If you’ve ever used a credit or debit card to make a purchase, you’ve been involved in the card authorization process. The same is true if you have a business that accepts credit and debit card payments from customers. There are over one billion credit card transactions processed worldwide every day, and all of them require authorization to be completed. But despite being a routine aspect of most people’s daily lives and a pivotal part of doing business, most people don’t know very much about the card authorization process.
Card authorization is far more complicated and consequential than simply checking to see if a cardholder has the funds available to complete a purchase. This process is a powerful security measure that gives card issuers and businesses a routine way to screen for potential fraud before it turns into a successful transaction. As a business owner, understanding how card authorization works and why some authorizations fail will enable you to set up your business and give your customers the smoothest transaction experience possible.
What’s in this article?
- What is card authorization?
- How does card authorization work?
- What is capturing?
- What is settlement?
- What is a credit card authorization form?
- Are credit card authorization forms safe?
- What is a card authorization hold?
- Why does card authorization fail?
- Security reasons
- Financial reasons
- Technical reasons
- Security reasons
What is card authorization?
Card authorization is approval from a credit or debit card issuer (usually a bank or credit union) that states the cardholder has sufficient funds or the available credit needed to cover the cost of a transaction they’re using a card to complete.
In one sense, the term “card authorization” can refer to the authorization itself, as in, “We have card authorization for this purchase.” It can also mean the process by which authorization is sought, as in, “We are in the middle of card authorization right now.”
How does card authorization work?
Before we get into the actual process of card authorization, let’s quickly run down all the key players involved. Card authorization involves four parties:
- The customer, often referred to in this context as the cardholder
- The business
- The issuer, or issuing bank
- The acquirer, or acquiring bank
Card authorization usually happens through a payment processor as part of the scope of services they provide for businesses. Many payment processors play multiple roles for businesses around payment processing, including serving as the business’s acquirer. Stripe, for example, offers payment processing for businesses, as well as the functionality of a business account and acquirer. An acquirer—also called an acquiring bank—is a bank or financial institution that processes credit or debit card payments on behalf of businesses, specifically in the context of communicating with cardholders’ banks—called issuers, or issuing banks—to authorize transactions.
Here’s the process in which all these parties communicate with each other to approve a transaction (or not approve it):
- The customer presents a card for payment at the point of sale. Card authorization is required for both online and in-person transactions.
- The business’s point-of-sale (POS) software will automatically send a request to their payment processor or acquirer, asking them to authorize the transaction.
- The acquirer will take the request and send it over to the issuer, via the card network, requesting approval.
- The issuing bank reviews the cardholder’s account to check for two things:
- To make sure the card itself is valid
- To make sure there are sufficient funds or credit available to cover the cost of the purchase
- To make sure the card itself is valid
- The issuing bank will return one of two decisions to the acquiring bank:
- Approved with an authorization code: If everything looks good on the issuer’s end—the card is valid and there are sufficient funds available—then the issuer responds to the acquirer’s request with approval for the transaction to proceed. This approval will be accompanied by an authorization code.
- Declined with an error code: If the issuer determines that the transaction cannot be authorized (we’ll cover the possible reasons why in a minute), they will let the acquirer know and send an error code.
- Approved with an authorization code: If everything looks good on the issuer’s end—the card is valid and there are sufficient funds available—then the issuer responds to the acquirer’s request with approval for the transaction to proceed. This approval will be accompanied by an authorization code.
The card authorization process usually lasts just a few seconds. Think of the brief amount of time that lapses between when you submit a card for payment and when the card reader says “approved”—all the steps in the process outlined above took place during those few seconds.
What is capturing?
The capturing phase of the card payment process occurs when the business acquirer requests that authorized funds be sent over from the issuing account. During card authorization, the issuer confirms that the funds or credit necessary to cover the cost of the purchase is available, but the money itself doesn’t move during authorization. That happens right after, during capturing. Payment capture can happen on a variable timeline, but since most card authorizations expire in 5–10 days, most businesses and their payment processors capture funds before that time.
What is settlement?
Settlement is when the funds from customer transactions are actually transferred from the cardholder’s issuing bank to the business’s acquiring bank. Think of it like this:
- Payment authorization is when the issuer says, “Yes, those funds are available and approved to be used for this purchase.”
- Capture is when the business acquirer says, “OK, great, please send us the funds.”
- Settlement is when the funds actually move from the issuing account to the business account.
Here’s a real-life example to help clarify: Let’s say you place an order for groceries to be delivered to your house. The app you’re using adds up the estimated cost of the items you selected, plus the estimated tax, plus tip for the driver. The app won’t know the exact total amount until after the order is complete, but it needs to get prior authorization from your card’s issuer to make sure you have enough available funds or credit to cover the amount. When you first place the order and submit your card information for payment, the app (or rather the app’s acquirer or payment processor) will reach out to the bank that issued your card and request authorization for the estimated total amount of your order, which will probably be slightly higher than the actual total amount. Assuming your card’s issuer authorizes the transaction, a hold for that amount will be placed on your card. After the transaction has actually been completed and the app knows how much the final amount of your order is, they will request to capture that amount. It’s a similar process to putting down a credit card with a hotel reservation to cover incidental costs, having the hotel put a hold for a certain amount on the card, but then actually charging you only the amount you spent upon checkout.
What is a credit card authorization form?
