If you’ve ever used a credit or debit card to make a purchase, you’ve been involved in the card authorisation process. The same is true if you have a business that accepts credit and debit card payments from customers. According to data collected by Capital One Shopping, US credit card transactions totalled 56.2 billion in 2024. But despite being an important part of doing business, most people don’t know very much about the process.

Card authorisation is a complex process that provides a powerful security check against fraud. However, it can lead to several pain points for businesses, such as declined transactions, authorisation holds that freeze cash flow and the complexity of error management. Understanding how card authorisation works and why some authorisations fail will enable you to set up your business and give your customers the smoothest transaction experience possible.

What's in this article?

• What is card authorisation?
  
• How does card authorisation work?
  
• What is capturing?
  
• What is settlement?
  
• What is a credit card authorisation form?
  
• Are credit card authorisation forms safe?
  
• What is a card authorisation hold?
  
• Why does card authorisation fail?
  
• How businesses can improve authorisation rates
  
• How Stripe Payments can help
  

What is card authorisation?

Card authorisation is approval from a credit or debit card issuer (usually a bank or credit union) that states that the cardholder has sufficient funds or the available credit needed to cover the cost of a transaction that they're using a card to complete.

How does card authorisation work?

Card authorisation usually happens through a payment processor as part of the scope of services they provide for businesses. Many payment processors play multiple roles for businesses around payment processing, including serving as the business’s acquirer.

Stripe, for example, offers payment processing for businesses, as well as the functionality of a business account and acquirer. An acquirer – also called an acquiring bank – is a bank or financial institution that processes credit or debit card payments on behalf of businesses, specifically in the context of communicating with cardholders’ banks – called issuers, or issuing banks – to authorise transactions.

Card authorisation involves four different parties:

• The customer, often referred to in this context as the cardholder
  
• The business
  
• The issuer, or issuing bank
  
• The acquirer, or acquiring bank
  

Here’s the process in which all these parties communicate with each other to approve (or not approve) a transaction:

• The customer presents a card for payment at the point of sale. Card authorisation is required for both online and in-person transactions.
  
• The business’s point-of-sale (POS) software will automatically send a request to their payment processor or acquirer, asking them to authorise the transaction.
  
• The acquirer will take the request and send it to the issuer, via the card network, requesting approval. Card networks like Visa, Mastercard,and Discover act as the communication layer between issuing and acquiring banks, routing authorisation requests and responses.
  
• The issuing bank reviews the cardholder’s account to check for two things:
  
  • To make sure the card itself is valid
    
  • To make sure there are sufficient funds or credit available to cover the cost of the purchase
    
• The issuing bank will return one of two decisions to the acquiring bank:
  
  • Approved with an authorisation code
    If the card is valid and there are sufficient funds available, then the issuer responds to the acquirer’s request with approval for the transaction to proceed. This approval will be accompanied by an authorisation code.
    
  • Declined with an error code
    If the issuer determines that the transaction cannot be authorised, they will inform the acquirer and send an error code.
    

The credit or debit card authorisation process usually lasts just a few seconds.

What is capturing?

The capturing phase of the card payment process occurs when the business acquirer requests that authorised funds be sent from the issuing account. During card authorisation, the issuer confirms that the funds or credit necessary to cover the cost of the purchase is available, but the money itself doesn’t move during authorisation. That happens right after, during capturing.

Payment capture can happen on a variable timeline, but as most card authorisations expire within 5–10 days, most businesses and their payment processors capture funds before that time.

What is settlement?

Settlement is when the funds from customer transactions are transferred from the cardholder’s issuing bank to the business’s acquiring bank. Think of it like this:

• Authorisation is when the issuer says, “Yes, those funds are available and approved to be used for this purchase.”
  
• Capture is when the business acquirer says, “OK, great, please send us the funds.”
  
• Settlement is when the funds move from the issuing account to the business account.
  

Credit card authorisation and settlement are often conflated, but they are different processes. Authorisation confirms that funds are available and approved, while settlement is the point at which money moves between banks. A transaction can be authorised without ever being settled if it’s cancelled or expires.

Card authorisation example

Let’s say you place an order for groceries to be delivered to your house. The app you’re using adds up the estimated cost of the items you selected, plus the estimated tax, plus a tip for the driver. The app won’t know the exact total until after the order is complete, but it needs prior authorisation from your card’s issuer to make sure you have enough available funds or credit to cover the amount.

When you submit your card information for payment, the app's acquirer or payment processor will contact the bank that issued your card and request authorisation for the estimated total amount of your order, which will probably be slightly higher than the actual total amount.

Assuming your card’s issuer authorises the transaction, a hold for that amount will be placed on your card. After the transaction has been completed and the app knows how much the final amount of your order is, it will ask to capture that amount.

What is a credit card authorisation form?

Credit card authorisation forms are documents that customers fill out granting permission for their credit card to be charged. The information on such a form must include:

• Cardholder’s name
  
• Card number
  
• Card network (Visa, Mastercard, American Express, Discover, etc.)
  
• Card expiry date
  
• Cardholder’s billing ZIP code
  
• Business name
  
• Statement authorising charges
  
• Cardholder’s signature and the date they signed
  

In addition, many credit card authorisation forms include some or all of the following information:

• Cardholder’s full billing address and shipping address
  
• Cardholder’s phone number
  
• Cardholder’s email address
  
• Business contact information
  
• Purchase amount
  
• Language stipulating that this approval is for a recurring payment, if applicable
  
• Details of items or services covered by the purchase
  
• Customer ID, invoice or purchase order numbers
  

Credit card authorisation forms are more often used for larger purchases (think cars, computers, etc.) than they are for smaller, everyday items. They are also commonly used when starting new subscriptions and other recurring payments. Sometimes credit card authorisation forms are generated digitally; sometimes they’re printed. Usually, businesses will use these forms when they plan to charge the card later without the cardholder present.

