What is an authorisation rate and how is it calculated?

Authorisation rate is the percentage of payment attempts that result in a successful authorisation (approval) by the issuing bank. Calculated as: approved transactions / total transaction attempts × 100. It is distinct from conversion rate (which includes UX friction before the payment attempt) and capture rate (which measures successful captures after authorisation). A 95% authorisation rate on 1,000 monthly payment attempts means 50 transactions were declined by the issuing bank. The 50 declines may be hard (definitively rejected — stolen card, closed account) or soft (declined for risk or capacity reasons that may resolve on retry).

What is the difference between a hard decline and a soft decline?

A hard decline (response codes like 05 Do Not Honour, 41 Lost Card, 43 Stolen Card, 54 Expired Card) means the issuer is definitively rejecting the transaction — retrying immediately will not change the outcome and may increase fraud signals. A soft decline (codes like 51 Insufficient Funds, 65 Exceeds Withdrawal Limit, response codes indicating temporary unavailability) means the decline is potentially reversible. Soft declines can be retried after a delay or remediated by the cardholder. For subscription billing, distinguishing hard from soft declines is critical for retry logic — retrying hard declines wastes money and flags the merchant as a chargeback risk.

How much does a 1% improvement in auth rate add in revenue?

It depends on your current auth rate baseline and your average transaction value. Formula: (new auth rate − current auth rate) × monthly transaction volume × average order value = monthly revenue recovered. Example: current auth rate 88%, target 89%, 5,000 monthly transactions, $80 average order value. Improvement: 1% × 5,000 × $80 = $4,000/month = $48,000/year. Importantly, recovered transactions carry near-zero incremental cost — the customer acquisition cost, product cost, and most overhead are already sunk — so the revenue recovered from an auth rate improvement flows almost entirely to margin.

What auth rate should I expect for my card-not-present business?

Card-not-present (e-commerce, subscription) auth rates vary significantly by geography, card mix, and industry. Rough benchmarks: US domestic card-not-present typically 85–92%; EU domestic 90–95% (higher because [3DS2](/glossary/3ds2) authentication shifts issuer liability and improves approval confidence); cross-border transactions typically run 5–10 percentage points lower than domestic. Subscription rebills often run 88–94% for well-optimised retry logic. If your auth rate is below 85% domestically, there is almost certainly a recoverable structural issue — wrong MCC, missing billing descriptor, missing network tokens, or suboptimal retry logic.

Does 3DS improve or hurt authorisation rates?

3DS (specifically [3DS2](/glossary/3ds2) with frictionless flows) tends to improve net authorisation rates in markets where liability shift matters to issuers. When the issuer can see rich authentication data, they approve more transactions that they would otherwise decline on fraud risk grounds. Frictionless 3DS2 (where the issuer approves without a cardholder challenge) has minimal conversion impact. Challenge flows (where the cardholder must enter an OTP or biometric) add friction and increase abandonment by 5–15% depending on the market and implementation. The net effect depends on challenge rate: in markets with low challenge rates (EU for regulated issuers), 3DS2 is typically net positive. In markets with high challenge rates or poor issuer implementation, the friction cost can outweigh the auth rate benefit.

Payments Economics 10 min read

What an Auth Rate Point Is Worth: The Economics of Authorisation Optimisation

A one-percentage-point improvement in authorisation rate is not an engineering metric — it's a revenue number. Here's how to calculate it, what drives declines, and which interventions actually move the rate.

By Shaun Toh April 14, 2026

TL;DR

A 1% auth rate improvement is a revenue number, not an engineering metric. How to calculate the value for your business, what drives soft versus hard declines, and which interventions move the rate at scale.

The authorisation rate is the most undervalued number in most payments reporting dashboards. It sits next to the MDR line items, often reported by the PSP as a single percentage, and receives a fraction of the optimisation attention that goes into conversion rate, chargeback rate, or processing cost. This is a mistake — and it has a precise financial cost.

The economic argument is simple: a declined transaction is a lost sale. Unlike acquisition channels or marketing spend, the customer is already at checkout with a payment intent. The product, the customer acquisition cost, and most of the operational overhead are already in place. A decline is a refusal at the last moment by the issuing bank. Improving the approval rate recovers revenue at near-zero incremental cost — the margin on recovered transactions approaches 100% of the transaction margin.

