Deep Dive·8 min read·May 30, 2026

Soft Declines vs Hard Declines: 2026 Operator Guide

Soft declines are temporary and retryable. Hard declines are permanent and trigger Visa misuse fees. Operator playbook with response codes and dollar math.

myPayAdvisor Editorial

Reviewed by Barak Bachar, Global Payments Manager

Key findings

Subscription merchants leave 2 to 4 percent of monthly revenue on the floor by treating every decline as terminal.
Retrying hard declines like R0, R1, and 04 triggers Visa Misuse of Authorization fees on every attempt.
Code 05 Do Not Honor is the largest recoverable bucket; 3DS step-up on the second retry clears most of it.
Visa Account Updater and Mastercard ABU refresh roughly 60 percent of reissued cards silently before they fail.
Cap retries at 4 per card per cycle to stay clear of Visa Integrity Risk Program flags.

A soft decline is a temporary issuer refusal you can retry under network rules. A hard decline is a permanent refusal you must not retry. Subscription and SaaS merchants leave 2 to 4 percent of monthly revenue on the table by treating every decline as final. The flip side is worse. Retrying hard declines like response code 04 or R0 triggers Visa and Mastercard misuse-of-authorization fees plus chargeback exposure. The fix starts with bucketing response codes from your gateway and building a code-specific retry cadence.

What this actually is

A decline is the issuer's answer to an authorization request, returned through the card network in ISO 8583 field 39 as a two-character response code. The Federal Reserve's payments studies show that card-not-present transactions sit at materially higher decline rates than card-present, and that CNP fraud accounts for the bulk of total card fraud losses in the United States. Both Visa and Mastercard publish rules that govern how acquirers and merchants must treat each response code (Visa regulations, Mastercard interchange and rules).

The split between soft and hard is not about whether the response came back declined. The split is about whether the issuer's reason is fixable.

Soft declines include codes like 05 Do Not Honor, 51 Insufficient Funds, 61 Exceeds Withdrawal Limit, 65 Activity Limit Exceeded, and 91 Issuer Unavailable. The cardholder's account is valid. Conditions at the moment of the auth blocked the charge.

Hard declines include codes like 04 Pick Up Card, 14 Invalid Card Number, 15 No Such Issuer, 41 Lost Card, 43 Stolen Card, 54 Expired Card, 57 Transaction Not Permitted to Cardholder, and R0 or R1 Stop Payment or Revocation. The issuer is telling the acquirer to stop sending this charge.

Operator note

Visa formalized the line in its Stop Payment Service rules and Mastercard formalized it in its Transaction Processing Rules. Both networks apply per-attempt fees and program penalties for repeated authorization attempts after a hard decline.

A soft decline is a temporary issuer refusal that may be retried under network rules, while a hard decline is a permanent refusal that must not be retried.

How it works under the hood

The authorization flow is an ISO 8583 message exchange. Each leg has a few hundred milliseconds of budget. The steps:

The cardholder enters a card at checkout. Your gateway packages the transaction.
The gateway sends an 0100 authorization request to your acquirer or processor.
The acquirer routes the message through Visa, Mastercard, Discover, or Amex based on the BIN.
The network sends the request to the issuer's authorization host.
The issuer evaluates: BIN status, account balance or credit line, AVS match, CVV match, internal fraud score, velocity rules, and any merchant block list.
The issuer returns a response code in field 39. Approved is 00. Anything else is a decline.
The network returns the response to the acquirer.
The acquirer hands it back to your gateway.

Most operators see only steps 1 and 8. The interesting business decisions live in steps 5 and 6.

When a soft decline comes back, the issuer is saying try again later under different conditions. For code 51 Insufficient Funds, a retry on banking day 3 of the next month often clears. For code 91 Issuer Unavailable, a retry in 30 to 120 minutes often clears. Visa's Acquirer Monitoring framework and Mastercard's Account Status Inquiry service exist specifically to support retry behavior at network scale (Visa rules).

When a hard decline comes back, the issuer is saying do not send this again. Visa's Stop Payment Service rules require acquirers to flag account ranges and decline future attempts. Continuing to attempt authorization after a hard decline triggers Visa's Misuse of Authorization fee per attempt and contributes to the acquirer's monthly Integrity Risk Program metrics. Mastercard applies a similar per-attempt penalty under its Transaction Processing Rules and tracks repeat offenders in its Excessive Authorization Attempts category (Mastercard rules).

The retry caps are published. Visa Rules limit recurring and installment merchants to a maximum number of retry attempts within a 30-day window after an initial decline, with stricter caps for non-sufficient-funds codes. Mastercard's Transaction Processing Rules apply different caps for different decline categories.

Card networks also offer recovery tools that sit inside this loop. Visa Account Updater and Mastercard Automatic Billing Updater push updated card numbers and expiration dates from the issuer to enrolled merchants for any subscription card that gets reissued. These tools convert what would otherwise be a permanent 14 Invalid Card Number or 54 Expired Card decline into a soft refresh.

