HomeResourcesHow to vet a flash-memory supplier — a counterfeit & due-diligence checklist
Guides · Procurement

How to vet a flash-memory supplier — a counterfeit & due-diligence checklist

By Kalstor 9 min read
Key takeaways
  • Three things actually go wrong with flash supply: a controller that fakes capacity, re-graded or recycled NAND sold as new, and silent BOM swaps between batches.
  • Documentation proves nothing on its own — pair every paper check with a write-and-verify test on a real sample before you commit to volume.
  • The strongest single signal is whether a supplier publishes measured usable capacity and gives you an inspection window before final payment. Reluctance is the answer.
  • The recognized framework is SAE AS6081 (counterfeit avoidance for distributors) on an ISO 9001 quality system — you can ask any supplier where they stand against it.

A bad memory order doesn't fail on your bench. It fails months later, in your customer's cameras or devices, after you've been paid and the container has shipped — which is exactly why a cheap card can be the most expensive mistake a distributor makes. The card costs a dollar. Your reputation with that customer doesn't come back for a dollar.

So the job before a volume order isn't to find the lowest price. It's to confirm the supplier is selling what they say they're selling. Here's how, in the order that actually catches problems.

First, know what actually goes wrong

Three failure modes cover almost everything:

  • Faked capacity. A reprogrammed controller reports 128GB to the host while the real NAND is 32GB or less. It looks fine until data is written past the real limit, then silently corrupts. (We cover the mechanics in Why a 128GB card shows 119GB.)
  • Re-graded or recycled NAND. Factory reject dies, or chips recovered from scrapped boards, re-marked and sold as new. They often work at first and fail early.
  • Silent BOM swaps. The first batch is genuine; later batches quietly change controller, firmware or NAND to cut cost. Your qualification no longer matches what's in the box, and your RMA rate climbs.

A checklist is useful only if it catches these three. The rest is paperwork.

The checklist

1. Documents — necessary, not sufficient

Ask for, and keep on file: a datasheet that states measured usable capacity (not the rounded marketing number), a certificate of conformity, RoHS/CE compliance, and lot/date codes that match the physical goods. Good suppliers can also show traceability back to the actual factory. Treat all of this as the price of entry — none of it proves the parts are real, because paper is the easiest thing to copy.

2. Test a real sample — this is the part that proves it

This is where counterfeits actually surface. On a sample pulled from the real batch:

  • Write-and-verify the full card with H2testw (Windows) or F3 / ValiDrive (Mac/Linux). Confirm the usable bytes match the rating. This is the one test a fake-capacity controller cannot pass.
  • Run a speed test (e.g. CrystalDiskMark) against the claimed speed class.
  • Cross-check the printed part number against the manufacturer's own listing.
  • Do it as a paid trial batch before the volume PO — pull, test end-to-end, then scale.

If a supplier resists letting you test before you pay, you already have your answer.

3. The supplier itself

  • Factory or trader? A source factory can explain its line, its NAND source and its test floor. A pure trader often can't tell you where the stock came from — and "I can't say" is a deal-breaker.
  • Verifiable existence: business registration, years trading, a real commercial address, trade references, an active presence on LinkedIn or at industry shows.
  • Against a standard: the recognized framework for distribution-side counterfeit avoidance is SAE AS6081 (current revision AS6081A), built on an ISO 9001 quality system [1][2]. Most card suppliers won't be formally certified, but a serious one can tell you which of its practices — incoming inspection, traceability, quarantine of suspect parts — line up with it.

4. Commercial terms that protect you

  • An inspection window before final payment — the single most important term. Legitimate suppliers expect it.
  • MOQ and lead time in writing, with realistic dates (especially in a shortage).
  • A warranty / RMA policy that states who bears dead-on-arrival units and the return process.
  • Written change-notification — a locked BOM per order, with the supplier obliged to notify (and re-issue a part number) before changing controller, firmware or NAND. This is your defence against the silent-swap failure mode.

Red flags, at a glance

  • A price well below the market — in a shortage, suspiciously cheap is suspicious.
  • Pushes for fast or full payment before any inspection window.
  • Won't put a measured usable-capacity floor in writing.
  • Can't explain where the stock came from.
  • "No need to test, trust us." The good ones say the opposite.

Bottom line

Vet on evidence, not on the invoice. The order of operations is simple: documents to qualify, a write-verify on a real sample to prove, the supplier's traceability and terms to protect you. A supplier that publishes the measured floor, welcomes a trial-batch test, and locks the BOM per order is telling you — before you've spent anything — that they expect to pass. That's the kind we built Kalstor to be: ask us for the floor figure and a sample to write-verify, and we'll hand you both.

FAQ

Is a supplier's documentation enough to trust them?
No. Certificates, datasheets and lot codes can all be copied, and a reprogrammed controller will pass a visual and a spec-sheet check. Documentation is necessary but not sufficient — the only thing that proves capacity and quality is a write-and-verify test on a real sample from the actual batch.
What is the single most useful test before a volume order?
A full write-and-verify on a sample (H2testw on Windows, or F3 / ValiDrive on Mac and Linux). It writes data across the whole card and reads it back, which is the only reliable way to expose a fake-capacity controller — something no visual inspection or printed spec can catch.
What is AS6081 and why does it matter for buying memory?
SAE AS6081 (current revision AS6081A) is the recognized industry standard for avoiding, detecting and handling counterfeit electronic parts in distribution, built on an ISO 9001 quality system. Even if you are not in aerospace or defence, it is a useful benchmark — ask a supplier what of it they actually practise (incoming inspection, traceability, segregation of suspect parts).

References

  1. SAE AS6081A — Counterfeit EEE Parts: Avoidance, Detection, Mitigation, Disposition (Independent Distribution)
  2. ISO 9001 — Quality management systems
  3. SD Association — SD standard overview (capacity, authenticity)
  4. SanDisk / Western Digital — product specifications and authenticity guidance
  5. F3 — Fight Flash Fraud (open-source write-verify tool, Mac/Linux)
  6. GRC ValiDrive (sector-probe capacity checker, Windows)
Sourcing in volume?

We publish measured usable capacity and welcome trial-batch verification — automotive-grade, direct from the source factory.

Get a quote