The Revenue Calculation

To calculate what one percentage point of auth rate improvement is worth, you need three numbers:

Monthly transaction volume (attempts, not approvals)
Current authorisation rate
Average transaction value

Formula: 1% × monthly transaction attempts × average transaction value = monthly revenue recovered

Examples by scale:

Monthly attempts	Average order value	1% auth rate improvement
1,000	$80	$800/month
5,000	$80	$4,000/month
20,000	$120	$24,000/month
100,000	$60	$60,000/month

At 20,000 monthly transactions and $120 average order value, moving from 88% to 90% auth rate is worth $48,000/month — $576,000 annually. That number is comparable to significant engineering investments or major PSP contract renegotiations. It rarely gets comparable management attention.

The margin amplification compounds the case. A transaction declined at authorisation has zero incremental revenue but most of its associated costs already sunk — the ad spend that drove the visit, the customer service overhead, the product cost (for digital goods). A recovered transaction has the same fully-loaded cost but now generates revenue. For SaaS businesses with near-zero marginal cost of an additional subscriber, every recovered subscription authorisation is essentially 100% gross margin.

The Anatomy of a Decline

Not all declines are equal. Understanding the decline reason code is the prerequisite for any optimisation.

Hard declines are issuer determinations that will not change on retry:

05 Do Not Honour — the issuer declined without a specific stated reason. Often fraud-related or risk-based. Do not retry.
14 Invalid Card Number — the card number failed the Luhn check or does not exist.
41 Lost Card / 43 Stolen Card — the cardholder has reported the card. Any retry flags the merchant for suspicious behaviour.
54 Expired Card — the card expiry date has passed.
57 Transaction Not Permitted to Cardholder — the cardholder’s account restrictions prohibit this transaction type.

Retrying hard declines is waste and increases chargeback exposure. The correct handling: for expired or invalid cards, trigger a card update flow. For 05 declines, attempt account update first and do not retry the same card.

Soft declines are potentially recoverable:

51 Insufficient Funds — the cardholder’s available balance is insufficient at this moment. May resolve with a retry on a different day.
61 Exceeds Withdrawal Amount Limit — temporary limit on the account; may resolve.
65 Exceeds Withdrawal Frequency Limit — frequency-based limit; wait before retrying.
91 Issuer Unavailable — technical issue on the issuer side. Retry after a short delay is appropriate.

For subscription billing, correctly classifying hard versus soft declines and implementing intelligent retry logic based on that classification is worth 1–3 percentage points of authorisation rate improvement on its own.

The Four Structural Drivers of Auth Rate

Beyond decline codes, there are four structural factors that determine baseline auth rate:

1. Network Tokens

Network tokens (Visa Token Service, Mastercard MDES) replace static card credentials with a dynamic token that the issuer controls. When a card is renewed, lost, or reissued, the network token is automatically updated — the merchant’s stored credential continues to work without a card re-vault cycle.

The authorisation rate impact: Visa’s published data shows network-tokenised transactions approve at 2–5 percentage points higher than PAN-on-file transactions on recurring billing. The mechanism is issuer confidence — the issuer sees a token they issued, knows the cardholder’s device-level context, and approves at higher rates than they would for a stored credential they cannot verify.

For subscription businesses with large recurring billing volumes, network token adoption is the single highest-leverage auth rate intervention available and does not require cardholder action.

2. Card Account Updater

Card Account Updater (CAU, also called Visa VAU or Mastercard ABU) is a network service that proactively updates stored card details when a card is reissued — new expiry, new account number after cancellation and reissue. For subscription businesses, it reduces declines driven by 54 expired card and account-change scenarios.

Typical uplift: 1–2% on recurring billing for merchants not already on CAU. CAU is available through most PSPs and is often bundled into IC+ pricing — check your contract. Network tokens largely supersede CAU where implemented, but many subscription merchants have card-on-file stores that are not yet migrated to network tokens and benefit from CAU in the interim.

3. 3DS2 Frictionless Flows

3DS2 authentication shifts chargeback liability from the merchant to the issuer for fraud disputes on authenticated transactions. This means the issuer is more willing to approve transactions it was previously declining on fraud risk grounds — because it now bears the liability if the transaction turns out to be fraudulent.

