Compromised Credit Card API
Pre-fraud intelligence to stop payment fraud.
SpyCloud's Compromised Credit Card API detects compromised credit, gift, and loyalty cards siphoned from malware-infected devices and other criminal sources before criminals can use them, giving issuers and retailers a chance to act early.
🚨 The Challenge
Criminals monetize stolen payment data by breaching companies, infecting desktops and phones with infostealers, and running phishing sites. This exposes not just card numbers, but often emails, phone numbers, full names, postal codes, and other PII tied to credit, gift, and loyalty cards.
✅ What This API Helps You Do
- Uncover issued card exposures: Match your portfolios to SpyCloud’s darknet recaptures (credit/gift/loyalty) to spot compromise quickly.
- Prevent financial losses: Act on compromised cards to reduce fraud and chargebacks, and protect brand trust.
- Automate remediation: Pull exposed card records for your BIN(s) via REST and feed into risk models, case management, or re-issuance workflows.
Note for retailers: Retail-issued credit/gift/loyalty cards must be digits only, min 12 and max 28 digits to use this API.
⚙️ How It Works
- Query your BINs — Submit one or more 6-digit BINs (up to 10 per request) to the API.
- Receive matched records — API returns compromised card records (card numbers as SHA-1 hash by default; SHA-256/512 by request), plus exposure context. Delivered via RESTful JSON.
- Take action — Use results to block/verify/flag transactions, prioritize outreach, or reissue cards.
🧰 Request & Response
Requests
| Parameter | Purpose |
|---|---|
bin[] (6-digit, up to 10) | Portfolio/brand scope for exposure lookups. |
| Time window / pagination | Retrieve from first published to most recent as needed. |
Responses
| Field (selected) | What you get |
|---|---|
cc_number | SHA-1 hash of card number (SHA-256/512 available). |
cc_bin, cc_last_four, cc_type, cc_expiration, cc_code | BIN, last 4, card type, expiration (MM/YYYY), CVV. |
full_name, postal_code | Cardholder name and postal code (when available). |
source_id, log_id/document_id | Breach/phish/malware source linkage to support triage. |
infected_time, spycloud_publish_date | Approx. time stolen and SpyCloud publish time (UTC ISO-8601). |
ip_addresses, email, user_hostname, system_model, user_sys_registered_owner | Device/user context for investigations and customer outreach. |
🧪 Common Uses
Transaction screening
Flag BIN-matched cards at authorization or checkout; step-up, block, or queue for review.
Portfolio hygiene
Identify exposures across co-branded or issuer programs; reissue cards pre-fraud.
Fraud analytics
Enrich models with pre-fraud exposure signals instead of waiting for confirmed fraud.
🗃️ Data Sources
SpyCloud recaptures exposed financial data from malware-infected devices, phishing sites, and breaches, transforming it into actionable intelligence for issuers, processors, and retailers.
📈 Outcomes You Can Target
- Reduce chargebacks and operational burden by cutting off exposed cards early.
- Protect customer trust & brand equity with proactive remediation.
- Accelerate investigations using source and device context embedded in results.
🔍 Selected API Field Reference
| Field | Example | Description |
|---|---|---|
source_id | 12322 | Maps to a specific breach/source. |
log_id / document_id | sha256 / alphanum | Malware vs. non-malware record pointer. |
infected_time | 2023-01-01T00:00:00Z | Closest known time data was stolen. |
spycloud_publish_date | 2023-01-01T00:00:00Z | Closest publish time by SpyCloud. |
cc_bin / cc_last_four | 510510 / 5100 | BIN and last four digits. |
cc_type | Visa | Card network (when known). |
cc_expiration / cc_code | 01/2001 / 123 | Expiry (MM/YYYY) and CVV. |
full_name / postal_code | Bob Smith / 100-01A5 | Cardholder name and postal code. |
cc_gateway | Stripe | Gateway observed checking card validity. |
ip_addresses, email, user_hostname, system_model, user_sys_registered_owner | Device and user context from malware logs. |
📎 Integration Notes
- Delivery: RESTful API with JSON output.
- Scale: Query up to 10 BINs per request; retrieve records from first published to most recent.
- Hashing: Card numbers returned as SHA-1 by default (SHA-256/512 available by request).
Updated 2 months ago