What criminal statutes and penalties apply to purchasing stolen payment card data in the United States?

1. Federal statutes most commonly used: trafficking in “access devices” and credit‑card fraud

The federal government frequently prosecutes buyers and sellers of stolen card data under statutes that make it illegal to traffic in access devices and to use or sell counterfeit, stolen, or fraudulently obtained payment cards; 18 U.S.C. § 1029 (federal access‑device fraud) and related federal credit‑card fraud provisions are routinely invoked against those who sell, transport, or use stolen card numbers or devices ^{[1] [4]}. Separate but overlapping federal provisions such as 15 U.S.C. sections addressing fraudulent use or transport of credit/debit instruments also criminalize sale, possession, and interstate transport of stolen card data ^{[5] [6]}.

2. Typical federal penalties and large-range exposure

Federal penalties vary by statute and subsection but can be severe: access‑device and related federal fraud statutes commonly carry sentences measured in years to decades — reported maxima include 10, 15, and in some identity‑theft‑related aggregations even up to 20 or 30 years’ imprisonment — together with fines, restitution, and criminal forfeiture in serious cases ^{[6] [4] [7] [2]}. Legal commentators and defense sites note fines up to roughly $250,000 under some subsections and prison terms often increased when offenses involve organized schemes, high dollar losses, or aggravated identity theft ^{[4] [3] [2]}.

3. State statutes, thresholds and “wobblers” — local law matters

Most states also have credit‑card and identity‑theft statutes that criminalize possession, sale or use of stolen card information, and penalties often turn on monetary thresholds: many state laws treat small‑value offenses as misdemeanors and larger losses as felonies (examples of $500–$1,000 thresholds appear in model descriptions), with felony exposures including years in prison, hefty fines and restitution obligations ^{[8] [9] [10]}. States such as California explicitly criminalize selling or possessing stolen card information (Penal Code 484e) and allow certain offenses to be charged as either misdemeanors or felonies depending on facts — a “wobbler” approach ^{[11] [8]}.

4. Collateral and overlapping charges prosecutors frequently add

Buying stolen card data rarely exists in isolation; prosecutors commonly layer charges — identity‑theft statutes (18 U.S.C. § 1028), wire or mail fraud (18 U.S.C. §§ 1343, 1341), computer fraud (18 U.S.C. § 1030), bank fraud (18 U.S.C. § 1344), and money‑laundering statutes — each carrying its own penalties and sometimes statutory enhancements that push exposures higher ^{[2] [1]}. The Department of Justice and commentators note that combined charges in a single indictment can yield aggregate sentences that far exceed the baseline for a single credit‑card offense ^{[2] [1]}.

5. Enforcement realities, prosecutorial discretion and sentencing factors

Enforcement choices depend on facts: whether the transaction affected interstate or foreign commerce (triggering federal jurisdiction), the total loss amount, evidence of organized distribution, prior criminal history, and whether “aggravated” features such as targeting the elderly are present — all affect charging and sentencing ^{[5] [2] [7]}. Legal defense materials emphasize possible defenses (lack of knowledge that data were stolen, coercion, or entrapment) and note that advisory sentencing ranges and plea bargaining shape outcomes more than statutory maxima in many cases ^{[4] [6]}.

6. Bottom line and limits of available reporting

The legal risk for purchasing stolen payment card data is substantial: federal statutes targeting access‑device trafficking and identity fraud, combined with state credit‑card laws, expose buyers to felony convictions, multi‑year federal prison terms, significant fines, restitution and forfeiture when losses or interstate conduct are large or organized ^{[1] [4] [2]}. Reporting and secondary legal summaries show considerable variation in maximums and thresholds across statutes and states; the sources provided do not supply an exhaustive list of every state penalty or every subsection’s exact maximum sentence, so case‑specific legal advice is necessary for precise exposure ^{[9] [3]}.