Purchase Authorization Basics for Merchants
It seems pretty simple: if you receive authorization for a credit card purchase, the purchase is authorized, right? Where’s the problem?
Despite the name, however, a purchase authorization isn’t exactly that. You might think of it more as a transaction authorization: all it means is that the cardholder’s bank has said “We see no obvious reason this credit card can’t be used.”
That’s good, but it still doesn’t guarantee you’ll get your money. In this post, we look a little more closely at purchase authorization, how it happens, where it applies, and what you can do to make sure you get paid.
Recommended reading
- What Are Transaction IDs? How They Help Stop Fraud
- Credit Card Transaction Process: How the 5 Step-Cycle Works
- Credit Card Decline Codes: The Complete List for 2026
- What Do Mastercard Transaction Link Identifiers Do?
- Forced Authorization Codes: How & When to Force Card Auths
- What is Payment Capture? Is it the Same as Authorization?
What Is Purchase Authorization?
- Purchase Authorization
Purchase authorization is a preliminary confirmation from the issuing bank that a payment card is valid for use, and that sufficient funds or credit exist in the corresponding account.
[noun]/pər • CHəs • ô • THər • ə • zā • SHən/
There are several steps in the transaction process, including authorization, authentication, batching, clearing, and funding. The primary goal of the authorization phase is to get the information to the issuer, who does a quick check to make sure that:
- The card information is correct
- The card has not been reported as lost or stolen
- There are enough funds or credit in the account for the transaction
If flags are raised for any of these three items, then the card is declined. Otherwise, the transaction is authorized and allowed to proceed.
When a payment is authorized, the issuer is only saying there are funds available. The transaction will have to be captured and cleared before you get the money, though.
Who’s Involved in the Authorization Process?
There are several players involved in the purchase authorization process. Below, I’ve outlined the key parties involved, along with their respective roles:
- Merchant: The seller who accepts payment from the customer (i.e. you).
- Issuer: The bank that issued the card used for the transaction.
- Customer: The buyer of the goods or services, to whom a card has been issued.
- Acquirer: The bank where you have your merchant account.
- Gateway: A software provider that encrypts and transmits information between parties.
- Payment Processor: A third-party provider that validates payments, authorizes funds, and routes data.
- Card Network: Companies which supply the infrastructure for transactions (Visa, Mastercard, etc.).
Once made, the decision makes the return trip, through the processor, to the gateway, then back to your POS terminal. And, the whole trip takes place in less than five seconds.
Different Authorization Responses
You won’t get a verbal “yes” or “no” response. Instead, you’ll receive an authorization code in response to your payment authorization request.
There’s actually an entire list of different response codes. Each may need to be handled differently. Some of the most commonly used include:
Approved Authorization Response Codes
| Code | Response | Meaning | Action |
| 00 | Approved | Transaction is good to go. | Proceed |
| 08 | Approved (with ID verification) | Approved… pending additional ID | Confirm the ID, then proceed |
Declined Authorization Response Codes
| Code | Response | Meaning | Action |
| 05 | Do Not Honor | Just declined. Don’t ask why. It just is.. | Request a different card/payment type |
| 14 | Invalid Card Number | Wrong card number | Retry, or request a different card |
| 51 | Insufficient Funds | Debit card account has too little cash | Request a different card/payment type |
| 54 | Expired Card | The card is past its expiration date. | Request a different card/payment type |
| 57 | Transaction Not Permitted | Card can’t be used for this type of transaction | Request a different card/payment type |
| 41/43 | Lost/Stolen Card | Card’s been lost or reported stolen | Stop the sale. You might be asked to hang on to the card |
| 61 | Exceeds Limit | Credit card‘s limit has been reached | Request a different card/payment type |
Other Authorization Response Codes
| Code | Response | Meaning | Action |
| 01/02 | Refer to Issuer | Bank wants to talk to the cardholder | Have the buyer either call their bank or use a different card |
| 91 | Issuer Unavailable | Bank can’t be reached for some reason | Use another card, or you can try again later |
| 82 | CVV Fail | Security doesn’t match | Try again, or just try another card |
You may’ve noticed that there are a lot more (and more specific) codes for a decline than for approval. That’s because in most cases (up to 95%), the transaction will be authorized on the first attempt. And, nobody ever tends to ask why a sale is approved.
