Card authorisation explained: How it works and what businesses need to know

Learn about the credit and debit card authorisation process to give your customers the smoothest transaction experience possible.

1. Introduction
2. What is card authorisation?
3. How does card authorisation work?
4. What is capturing?
5. What is settlement?
6. What is a credit card authorisation form?
7. Are credit card authorisation forms safe?
8. What is a card authorisation hold?
9. Why does card authorisation fail?
   1. Security reasons
   2. Financial reasons
   3. Technical reasons

   If you've ever used a credit or debit card to make a purchase, you've been involved in the card authorisation process. The same is true if you have a business that accepts credit and debit card payments from customers. Over one billion credit card transactions are processed worldwide every day and all of them require credit or debit card authorisation to be completed. But despite being a routine aspect of most people's daily lives and a pivotal part of doing business, most people don't know very much about the credit and debit card authorisation processes.

   Card authorisation is far more complicated and consequential than simply checking to see if a cardholder has the funds available to complete a purchase. This process is a powerful security measure that gives card issuers and businesses a routine way to screen for potential fraud before it turns into a successful transaction. As a business owner, understanding how card authorisation works and why some payment authorisations fail will enable you to set up your business and give your customers the smoothest transaction experience possible.

   What's in this article?

   • What is card authorisation?
     
   • How does card authorisation work?
     
   • What is capturing?
     
   • What is settlement?
     
   • What is a credit card authorisation form?
     
   • Are credit card authorisation forms safe?
     
   • What is a card authorisation hold?
     
   • Why does card authorisation fail?
     
     • Security reasons
       
     • Financial reasons
       
     • Technical reasons
       

     What is card authorisation?

     Card authorisation is approval from a credit or debit card issuer (usually a bank or credit union) that states that the cardholder has sufficient funds or the available credit needed to cover the cost of a transaction that they're using a card to complete.

     In one sense, the term "card authorisation" can refer to the authorisation itself, as in, "We have card authorisation for this purchase". It can also mean the process by which payment authorisation is sought, as in, "We are in the middle of card authorisation right now".

     How does card authorisation work?

     Before we get into the actual process of card authorisation, let's quickly run through all of the key players involved. Card authorisation involves four different parties:

     • The customer, often referred to in this context as the cardholder
       
     • The business
       
     • The issuer (or issuing bank)
       
     • The acquirer (or acquiring bank)
       

     Card authorisation usually takes place through a payment processor as part of the scope of services that they provide for businesses. Many payment processors play multiple roles for businesses when it comes to payment processing, including serving as the business's acquirer. Stripe, for example, offers payment processing for businesses, as well as the functionality of a business account and acquirer. An acquirer – also called an "acquiring bank" – is a bank or financial institution that processes credit or debit card payments on behalf of businesses, specifically in the context of communicating with cardholders' banks – known as "issuers" or "issuing banks" – to authorise transactions.

     Here's the process in which all these parties communicate with each other to approve a transaction (or not approve it):

     1. The customer presents a card for payment at the point of sale. Card authorisation is required for both online and in-person transactions.
        
     2. The business's point-of-sale (POS) software will automatically send a request to their payment processor or acquirer, asking them to authorise the transaction.
        
     3. The acquirer will take the request and send it over to the issuer, via the card network, requesting approval.
        
     4. The issuing bank reviews the cardholder's account to check for two things:
        
        • To make sure that the card itself is valid
          
        • To ensure that there are sufficient funds or credit available to cover the cost of the purchase
          
     5. The issuing bank will return one of two decisions to the acquiring bank:
        
        • Approved with an authorisation code: if everything looks good on the issuer's end (the card is valid and there are sufficient funds available), then the issuer responds to the acquirer's request with approval for the transaction to proceed. This approval will be accompanied by an authorisation code.
          
        • Declined with an error code: if the issuer determines that the transaction cannot be authorised (we'll cover the possible reasons why in a minute), they will let the acquirer know and send an error code.
          

     The credit or debit card authorisation process usually lasts just a few seconds. Think of the brief amount of time that lapses between when you submit a card for payment and when the card reader says "approved" – all the steps in the process outlined above take place during those few seconds.

     What is capturing?

     The capturing phase of the card payment process occurs when the business acquirer requests that authorised funds are sent over from the issuing account. During card authorisation, the issuer confirms that the funds or credit necessary to cover the cost of the purchase are available, but the money itself doesn't move during authorisation. That happens straight after, during capturing. Payment capture can happen on a variable timeline, but as most card authorisations expire within five to ten days, most businesses and their payment processors capture funds before that time.

     What is settlement?

     Settlement is when the funds from customer transactions are actually transferred from the cardholder's issuing bank to the business's acquiring bank. Think of it like this:

     • Payment authorisation is when the issuer says, "Yes, those funds are available and have been approved for use for this purchase".
       
     • Capture is when the business acquirer says, "OK, great, please send us the funds".
       
     • Settlement is when the funds actually move from the issuing account to the business account.
       

     Here's a real-life example to help clarify. Let's say that you place an order for food shopping to be delivered to your house. The app that you're using adds up the estimated cost of the items you selected, plus the estimated tax, plus the tip for the driver. The app won't know the exact total amount until after the order has been completed, but it needs to get prior payment authorisation from your card's issuer to make sure that you have enough available funds or credit to cover the amount. When you first place the order and submit your card information for payment, the app (or rather the app's acquirer or payment processor) will contact the bank that issued your card and request credit or debit card authorisation for the estimated total amount of your order, which will probably be slightly higher than the actual total amount. Assuming that your card's issuer authorises the transaction, a hold for that amount will be placed on your card. After the transaction has actually been completed and the app knows how much the final amount of your order is, they will request to capture that amount. It's a similar process to putting down a credit card with a hotel reservation to cover incidental costs, having the hotel add a hold for a certain amount on the card, but then actually charging you only the amount you spent upon checkout.

