • Merchant should have received "pick up card" or similar response
  • Within CRB publication timeframe

Time Frames

ScenarioDispute Window
Standard120 days from transaction date

CRB Process

How CRB Works

  1. Card reported lost/stolen/fraudulent
  2. Issuer adds to Card Recovery Bulletin
  3. CRB distributed to terminals/acquirers
  4. Terminal should decline and retain card

Terminal Response Codes

CodeMeaningMerchant Action
04Pick up cardDecline, retain if safe
07Pick up card (special)Decline, retain if safe
41Lost cardDecline
43Stolen cardDecline

Representment Options

Limited options due to CRB nature:

1. Card Not on CRB at Transaction Time

Evidence required:

  • Timestamp of transaction
  • CRB publication records
  • Proof card added to CRB after transaction

2. Authorization Obtained

Evidence required:

  • Auth approval code
  • Auth request/response logs
  • No "pick up card" response received

3. Timing Dispute

Evidence required:

  • Transaction timestamp
  • CRB addition timestamp
  • Proof of real-time auth check

Prevention Strategies

Terminal Configuration

  1. Real-time auth required - Always get online authorization
  2. CRB checking enabled - Never skip hot card check
  3. Response code handling - Train for decline codes

Staff Training

  1. Decline code recognition - Know what 04, 41, 43 mean
  2. Card retention procedures - When safe to retain
  3. Never override - Don't bypass CRB declines

System Requirements

  1. Online terminals - No offline authorizations
  2. Updated CRB - Regular downloads if batched
  3. Response logging - Record all auth responses

Win Rate Expectations

Defense TypeExpected Win Rate
Card added to CRB after transaction80-90%
Auth approved (no CRB match)70-85%
Card was on CRB at transactionUnder 10%

Common Mistakes

  1. Offline processing - CRB can't be checked offline
  2. Ignoring decline codes - Processing despite "pick up"
  3. Old CRB data - Not updating terminal data
  4. No auth logging - Can't prove auth was clean
  • 11.2 - Declined Authorization
  • 11.3 - No Authorization
  • 10.1 - EMV Counterfeit

Next Steps

Got this chargeback?

  1. Check if card was on CRB at transaction time → Very hard to defend
  2. Verify you had valid authorization → Pull auth logs
  3. If card was on CRB → Accept the chargeback (limited defense)

Prevent future 11.1 chargebacks:

  1. Process transactions online (real-time CRB check)
  2. Update terminal CRB data regularly if offline capable
  3. Never override "pick up card" decline responses
  4. Review authorization basics

See Also