A credit card authorization form is a document that customers (or cardholders) fill out to grant businesses the permission to charge their credit card. Credit card authorization forms are more often used for larger purchases (think cars, computers, etc.) than they are for smaller, everyday items. They are also commonly used when setting up new subscriptions and other recurring payments. Sometimes credit card authorization forms are generated digitally; sometimes they’re printed out. Usually, businesses will use these forms when they plan to actually charge the card later without the cardholder present.
The information on such a form must include:
- Cardholder’s name
- Card number
- Card network (Visa, Mastercard, American Express, Discover, etc.)
- Card expiration date
- Cardholder’s billing zip code
- Business name
- Statement authorizing charges
- Cardholder’s signature and the date they signed
Additionally, many credit card authorization forms include some or all of the following information:
- Cardholder’s full billing address and shipping address
- Cardholder’s phone number
- Cardholder’s email address
- Business contact information
- Purchase amount
- Language stipulating that this approval is for a recurring payment, if applicable
- Details of items or services covered by the purchase
- Customer ID, invoice, or purchase order numbers
Are credit card authorization forms safe?
The security of credit card authorization forms entirely depends on the protective measures taken by the business. For example, digital credit card authorization forms through third-party websites like DocuSign are rigorously engineered to be as secure as possible. Conversely, when you’re dealing with a printed-out template form, the security of sensitive information on the form depends on what the business does with the form—and the credit card information it contains—after the cardholder fills it out.
What is a card authorization hold?
When the card issuer reviews an authorization request for a transaction, if there are enough funds available to cover the cost of the sale, the issuer will place an authorization hold on the cardholder’s account. This will reduce their available funds or credit by the amount of the sale in order to prevent them from potentially overdrawing the account before the funds from the current transaction are moved and sent to the business’s bank. Authorization holds are a helpful mechanism for preventing card fraud and chargebacks.
For example, if someone had $300 available on a line of credit, and they purchased something for $260, and there was no authorization hold placed on their card after that transaction was approved, it would be possible for them to quickly purchase something else for, say, $100 before the $260 from the first purchase was transferred out of their account. When all transactions are settled, they would be over their limit by $60, which isn’t an ideal situation for the issuer or the cardholder. Authorization holds are effectively a way for issuers to make sure that cardholders’ accounts immediately reflect their true available balance, even before all pending transactions are settled.
Authorization holds can last anywhere from a few minutes to 31 days and are removed once the business receives the funds or when the authorization expires.
Why does card authorization fail?
If a card issuer declines to authorize a transaction, the reason almost always falls into one of the following three categories.
Security reasons
The card authorization process is where any red flags related to potential fraud most often get raised. If the issuer finds that a card has been marked as stolen, lost, or frozen, they will reject the transaction and likely trigger a deeper look into the account to see if there’s been other suspicious activity. Similarly, if the card is past its expiration date, the transaction will also not be authorized.
One way businesses can help mitigate the occurrence of security-related failed authorizations is to take strong offensive measures against fraud overall. Stripe users have access to Stripe Radar, which uses machine learning to prevent fraud without blocking your real customers from making payments and applies Dynamic 3D Secure authentication to high-risk payments. Radar doesn’t require any additional setup or integration if you’re already using Stripe products.
Financial reasons
If the issuer looks at the cardholder’s account and finds there are insufficient funds or available credit, they will decline authorization and reject the transaction. Some issuers offer overdraft protection that allows transactions to proceed even when sufficient funds are not available, but this feature usually comes with a fee and is not available on all accounts. In most cases, insufficient funds will stop a transaction from being authorized.
Technical reasons
There are also technical reasons why a payment authorization might fail. This is more common with online purchases, where there’s more room for user error while inputting payment information. Online transactions tend to be more sensitive to technical errors because of the increased risk of fraud with these card-not-present (CNP) transactions. In fact, online debit and credit card transactions are authorized 10% less frequently than in-person, card-present (CP) transactions. If anything about the payment information submitted for an online purchase is incorrect or suspicious, it’s likely to get rejected by the issuer.
Sometimes the business and customer are given a specific reason why a rejected charge was declined, and sometimes it’s simply not authorized. The amount of information that accompanies a rejected authorization depends on various factors, such as who the card issuer is, who the business’s payment processor is, what kind of POS system they have, and whether the transaction was online or in person.
Card authorization can fail for a range of reasons, no matter where they’re processed, but there are steps businesses can take to improve their authorization rate. Having your payments supported by Stripe is a strong step in that direction: The Stripe platform provides intelligent acquiring functionality with direct integrations to major card networks globally, reducing latency and improving reliability on card transactions. Stripe users have access to issuer-level insights and enhanced data fields, like raw response codes, to give you greater visibility into what’s going on with your payments. With its modern acquiring platform, Stripe continually learns from billions of data points to help optimize routing and messaging on each transaction—it’s a payments infrastructure itself that’s primed to work in favor of better authorization rates. Stripe solutions have generated billions in revenue for businesses by preventing legitimate payments from being blocked. Read more here for details on how Stripe works for businesses to optimize authorizations.
Innehållet i den här artikeln är endast avsett för allmän information och utbildningsändamål och ska inte tolkas som juridisk eller skatterelaterad rådgivning. Stripe garanterar inte att informationen i artikeln är korrekt, fullständig, adekvat eller aktuell. Du bör söka råd från en kompetent advokat eller revisor som är licensierad att praktisera i din jurisdiktion för råd om din specifika situation.