     What is a credit card authorisation form?

     The information on such a form must include:

     • Cardholder's name
       
     • Card number
       
     • Card network (Visa, Mastercard, American Express, Discover etc.)
       
     • Card expiry date
       
     • Cardholder's billing postcode
       
     • Business name
       
     • Statement authorising charges
       
     • Cardholder's signature and the date that they signed
       

     In addition, many credit card authorisation forms include some or all of the following information:

     • Cardholder's full billing address and delivery address
       
     • Cardholder's phone number
       
     • Cardholder's email address
       
     • Business contact information
       
     • Purchase amount
       
     • Language stipulating that this approval is for a recurring payment, if applicable
       
     • Details of items or services covered by the purchase
       
     • Customer ID, invoice or purchase order numbers
       

     Are credit card authorisation forms safe?

     The security of credit card authorisation forms depends entirely on the protective measures taken by the business. For example, digital credit card authorisation forms through third-party websites such as DocuSign are rigorously engineered to be as secure as possible. Conversely, when you're dealing with a printed template form, the security of sensitive information on the form depends on what the business does with the form (and the credit card information it contains) after the cardholder has filled it in.

     What is a card authorisation hold?

     When the card issuer reviews an authorisation request for a transaction, if there are enough funds available to cover the cost of the sale, the issuer will place an authorisation hold on the cardholder's account. This will reduce their available funds or credit by the amount of the sale in order to prevent them from potentially overdrawing the account before the funds from the current transaction are moved and sent to the business's bank. Authorisation holds are a helpful mechanism for preventing card fraud and chargebacks.

     For example, if someone had £300 available in credit and they purchased something for £260, if no authorisation hold was placed on their card after the transaction was approved, it would be possible for them to quickly purchase something else for £100, to give an example, before the £260 from the first purchase was transferred out of their account. Once all transactions have been settled, they would be over their limit by £60, which isn't an ideal situation for either the issuer or the cardholder. Authorisation holds are effectively a way for issuers to make sure that cardholders' accounts immediately reflect their true available balance, even before all pending transactions are settled.

     Authorisation holds can last anywhere from a few minutes to 31 days and are removed once the business has received the funds or when the authorisation expires.

     Why does card authorisation fail?

     If a card issuer declines to authorise a transaction, the reason almost always falls into one of the following three categories.

     Security reasons

     The card authorisation process is where any red flags related to potential fraud most often get raised. If the issuer finds that a card has been marked as lost, stolen or frozen, they will reject the transaction. This is then likely to trigger a deeper look into the account to see if there has been any other suspicious activity. Similarly, if the card has expired, the transaction will also not be authorised.

     One way that businesses can help to mitigate the occurrence of security-related failed authorisations is to take strong offensive measures against fraud overall. Stripe users have access to Stripe Radar, which uses machine learning to prevent fraud without blocking your real customers from making payments. In addition, it applies Dynamic 3D Secure authentication to high-risk payments as well. Radar doesn't require any additional setup or integration if you're already using Stripe products.

     Financial reasons

     If the issuer looks at the cardholder's account and finds that there are insufficient funds or not enough credit available, they will decline credit or debit card authorisation and reject the transaction. Some issuers offer overdraft protection that allows transactions to proceed even when sufficient funds are not available, but this feature usually comes with a fee and is not available on all accounts. In most cases, insufficient funds will stop a transaction from being authorised.

     Technical reasons

     There are also technical reasons why a payment authorisation might fail. This is more common with online purchases, where there's more room for user error while inputting payment information. Online transactions tend to be more sensitive to technical errors because of the increased risk of fraud with these card-not-present (CNP) transactions. In fact, online debit and credit card transactions are authorised 10% less frequently than in-person, card-present (CP) transactions. If anything about the payment information submitted for an online purchase is incorrect or suspicious, it's likely that it will be rejected by the issuer.

     Sometimes, the business and customer are given a specific reason as to why a rejected charge was declined, and sometimes it's simply not authorised. The amount of information that accompanies a rejected payment authorisation depends on various factors, such as who the card issuer is, who the business's payment processor is, what kind of POS system they have and whether the transaction was online or in person.

     Payment authorisation can fail for a range of reasons, no matter where the purchase was processed. However, businesses can take certain steps to improve their authorisation rate. Having your payments supported by Stripe is a strong step in that direction. The Stripe platform provides intelligent acquiring functionality with direct integrations to major card networks globally, reducing latency and improving reliability for card transactions. Stripe users have access to issuer-level insights and enhanced data fields, such as raw response codes, to give you greater visibility over what's going on with your payments. With its modern acquiring platform, Stripe is continuously learning from billions of data points to help optimise routing and messaging on each transaction – it's a payments infrastructure itself that's primed to work in favour of better payment authorisation rates. Stripe solutions have generated billions in revenue for businesses by preventing legitimate payments from being blocked. Read more here for details about how Stripe works for businesses to optimise payment authorisations.

     The content in this article is for general information and education purposes only and should not be construed as legal or tax advice. Stripe does not warrant or guarantee the accuracy, completeness, adequacy, or currency of the information in the article. You should seek the advice of a competent lawyer or accountant licensed to practise in your jurisdiction for advice on your particular situation.