Purchase Authorizations Fees
Authorization involves multiple fees from processors, networks, and card brand, typically totaling 2-3% of transaction value. Merchants may also pay fees for expired authorizations, failed attempts, and ghost transactions.
When people talk about “payment authorization fees,” they’re usually referring to interchange, network, and processing fees.
These fees might be bundled together, or they might be itemized. On average, though, you’ll typically end up paying between 2.5% and 3.5% of the transaction total.
Learn more about authorization feesDepending on the payment processor's policies, some fees will apply even for failed authorizations (declines). In other words, you could get charged for every negative response. Even if the code allows for a retry (what’s called a soft decline), you’ll still pay per decline.
You can get dinged for other costs as well. “Ghost transactions” — transactions that are authorized but never completed — have a price tag, and processor fees almost always apply, since the processing happens whether you get paid or not.
Also, card networks track merchants who frequently miss capture deadlines. Excessive violations can result in fines, higher processing rates, or account restrictions. Some processors automatically flag accounts with authorization expiry rates above 2-3%.
Because of these extra fees, card brands allow merchants to add a surcharge to payment card purchases, as long as the surcharge does not exceed the cost of processing (typically 3%).
Purchase Authorization Time Limits
When you get a positive authorization response, the funds authorized will be held in the cardholder’s account temporarily. This is called an authorization hold.
Authorization holds aren't permanent, though. Card networks impose strict time limits on how long you can wait before capturing authorized transactions, and missing these deadlines creates both financial and operational problems.
Standard authorization windows vary by card type and transaction method. But, they usually fall within the windows I’ve outlined below:
- Credit cards: Typically 7 days for most transactions
- Debit cards: Usually 3-5 days due to direct account access
- Hotel/car rental pre-auths: 30 days
- Restaurant transactions: Often 24-48 hours for tip adjustments
Chargebacks911’s exclusive 106-point non-compliance check helps merchants immediately reduce their chargeback volume.
Request a Demo
When an authorization expires, the held funds get returned to the customer’s available balance. You’ll need to submit a re-authorization request, which might fail if the buyer has spent that money elsewhere. That’s bad news if you’ve already shipped the goods to the customer. You'll also face additional processing fees for the new authorization attempt, essentially paying twice for the same transaction.
Track your authorization-to-capture timeline regularly. Industries like hospitality naturally have longer holds, but standard retail should aim for same-day or next-day capture. Monitor expired authorizations as a key performance indicator, as they directly impact both revenue and customer experience when legitimate purchases get declined due to timing issues.
Authorization Rate Benchmarks by Industry & Card Type
Authorization rates vary by industry, ranging from 85-92% for digital goods to 70-80% for high-risk categories, with domestic credit cards typically achieving the highest approval rates.
Understanding typical authorization rates can help you identify performance issues and set realistic expectations. Authorization rates vary significantly by industry, card type, and transaction characteristics, but top-performing merchants tend to achieve rates well above industry averages.
Here are a few sample benchmarks for industry-specific authorization rates:
- Digital goods/software: 85-92%
- General retail: 82-88%
- Travel/hospitality: 78-85%
- High-risk categories: 70-80%
- Marketplaces: 75-82%
Besides product vertical, there are a few other variables that can impact authorization rate, too:
Is the Card Domestic?
Domestic credit cards generally achieve the highest authorization rates (85-90%), followed by domestic debit cards (80-85%). International cards perform lower across all categories, with authorization rates dropping 5-15 percentage points due to cross-border verification requirements and fraud prevention measures.
Is it a Premium Card?