The retry decision is not a developer choice. It is a network compliance question with a per-attempt price tag.

Where it goes wrong for operators

Five patterns account for most of the lost revenue and most of the misuse fees we see on operator statements.

Pattern 1: Retrying R0 and R1 stop payments. R0 and R1 are network-level instructions from the cardholder, through the issuer, to stop the recurring charge. Visa's Stop Payment Service rules treat continued attempts as misuse. A merchant running $200K monthly volume with 0.5 percent of attempts as R0 or R1 retries can see Visa Misuse of Authorization fees that total over $1,200 per year, plus a heightened chance of an Acquirer Monitoring Program flag.

Pattern 2: Same-second retries on a soft decline. Code 51 Insufficient Funds retried 60 seconds later returns 51 again. The issuer's risk system also notices the velocity spike and may downgrade the BIN's trust score for this merchant. Cleanest practice is to wait for the next billing cycle or send the retry on the third banking day of the next month, which is when payroll typically settles.

Pattern 3: Treating 05 Do Not Honor as terminal. Code 05 is the catchall. The issuer is not telling you the card is bad. It is telling you something inside the issuer's risk model fired. A 3DS step-up authentication on retry often clears it. Skipping the retry on 05 is the most common single source of lost revenue for subscription merchants.

Pattern 4: Not enrolling in VAU and ABU. Roughly 5 to 7 percent of cards in a recurring book get reissued each year per Nilson Report data on reissuance cycles. Without Visa Account Updater and Mastercard Automatic Billing Updater, every one of those reissuances becomes a 14 or 54 hard decline at next billing.

Pattern 5: Flat-rate processor with no retry logic. Most flat-rate gateways either retry blindly on every decline or never retry. Both behaviors are wrong. Blind retry triggers misuse fees on hard declines. No retry leaves the soft-decline recovery on the floor.

Watch out

The cost of treating every decline as final is bigger than the cost of misuse fees. The cost of retrying hard declines is the one the networks care about. Both should be quantified before you talk to your processor.

Worked example with real numbers

Merchant profile: a B2B SaaS company on a monthly subscription model. $400,000 in monthly card volume. Average ticket $79. About 5,063 attempted transactions per month, of which roughly 12 percent decline. That is 608 declines per month.

The decline mix breaks down as follows after pulling a 90-day gateway report and bucketing every code:

408 soft declines: codes 05, 51, 91, 61
200 hard declines: codes 14, 41, 43, 54, R0

Current state: the merchant retries everything once, 24 hours after the initial decline. Recovery rate is 18 percent on the soft bucket (about 74 transactions, $5,846 in recovered MRR). Recovery rate on the hard bucket is 2 percent (about 4 transactions, $316), and each of the 196 failed hard retries incurs a Visa Misuse of Authorization fee or the Mastercard equivalent.

Decline mix and recovery math for a $400K monthly SaaS book.

Move to a tiered retry strategy by code:

Soft 05 Do Not Honor: retry at 24 hours and again at 72 hours with 3DS step-up. Recovery climbs to 35 percent.
Soft 51 Insufficient Funds: retry on banking day 3 of the next month. Recovery climbs to 55 percent.
Soft 91 Issuer Unavailable: retry in 30 to 90 minutes. Recovery climbs to 70 percent.
Hard 14, 41, 43, R0: no retry. Send the customer a card-update email instead.
Hard 54 Expired Card: enroll in Visa Account Updater and Mastercard Automatic Billing Updater. About 60 percent refresh silently.

After the change, the merchant recovers roughly 175 of the 408 soft declines (about $13,825 in monthly recovered MRR) and 30 of the 54 expired-card hard declines via VAU and ABU (about $2,370 in recovered MRR). Total monthly lift: $16,195. Annualized: about $194,340.

Real-world example

Same merchant, before and after: monthly recovered revenue moves from $6,162 to $16,195. Misuse of Authorization fees drop from roughly 196 per month to near zero. Net pickup is the full lift minus the retry-engine cost, which sits at 0.05 to 0.15 percent of recovered volume on most modern gateways. That is roughly $185,000 in annual incremental MRR from a code-mapping exercise that takes one afternoon.

Operator playbook

Eight actions you can take this week. They are sequenced so each one feeds the next.