In markets with mature 3DS2 implementation (EU, UK, some Asia-Pacific markets), properly implemented 3DS2 increases issuer approval rates on previously borderline transactions by providing authentication data. The challenge is challenge rate — if 3DS2 generates a high cardholder challenge rate (OTP, biometric), the authentication friction offset is real.

The optimisation: use 3DS2 requestor exemptions for low-risk transactions (merchant-initiated, low-value, trusted beneficiary) to reduce challenge frequency while maintaining authentication on higher-risk transactions. Well-structured 3DS2 can add 1–3% to net auth rate in EU/UK markets with minimal conversion impact.

4. Merchant Category Code and Billing Descriptor

The MCC (Merchant Category Code) and billing descriptor (what appears on the cardholder’s statement) affect issuer approval models and cardholder dispute rates. Issuers use MCC-level risk signals to set approval thresholds — a merchant on the wrong MCC may face systematically lower approval rates because the issuer’s model is calibrated for a riskier category.

Billing descriptor clarity reduces friendly fraud chargebacks (cardholders disputing charges they do not recognise) which feeds back into chargeback rate metrics that influence future approval decisions. A clear, recognisable billing descriptor reduces unrecognised-charge disputes by 15–30% in operator data — and lower dispute rates feed into higher future approval rates.

Multi-Acquirer Routing as an Auth Rate Lever

For merchants above $5M monthly processing volume, multi-acquirer routing becomes an auth rate optimisation tool rather than just a redundancy play.

The mechanism: different acquirers have different approval relationships with issuers. Transactions declined by one acquirer/issuer pair may be approved when routed through a different acquirer — because the acquiring bank has different risk-model history with that issuing bank, or because the acquirer’s BIN (Bank Identification Number) is associated with different risk signals in the issuer’s model.

Intelligent routing to the acquirer with the best approval rate for a given issuer-country combination is a 1–4% auth rate improvement for merchants with sufficient volume to run routing analysis. Payment orchestration platforms (Spreedly, Primer, Gr4vy) provide the infrastructure to implement this without bespoke engineering.

Subscription-Specific Retry Logic

Subscription rebilling creates a distinct optimisation problem. When a subscription renewal attempt is declined, the revenue is not lost immediately — it may be recoverable through a retry at the right time with the right frequency.

Smart retry frameworks:

On soft declines: Wait 3–7 days before retrying. 51 insufficient funds often resolves at the beginning of a new pay cycle.
On 65 frequency limit: Wait 24 hours.
On 91 issuer unavailable: Retry after 4–6 hours.
Never: Retry hard declines on the same card without a card update event.
Cadence: Exponential backoff — retry more frequently early in the billing period, reduce frequency in later days to avoid becoming a harassment signal to the issuer.

Optimised retry logic typically recovers 20–40% of initially soft-declined subscription renewals, adding 1–3% to the net monthly billing auth rate. For a subscription business with 10,000 monthly renewal attempts and 5% soft decline rate, that is 100–200 additional recovered subscriptions per month.

The Measurement Framework

To measure your auth rate correctly and identify optimisation opportunities:

Separate authorisation rate from conversion rate. Many analytics tools conflate checkouts abandoned before attempting payment with genuine authorisation declines. Authorisation rate should be calculated only on attempted transactions — those that sent an authorisation request to the issuer.
Segment by card type and geography. Domestic auth rates versus cross-border auth rates should be tracked separately. Credit versus debit. Consumer versus corporate. Each segment has different drivers and benchmarks.
Break down by decline code. If your PSP provides decline reason codes (request this explicitly — not all surface it by default), build a weekly view of decline code distribution. Hard declines above 3% are a flag. A high rate of 05 Do Not Honour may indicate fraud signals in your customer base or MCC misclassification.
Benchmark against industry. Adyen, Stripe, and Checkout.com all publish auth rate benchmarks by industry and region in their annual reports. If your auth rate is more than 5 percentage points below category average, there is a structural issue worth investigating.

Auth rate optimisation is not a one-time project — it is a continuous operations function for any business with significant recurring or card-not-present volume. The math on a single percentage point of improvement is large enough to justify dedicated engineering and product attention at relatively modest scale.

By Shaun Toh · Director, Digital Payments · Razer

Subscribers get the PSP Selection RFP Kit — 60+ structured questions, evaluation scorecard, and negotiation playbook — delivered to your inbox instantly.

Related briefings

Payments Economics 11 min read