Premium cards often see better authorization rates despite higher transaction values. Visa and Mastercard premium products typically authorize 2-3% more frequently than standard cards, as issuers maintain higher risk tolerance for affluent cardholders.
Is it an Intra-Regional Transaction?
Geographic factors significantly impact performance. Transactions between similar regions (US-to-Canada, EU-to-EU) maintain authorization rates within 3-5% of domestic levels, while transactions crossing major economic zones can see rates drop 10-20%.
If you’re consistently achieving authorization rates below these benchmarks, you should examine your fraud detection settings, processor relationships, and transaction data quality. But, authorization rates above 90% across all card types may indicate overly permissive fraud controls, potentially increasing chargeback risk. You should monitor authorization performance monthly and investigate significant deviations from industry standards.
Authorization Doesn’t Guarantee You’ll Get Paid
Issues like missed captures, expired authorizations, technical failures, mismatched data, or chargebacks can delay or block funds after settlement.
Even if the transaction gets authorized, it’s no guarantee you’ll get paid.
As we discussed above, payment authorizations will expire after a given period (seven days in most cases). There are other things that could go wrong between authorization and settlement, too:
- Authorization Not Captured: Even if you get the authorization and complete the transaction, you won’t get paid if you forget to submit the order.
- Settlement Failure: A technical problem on your end, such as a downed system or even a power outage, could keep the processor from receiving the batch.
- Clearing Mismatch: A captured transaction amount that differs from the original authorization amount could indicate fraud or theft.
- Fraud Flag / Compliance Block: The processor or card network suspects certain activities could indicate policy violations, such as money laundering.
- Merchant Account Issue: Processors may freeze payouts if your account is suspended (or even just under review).
- Funds Held in Reserve: Especially for high-risk clients, processors may temporarily withhold a percentage of funds in case of future chargebacks.
You can lose funds even after a transaction is authorized, captured, and settled. The cardholder can dispute the entire transaction by filing a chargeback with the bank. Even if you challenge the chargeback and win, you’ll only claw back part of your loss.
Travel and hospitality chargebacks are a different breed.
Chargebacks911 specialize in their detection and prevention.
Request a Demo
Authorization vs. Pre-Authorization
Pre-authorization is similar to authorization, but is only used when the final transaction amount isn’t yet known, like at hotels or rental car agencies.
A credit card pre-authorization (or pre-auth) is a temporary hold placed on a customer’s credit or debit card. The transaction will go through all the same steps and verifications, and either approve or decline the card.
Pre-authorization still puts a lock on the customer’s card, but instead of reflecting what the purchase costs, it shows what the purchase might cost.
Pre-auths exist to help protect against non-payment or unexpected costs for hospitality, rental cars, and similar businesses, where the final price isn’t actually known at the time of the purchase. Pre-authorizations can typically be kept in place for up to 30 days.
Learn more about pre-authorizationTroubleshooting Common Issues With Purchase Authorization
Most authorization problems follow predictable patterns that can be diagnosed through systematic analysis of decline codes, geographic trends, and payment method distribution. Regular processor relationship maintenance and proper technical integration monitoring help, too.
What do you do when you see your authorization rate start to decline unexpectedly?
Most authorization problems fall into predictable categories with specific solutions. So, conducting a systematic diagnostic can help you prevent revenue loss and identify root causes quickly. Here’s what I’d recommend:
Regulatory Requirements for Authorization Data Handling
Sellers must comply with PCI-DSS encryption and security standards, plus regional data privacy laws like GDPR and CCPA that govern data collection and retention.
Authorization involves sensitive payment data. So, these transactions are subject to strict regulatory compliance across multiple jurisdictions. You have to understand regulatory requirements to avoid penalties, maintain processing relationships, and protect customer information throughout the authorization process.
PCI-DSS compliance governs all authorization data handling. You’re required to encrypt authorization requests, use secure transmission protocols, and tokenize sensitive card data. Authorization logs must be protected with the same security controls as stored cardholder data, including access restrictions, audit trails, and regular vulnerability assessments. Non-compliance can result in fines up to $500,000 monthly and loss of card acceptance privileges.