Pull the last 3 months of decline reports from your gateway. The line items you want: response code, BIN, MCC, time of day, retry attempt number. If your gateway will not export response codes by transaction, that is a switching trigger.
Bucket every code as soft or hard against Visa's published response-code list and Mastercard's Transaction Processing Rules. Note which codes you currently retry and how many times.
Pull your last 3 monthly processor statements and find the Misuse of Authorization line items, including the Mastercard equivalent on the same statement. Multiply by 12 to estimate annual exposure. Any line over $50 per month means you have a hard-decline retry problem.
Confirm enrollment in Visa Account Updater and Mastercard Automatic Billing Updater. If you are not enrolled, ask your processor for the enrollment form. Enrollment is usually free, though some processors charge $0.10 to $0.25 per updated card.
Build a code-specific retry cadence: 30 to 90 minutes for 91 Issuer Unavailable, 24 hours then 72 hours for 05 Do Not Honor, banking day 3 of next month for 51 Insufficient Funds, no retry for 04, 07, 14, 41, 43, 54 (use VAU and ABU instead), no retry for R0 or R1 under any circumstances.
Turn on 3DS step-up authentication on the second retry of code 05 Do Not Honor. Issuers approve 3DS-authenticated retries at a materially higher rate because the authentication shifts liability and confirms cardholder intent.
Set up an alert on your gateway for any single card account receiving more than 2 retries within 30 days. This is your tripwire for Visa Integrity Risk Program metrics and Mastercard's Excessive Authorization Attempts category.
On your next processor renewal, ask in writing what the per-attempt cost is for retries that hit Visa Misuse of Authorization and the Mastercard equivalent, and what the threshold is for an Integrity Risk Program flag. Get both answers before you sign.

Most decline math is recoverable inside one quarter. The work is mostly classification, not engineering.

Frequently asked questions

What is the difference between a soft decline and a hard decline?

A soft decline is a temporary issuer refusal where the cardholder's account is valid but conditions blocked the charge. Common soft codes include 05 Do Not Honor, 51 Insufficient Funds, and 91 Issuer Unavailable. A hard decline is a permanent issuer refusal that signals the card itself is unusable, lost, stolen, expired, or revoked. Common hard codes include 04 Pick Up Card, 14 Invalid Card Number, 41 Lost Card, 43 Stolen Card, 54 Expired Card, and R0 or R1 Stop Payment. Soft declines may be retried under network rules. Hard declines must not be retried without triggering misuse-of-authorization fees and integrity-program flags.

Can I retry a hard decline?

No, and the network rules charge you per attempt for trying. Visa's Stop Payment Service rules and Mastercard's Transaction Processing Rules treat continued authorization attempts after a hard decline as misuse. Visa applies a per-attempt Misuse of Authorization fee on response codes like R0, R1, 04, 07, 41, and 43. Mastercard applies an equivalent fee under its acquirer rules. Beyond the fees, repeated attempts feed Visa's Integrity Risk Program and Mastercard's Excessive Authorization Attempts category. A flag in either program raises your processor's exposure and usually flows down to you as a higher reserve, a surcharge, or a termination notice.

What is Visa's Misuse of Authorization fee?

The Misuse of Authorization fee is a per-attempt charge Visa applies when an acquirer continues to send authorization requests on accounts that have already returned a hard decline or a no-stand-in response. Visa publishes the current rate in the US Acquirer ePay Pricing document and updates it through bulletins. The fee covers codes like R0 Stop Payment, R1 Revocation, and certain pick-up-card codes. The per-attempt fee is small but adds up fast on subscription books that retry blindly. A merchant running $250K monthly volume with even 0.3 percent of attempts in misuse territory can see hundreds of dollars per month in fees, plus indirect costs from program flags.

What does response code 05 Do Not Honor mean and should I retry it?

Code 05 Do Not Honor is the issuer's catchall decline. The issuer is not telling you anything specific. Internal risk rules, velocity limits, or a soft fraud score blocked the charge. Code 05 is the single largest category of recoverable declines on most subscription books. The right approach is a delayed retry at 24 hours, with 3DS step-up authentication on a second attempt at 72 hours. Issuers approve 3DS-authenticated retries at a higher rate because the authentication shifts liability and confirms cardholder intent. Treating code 05 as terminal is the most common single source of lost revenue we see on flat-rate processor stacks.

How does Visa Account Updater fix the expired-card decline problem?

Visa Account Updater and Mastercard Automatic Billing Updater are network services that push updated card numbers and expiration dates from the issuer to enrolled merchants. About 5 to 7 percent of cards in a recurring book are reissued each year per Nilson Report data on cycle volumes. Without these services, every reissuance becomes a 14 Invalid Card Number or 54 Expired Card decline at next billing. With enrollment, roughly 60 percent of those reissued cards refresh silently before the next charge. Most processors offer the services at no cost or at a per-update fee of $0.10 to $0.25. Confirm both are enabled before building any retry strategy.

How many times can I retry a soft decline under Visa rules?

Visa Rules cap retry attempts within a 30-day window for declined recurring and installment transactions. The exact cap varies by decline reason. Stricter caps apply to code 51 Insufficient Funds, looser caps to code 91 Issuer Unavailable, and different caps again to code 05 Do Not Honor. Mastercard's Transaction Processing Rules apply similar limits under different categories. The practical answer for most subscription operators is no more than 4 retries per card per billing cycle, spaced by code: immediate retry for 91, 24 to 72 hours for 05, banking day 3 of the next month for 51. Going above this triggers issuer-side throttling and downgrades approval rates on the next legitimate attempt.