How Authorization Works
Authorization is the first step in every card payment. When a customer enters their card details and clicks "Pay," an authorization request travels through multiple parties in under three seconds. The outcome — approved or declined — determines whether the transaction can proceed.
Understanding this flow is essential for merchants who want to optimize their payment gateway configuration and maximize approval rates.
Merchant Sends Authorization Request
The merchant's payment gateway packages the transaction data — card number, expiry, CVV, amount, currency, and billing address — into an authorization request and sends it to the acquiring bank (the merchant's bank).
Acquirer Routes to Card Network
The acquiring bank forwards the request to the appropriate card network (Visa, Mastercard, Amex, or Discover). The network acts as a switch, routing the message to the correct issuing bank.
Issuing Bank Evaluates the Request
The cardholder's issuing bank runs real-time checks: Is the card valid? Are there sufficient funds? Does the transaction pass fraud risk scoring? Does it comply with the cardholder's spending limits and geographic restrictions?
Response Travels Back
The issuer returns an authorization response code — either an approval with a 6-digit auth code, or a decline code indicating the reason for rejection. This response travels back through the network, acquirer, and gateway to the merchant in roughly 1-3 seconds.
Merchant Acts on the Response
If approved, the funds are held (not yet transferred) on the cardholder's account. The merchant can then proceed to fulfill the order and capture the payment. If declined, the merchant can prompt the customer to retry or use a different payment method.
Why Authorization Matters
Authorization is the single biggest lever merchants have over their revenue conversion rate. Every declined authorization is a lost sale — and the numbers are staggering.
According to Visa, the average online authorization approval rate across all merchants is approximately 85-90%, meaning 10-15% of legitimate transactions are declined. For subscription merchants, the figure can be worse: recurring billing authorization rates often drop to 80-85% due to expired cards and insufficient funds.
The financial impact scales fast. A mid-size ecommerce merchant processing $5 million per month with an 85% approval rate is losing roughly $750,000 monthly to declines. Even recovering a fraction of those through retry logic and smart routing can generate six figures in additional revenue per year.
Beyond immediate revenue, authorization performance affects long-term economics:
- Interchange qualification — Transactions that are authorized but not captured within the network's window may downgrade to higher interchange rates, increasing processing costs.
- Customer experience — False declines frustrate legitimate customers. Research from Javelin Strategy shows that 33% of consumers who experience a false decline will abandon the merchant permanently.
- Issuer relationships — Merchants with high decline rates or high retry volumes may be flagged by issuers, leading to even lower approval rates over time.
Authorization vs. Capture
Authorization and capture are two distinct steps in the payment lifecycle. Many merchants conflate them, which leads to operational mistakes.
Authorization places a temporary hold on the cardholder's funds. Capture is the instruction that actually moves the money. Think of authorization as a reservation at a restaurant and capture as sitting down to eat.
| Aspect | Authorization | Capture |
|---|---|---|
| What it does | Reserves funds on the card | Transfers funds to the merchant |
| Money moves? | No — hold only | Yes — initiates settlement |
| Timing | Instant (1-3 seconds) | Can happen immediately or days later |
| Reversibility | Void (free, no chargeback risk) | Refund (incurs processing fees) |
| Hold expiry | Visa: ~7 days, Mastercard: ~30 days | N/A — funds are settled |
| Use case | Verify funds before fulfillment | Confirm final charge after fulfillment |
Most ecommerce platforms default to "auth-and-capture" (sale) mode, where both steps happen simultaneously. However, merchants selling physical goods, travel, or custom orders benefit from separating auth and capture so they only charge once they can fulfill.
Types of Authorization
Not all authorizations work the same way. The type you use depends on your business model, industry, and risk tolerance.
Standard Authorization
The most common type. The merchant requests a specific dollar amount, the issuer approves or declines, and the hold is placed for that exact amount. Used by most online retailers for straightforward purchases.
Pre-Authorization (Pre-Auth)
The merchant authorizes an estimated amount before the final charge is known. Hotels authorize an estimated stay cost at check-in, then capture the actual total at checkout. Gas stations pre-authorize a fixed amount (often $100-$150) before the customer pumps fuel. The key difference: the capture amount can be less than or equal to the authorized amount, but exceeding it requires a new authorization.
Zero-Dollar Authorization ($0 Auth)
Validates the card without holding any funds. Used when saving a card on file, starting free trials, or verifying payment methods during account setup. The cardholder sees no pending charge. Visa and Mastercard both support $0 auths, though acceptance varies by issuer — about 95% of US issuers support them.
Incremental Authorization
Allows merchants to increase the authorized amount without starting over. Common in hospitality (adding room service charges) and car rentals (extending the rental period). Not all processors support incremental auth, and card network rules vary: Visa allows incremental auths for specific merchant category codes (MCCs), while Mastercard has broader support.
Best Practices
Optimizing authorization performance requires attention from both the business and technical side. Small improvements compound into meaningful revenue gains.
For Merchants
- Use clear billing descriptors. Ensure the charge name on the customer's statement matches your brand. Unrecognizable descriptors trigger "I don't recognize this charge" disputes and issuer blocks.
- Send complete transaction data. Include billing address, CVV, email, and phone number. Transactions with full AVS and CVV data have approval rates 5-10% higher than those without.
- Capture promptly. Do not let authorizations expire. Capture within 24-48 hours when possible. Expired auths mean re-authorization, which risks a decline on the second attempt.
- Implement account updater. Card networks offer account updater services that automatically refresh expired or reissued card numbers. This is critical for subscription businesses where stored cards go stale.
For Developers
- Handle decline codes intelligently. Map response codes to retry logic. Soft declines (insufficient funds, issuer temporarily unavailable) can be retried; hard declines (stolen card, closed account) should not.
- Implement idempotency keys. Prevent duplicate authorizations from network timeouts or retry storms. Every authorization request should carry a unique idempotency key.
- Use network tokens over raw PANs. Network tokenization (Visa Token Service, Mastercard MDES) replaces the card number with a network-level token that updates automatically and has higher approval rates — Visa reports a 2-4% lift in auth rates with network tokens.
- Log authorization response times. Monitor p50/p95 latency to your processor. Slow auth responses degrade checkout conversion and may indicate routing issues.
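The decline-handling and idempotency advice above, together with the partial-approval case the article raises under common mistakes, as an added example (not from the original article and not any processor's own code). `FakeGateway`, the reason names and the result labels are hypothetical; real processors return their own codes.

```python
import uuid

# Hypothetical reason names from the article's examples; map your processor's
# real response codes onto this set. Anything not listed is treated as final.
SOFT = {"insufficient_funds", "issuer_unavailable"}

class FakeGateway:
    """Constructed stand-in for a processor that honours idempotency keys."""
    def __init__(self, script):
        self.script, self.seen, self.holds = list(script), {}, 0

    def authorize(self, key, amount):
        if key in self.seen:              # replayed key: stored answer, no new hold
            return self.seen[key]
        step = self.script.pop(0)
        lost = step == "approve_then_timeout"
        resp = {"status": "approved", "amount": amount} if lost else step
        if resp["status"] == "approved":
            self.holds += 1
        self.seen[key] = resp
        if lost:                          # hold placed, but the reply never arrived
            raise TimeoutError("no response")
        return resp

def authorize(gw, amount, max_attempts=3, accept_partial=False):
    """Return (result, trace). Amounts are integers in minor units (cents)."""
    trace = []
    for _ in range(max_attempts):
        key = str(uuid.uuid4())           # fresh key for each new attempt...
        resp = None
        for _ in range(3):                # ...reused when only the reply was lost
            try:
                resp = gw.authorize(key, amount)
                break
            except TimeoutError:
                trace.append("timeout")
        if resp is None:
            return "unknown_reconcile", trace   # outcome unknown: reconcile, don't guess
        if resp["status"] == "approved":
            if resp["amount"] < amount and not accept_partial:
                return "void_partial", trace    # caller voids the smaller hold
            return "approved", trace
        trace.append(resp["reason"])
        if resp["reason"] not in SOFT:          # hard or unrecognised decline: stop
            return "declined_final", trace
    return "declined_soft_exhausted", trace
```

A soft-decline retry needs a fresh key because a gateway that honours idempotency would otherwise replay the stored decline; a timeout retry must reuse the key so a hold that was already placed is not duplicated.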
Common Mistakes
Even experienced merchants make authorization errors that cost revenue. Here are the most frequent ones to avoid.
Retrying hard declines. When an issuer returns a hard decline code (e.g., "card cancelled" or "pick up card"), retrying wastes processing fees and can trigger card network monitoring programs. Visa's Transaction Acceptance Policy penalizes merchants who excessively retry hard-declined transactions — fines start at $0.025 per violation and escalate.
Letting authorizations expire before capture. If you authorize on Monday and don't capture until two weeks later, the hold has expired. The capture may still succeed (as a forced capture), but it will likely downgrade to a higher interchange rate and increase the risk of a chargeback, since the cardholder may not expect the charge.
Ignoring partial approvals. Some issuers approve a transaction for less than the requested amount (common with prepaid and debit cards). If your integration doesn't handle partial approvals, you'll either decline the entire transaction or charge the full amount and face a dispute.
Not using 3D Secure selectively. Applying 3D Secure (Verified by Visa, Mastercard SecureCode) to every transaction adds friction and can reduce conversion by 10-15%. Use it risk-based: apply 3DS to high-risk transactions (new customers, high order values, flagged geographies) and skip it for low-risk returning customers.
Single-processor dependency. Routing all transactions through one processor creates a single point of failure. If that processor experiences downtime or degrades approval rates for your MCC, you have no fallback. Multi-processor setups with intelligent routing are significantly more resilient.
Authorization and Tagada
Tagada's payment orchestration layer sits between your checkout and your processors, giving you intelligent control over how authorization requests are routed and retried.
Rather than sending every transaction to a single processor, Tagada evaluates each authorization request and routes it to the processor most likely to approve it — based on the card's issuing bank, country, currency, BIN range, and historical approval data. This is smart routing, and it typically lifts authorization rates by 2-7% compared to single-processor setups.
Automatic cascade on soft decline
When a processor returns a soft decline, Tagada automatically cascades the authorization to the next processor in your routing stack — without the customer seeing anything. This retry happens in real time and recovers transactions that would otherwise be lost. Tagada is not a bank or a processor itself; it orchestrates across your existing processor relationships to maximize every authorization attempt.
For merchants running multiple MIDs across geographies, Tagada's payment orchestration consolidates authorization management into a single integration. You configure routing rules once, and Tagada handles processor selection, failover, and performance monitoring across all of them.