Regional data privacy laws add authorization-specific requirements, too. The GDPR mandates explicit consent for storing authorization data beyond immediate transaction needs and requires data deletion within specified timeframes. It also means authorization routing through certain jurisdictions may require local data residency or additional encryption standards. Meanwhile, the California Consumer Privacy Act grants consumers the right to know what authorization data merchants collect and request deletion.
The key to compliance is authorization process documentation. You need data flow diagrams and regular compliance assessments. Authorization-related data breaches carry severe penalties, making proactive compliance management essential for continuity and customer trust.
General Best Practices for Dealing with Payment Authorization
In the end, the best way to prevent avoidable authorization issues is to make sure you’re following general payment best practices:
- Capture funds quickly after authorization, or as soon as an order is delivered.
- In cases of soft declines, retry for authorization. Just remember that multiple tries result in multiple fees, so play it smart.
- Use automated batching so you don’t forget transactions.
- Track declines and try to spot patterns.
- 3D Secure can help reduce fraud by adding extra verification during authorization.
One other thing to consider: the list of options for payment methods has grown far beyond credit and debit cards. More and more consumers are turning to alternative payment methods like digital wallets, mobile payments, buy now pay later, P2P payments, and cryptocurrencies.
The more of these different payment types you accept, the more likely your customer has a backup if their payment card is declined.
Sticking to best practices for payment authorization can help in most situations, but it won’t help in every scenario. Chargebacks, for example, can come from internal errors. But, most are the result of intentional or accidental misuse of the dispute system by cardholders. And, since they happen after the fact, these claims can’t really be predicted.
Want to explore your vulnerability to chargebacks? Chargebacks911® are the industry’s leading experts in the payment dispute and chargeback management space. With more than a decade of experience helping merchants eliminate chargebacks and ensure cash flow, Chargebacks911 are the “gold standard” for dispute resolution. Call us today for a free ROI analysis that can prove prevention is the best medicine.
FAQs
What does “purchase authorized” mean?
“Purchase authorized” means that the card issuer has verified the transaction details, confirmed sufficient funds or credit are available, and given preliminary approval for the payment to proceed. This authorization serves as a temporary hold on the customer's account, reserving the specified amount until the merchant captures the final transaction.
What are examples of authorization?
Common examples include hotel reservations that authorize your card for the room rate plus incidentals, gas stations that place a temporary hold before you pump fuel, and restaurants that authorize the meal amount before adding a tip. Online purchases also typically involve immediate authorization when you click “buy now,” followed by capture when the item ships.
Is an authorization the same as a charge?
No, authorization and charging are two distinct steps in the payment process. Authorization is the initial approval that reserves funds, while the actual charge (or “capture”) occurs when the merchant finalizes the transaction and the money is actually transferred from the customer's account.
Does a preauthorization take money out of your account?
Pre-authorization does not “take money” out of the cardholder’s account. A pre-auth places a temporary hold on a card for an estimated amount needed for the transaction when the final total is not known at the time of authorization request.
Pre-authorizations are used to reserve funds for a “reasonable estimate” of how much will be needed for the final transaction. Pre-authorizations only apply in certain situations, such as reserving a rental car.
How long is an authorization good for?
Authorizations are typically good for up to 7 days before the hold expires. In some situations, as in the case of pre-auths, the hold can remain active for as long as 31 days.
Is authorization the same as approval?
While often used interchangeably, authorization is technically more specific than general approval. It's the formal process where the payment network verifies account validity, checks available funds, and provides a specific authorization code.
Approval is the broader concept, while authorization is the technical implementation of that approval in payment processing systems.
Can an authorized transaction be reversed?
Yes, authorized transactions can be reversed through several methods depending on timing and circumstances. If the transaction hasn't been captured yet, the authorization will typically expire automatically within 30 days (or less), or merchants can release the hold immediately through a reversal request to free up the customer's available credit or funds.
