Authorization

Also Known As: Auth, Payment Authorization, Card Authorization
Used By: Merchants, Acquirers / Banks, ISOs & Agents, Payment Gateways, Processors

What is Authorization?

Authorization is the real-time process by which a merchant requests approval from a cardholder’s issuing bank to accept a payment. When a card is presented or card credentials are submitted, the transaction data travels from the merchant through the payment gateway and acquirer processor to the card network, which routes the request to the issuing bank. The issuer checks the cardholder’s available balance or credit limit, evaluates fraud signals, and returns an approval or decline within seconds.

A successful authorization places a hold on the cardholder’s funds for the authorized amount but does not yet move money. Funds are not transferred until the transaction is captured and cleared through the settlement process.

Authorization is the first and most time-sensitive step in the card payment lifecycle. It determines whether a transaction can proceed and establishes the terms under which funds will eventually settle.

Diving Deeper into Authorization

Authorization is the moment in a card transaction where all the major participants in the payment ecosystem communicate in real time. A request originates at the point of sale or payment gateway and passes through the acquirer processor and card network to the card issuer, which makes the final approval or decline decision and sends its response back through the same chain. This entire process typically completes in under two seconds.

Understanding how authorization works helps merchants and payment professionals diagnose declines, interpret response codes, manage holds, and design payment flows that minimize friction while controlling risk.

The Authorization Request

When a cardholder initiates a payment, the merchant’s point of sale system or payment gateway formats an authorization request containing the card number or token, expiration date, card verification value, transaction amount, merchant category code, and other data elements required by the card network. This request is submitted to the acquirer processor, which routes it through the appropriate card network to the issuing bank.

The issuer’s authorization system evaluates the request against several factors in real time.

Available Balance or Credit Limit

The issuer checks whether the cardholder has sufficient funds or available credit to cover the transaction amount. If the account is overdrawn, at its credit limit, or the transaction would exceed the limit, the issuer will decline the request.

Fraud Rules and Risk Scoring

Every authorization request passes through the issuer’s fraud detection systems. The issuer evaluates the transaction against the cardholder’s spending patterns, the merchant category, the geographic location of the transaction, and other behavioral signals. Transactions that score above the issuer’s risk threshold may be declined or flagged for additional verification.

Card Status

The issuer confirms that the card is active and not blocked, reported lost or stolen, or otherwise restricted. A card that has been reported compromised will be declined regardless of available balance.

Authorization Responses

The issuer returns a response code that indicates the outcome of the authorization request. An approval response includes an authorization code that the merchant retains as proof that the transaction was approved. Decline responses include codes that indicate the reason for the decline, though these codes are often intentionally vague to prevent fraud.

Common decline reasons include insufficient funds, suspected fraud, card reported lost or stolen, invalid card number, and do not honor — a catch-all code issuers use when declining for reasons they do not wish to specify.

Authorization Holds

A successful authorization places a hold on the cardholder’s funds for the authorized amount. This hold reduces the cardholder’s available balance but does not constitute a completed transaction. The hold remains in place until the merchant captures the transaction and submits it for settlement, or until the hold expires — typically between one and thirty days depending on the issuer and merchant category.

In some industries, authorization amounts differ from final settlement amounts. Hotels and car rental companies routinely authorize for estimated amounts and settle for the actual charges. Gas stations often authorize for a small fixed amount and settle for the actual fuel purchase. These practices can cause cardholder confusion when holds temporarily reduce available balances beyond the final transaction amount.

Pre-Authorization and Incremental Authorization

Pre-authorization is a technique used when the final transaction amount is unknown at the time of the initial authorization. The merchant authorizes for an estimated amount and adjusts or increments the authorization as additional charges accumulate. Hotels use pre-authorization at check-in to cover the estimated cost of the stay and any incidentals. Mastercard and Visa support incremental authorization, which allows merchants to add to an existing authorization rather than issuing a new one.

Authorization vs. Capture

Authorization and capture are distinct steps in the payment lifecycle that are sometimes conflated. Authorization reserves the funds. Capture is the instruction to the processor to actually collect those funds and submit them for settlement. In some payment flows these happen simultaneously — a single message authorizes and captures in one step. In others, particularly in card-present retail, they are separated, with authorization happening at the point of sale and capture occurring in a batch at end of day.
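
The issuer checks, the hold, incremental authorization, and the authorize/capture split described above can be modeled in a few lines. This is an added example, not code from any processor, card network, or the original page; the Account class, the 0-to-1 risk score with a 0.8 threshold, the order of the checks, and the AUTH0001-style codes are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum

class Outcome(Enum):
    APPROVED = "approved"
    INSUFFICIENT_FUNDS = "insufficient funds"
    SUSPECTED_FRAUD = "suspected fraud"
    LOST_OR_STOLEN = "card reported lost or stolen"

@dataclass
class Account:
    balance: int                      # posted funds, in cents
    blocked: bool = False             # reported lost/stolen or restricted
    holds: dict = field(default_factory=dict)  # auth code -> held amount
    seq: int = 0                      # counter for constructed auth codes

    @property
    def available(self) -> int:
        # Holds reduce what can be spent without moving any money.
        return self.balance - sum(self.holds.values())

    def authorize(self, amount: int, risk: float, threshold: float = 0.8):
        """Return (Outcome, auth_code); the check order is an assumption."""
        if self.blocked:              # declined regardless of balance
            return Outcome.LOST_OR_STOLEN, None
        if risk > threshold:          # hypothetical 0..1 risk score
            return Outcome.SUSPECTED_FRAUD, None
        if amount > self.available:
            return Outcome.INSUFFICIENT_FUNDS, None
        self.seq += 1
        code = f"AUTH{self.seq:04d}"
        self.holds[code] = amount
        return Outcome.APPROVED, code

    def increment(self, code: str, extra: int) -> Outcome:
        """Incremental authorization: grow an existing hold, no new code."""
        if extra > self.available:
            return Outcome.INSUFFICIENT_FUNDS
        self.holds[code] += extra     # KeyError if the hold is unknown
        return Outcome.APPROVED

    def capture(self, code: str, final_amount: int) -> None:
        """Release the hold and post the actual charge for settlement."""
        del self.holds[code]
        self.balance -= final_amount

    def expire(self, code: str) -> None:
        """Hold lapses uncaptured: funds become available, nothing moves."""
        self.holds.pop(code, None)
```

Walking a hotel stay through it (authorize an estimate, increment for incidentals, capture the actual charges) shows the available balance dropping at authorization while the posted balance changes only at capture.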
