Authorization

Authorization is the first critical decision point in a card transaction lifecycle. The authorization response determines whether the transaction proceeds, and its outcome carries significant commercial and operational implications for merchants, PSPs, and acquirers.

Authorization Flow

The authorization sequence for a typical card-not-present transaction:

1. Cardholder submits payment: Card details (or token) are sent from the merchant’s checkout to the payment gateway or PSP
2. Authorization request: The PSP/acquirer formats an ISO 8583 or EMV-compliant authorization request and sends it to the card network
3. Network routing: The card network routes the message to the appropriate issuer based on the card BIN
4. Issuer decision: The issuer’s authorization system checks: available funds/credit, fraud rules, velocity limits, account status, 3DS authentication result
5. Response: The issuer returns an approval code (6-digit alphanumeric) or a decline code with a reason
6. Confirmation: The PSP returns the result to the merchant; an approved transaction proceeds to capture

Total round-trip time in modern infrastructure is typically under 2 seconds for domestic transactions; cross-border transactions may take 3–5 seconds due to additional network hops.

Authorization vs. Capture

Authorization and capture are distinct steps:

• Authorization: Reserve of funds on the cardholder’s account. Does not move money. Creates a hold that reduces available balance.
• Capture: Instruction to the acquirer to collect the authorized funds. Triggers the clearing and settlement process.
• Auth and capture: In many e-commerce implementations, authorization and capture happen simultaneously (single-message).
• Pre-authorization: Authorization placed in advance of the actual charge amount being known (common in hotels, car rentals, fuel). The final capture may be for a different amount than the authorization, within scheme rules.

Authorization holds expire if not captured, typically within 7 days for e-commerce (scheme rules vary). Uncaptured authorizations revert to available funds on the cardholder’s account.

Decline Reasons and Soft vs. Hard Declines

Hard declines: Permanent declines that should not be retried. Examples:

• Do not honor (05): Catch-all decline, often fraud-related
• Invalid account (14): Card number invalid
• Lost/stolen (41, 43): Card reported lost or stolen

Soft declines: Temporary declines that may succeed on retry or with additional authentication:

• Insufficient funds (51): May succeed later or with a lower amount
• Authentication required (65/1A): Requires 3DS challenge (SCA soft decline in EU)
• Issuer not available (91): Retry after a brief delay

Understanding decline codes and implementing appropriate retry logic is a key driver of authorization rate optimization. Blindly retrying hard declines wastes processing capacity and can trigger issuer fraud rules.

Authorization Rate Optimization

Authorization rate — approved transactions as a percentage of total attempts — is a key performance metric for payment operators. Factors affecting authorization rates:

• Network tokenization: Replacing raw card numbers with network tokens (Visa Token Service, Mastercard MDES) improves authorization rates by maintaining token continuity across card reissues
• 3DS2 authentication: Frictionless authenticated transactions have higher approval rates in markets where issuers reward authenticated transactions
• Account updater: Automatically updating stored card credentials when cards are reissued reduces declines from outdated card data
• Transaction routing: For merchants with multiple acquirer relationships, intelligent routing can improve rates by directing transactions to the acquirer with the best issuer relationship for that card type

Southeast Asia Context

Authorization rates in Southeast Asia are generally lower than European markets, driven by higher fraud rates, less sophisticated real-time fraud scoring at some issuers, and the prevalence of prepaid and debit cards with lower available balances. Cross-border authorization — a SEA cardholder authorizing a transaction at a foreign-registered merchant — adds additional decline risk from conservative issuer fraud rules triggered by geography mismatches. Implementing 3DS authentication for cross-border transactions often improves these rates.