Are credit card authorisation forms safe?

The security of credit card authorisation forms entirely depends on the protective measures taken by the business. For example, digital credit card authorisation forms through third-party websites like DocuSign are rigorously engineered to be as secure as possible.

Conversely, when you’re dealing with a printed template, the security of sensitive information on the form depends on what the business does after the cardholder fills it out.

What is a card authorisation hold?

When the card issuer reviews an authorisation request for a transaction, if there are enough funds available to cover the cost of the sale, the issuer will place an authorisation hold – which often clear within a few days but can last up to 31 days – on the cardholder’s account. This will reduce their available funds or credit by the amount of the sale, to prevent them from potentially overdrawing the account before the funds from the current transaction are moved and sent to the business’s bank. Authorisation holds are a helpful mechanism for preventing card fraud and chargebacks.

Alongside authorisation holds, there are also preauthorisation holds used in specific kinds of transactions. A preauthorisation is a specific type of authorisation used when the final transaction amount isn’t known yet, such as hotels, gas stations or delivery apps.

As a customer, you may see a pending authorisation appearing as a temporary charge that hasn't been posted yet. It reduces available credit but may disappear if the transaction isn’t completed.

Card authorisation hold example

Say someone had $300 available on a line of credit, and they purchased something for $260. If there was no authorisation hold placed on their card after that transaction was approved, it would be possible for them to quickly purchase something else for, say, $100 before the $260 from the first purchase was transferred out of their account.

When all transactions settled, the cardholder would be over their limit by $60. Authorisation holds are effectively a way for issuers to make sure that cardholders’ accounts immediately reflect their true available balance, even before all pending transactions are settled.

Why does card authorisation fail?

If a card issuer declines to authorise a transaction, the issuer will return an authorisation response code that indicates why the transaction failed. Payment processors can surface these codes differently depending on their level of detail.

When a transaction fails, the reason almost always falls into one of the following three categories:

Declines caused by security or fraud concerns

The card authorisation process is where any red flags related to potential fraud most often get raised. If the issuer finds that a card has been marked as stolen, lost or frozen, they will reject the transaction and likely trigger a deeper look into the account to see if there’s been other suspicious activity. Similarly, if the card is past its expiry date, the transaction will also not be authorised.

One way businesses can help mitigate the occurrence of security-related failed authorisations is to take strong offensive measures against fraud overall. Stripe users have access to Stripe Radar, which uses machine learning to prevent fraud without blocking your real customers from making payments and applies Dynamic 3D Secure authentication to high-risk payments. Radar doesn’t require any additional setup or integration if you’re already using Stripe products.

Declines caused by insufficient funds or credit

If the issuer looks at the cardholder's account and finds that there are insufficient funds or not enough credit available, they will decline credit or debit card authorisation and reject the transaction. Some issuers offer overdraft protection that allows transactions to proceed even when sufficient funds are not available, but this feature usually comes with a fee and is not available on all accounts. In most cases, insufficient funds will stop a transaction from being authorised.

Declines caused by technical errors or incorrect payment details

There are also technical reasons why a payment authorisation might fail. This is more common with online purchases, where there’s more room for user error while inputting payment information. Online transactions tend to be more sensitive to technical errors because of the increased risk of fraud with these card-not-present (CNP) transactions. If anything about the payment information submitted for an online purchase is incorrect or suspicious, it’s likely to get rejected by the issuer.

Sometimes the business and customer are given a specific reason why a rejected charge was declined, and sometimes it’s simply not authorised. The amount of information that accompanies a rejected authorisation depends on various factors, such as who the card issuer is, who the business’s payment processor is, what kind of POS they have, and whether the transaction was online or in person.

How businesses can improve authorisation rates

Card authorisation can fail for a range of reasons, no matter where they’re processed, but there are steps businesses can take to improve their authorisation rate. Having your payments supported by Stripe is a strong step in that direction: the Stripe platform provides intelligent acquiring functionality with direct integrations to major card networks globally, reducing latency and improving reliability on card transactions.

Stripe users have access to issuer-level insights and enhanced data fields, like raw response codes, to give you greater visibility into what’s going on with your payments. With its modern acquiring platform, Stripe continually learns from billions of data points to help optimise routing and messaging on each transaction – it’s a payments infrastructure itself that’s primed to work in favour of better authorisation rates. Stripe solutions have generated billions in revenue for businesses by preventing legitimate payments from being blocked. Read more here for details on how Stripe works for businesses to optimize authorisations.

How Stripe Payments can help

Stripe Payments provides a unified, global payments solution that helps any business – from scaling startups to global enterprises – accept payments online, in person and around the world.

Stripe Payments can help you:

• Optimise your checkout experience: Create a frictionless customer experience and save thousands of engineering hours with prebuilt payment UIs, access to 125+ payment methods and Link, a wallet built by Stripe.
  
• Expand to new markets faster: Reach customers worldwide and reduce the complexity and cost of multicurrency management with cross-border payment options, available in 195 countries across 135+ currencies.
  
• Unify payments in person and online: Build a unified commerce experience across online and in-person channels to personalise interactions, reward loyalty and grow revenue.
  
• Improve payments performance: Increase revenue with a range of customisable, easy-to-configure payment tools, including no-code fraud protection and advanced capabilities to improve authorisation rates.
  
• Move faster with a flexible, reliable platform for growth: Build on a platform designed to scale with you, with 99.999% historical uptime and industry-leading reliability.
  

Learn more about how Stripe Payments can power your online and in-person payments or get started today.