Understanding the credit card authorisation process
What is the credit authorisation process?
Credit card authorisation is the process of verifying that a cardholder has enough funds or credit to cover the cost of a card transaction. Card authorisation is required for both in-person and online card transactions. It typically takes place electronically, behind the scenes, from the moment a customer taps their card on the terminal or clicks “purchase” on an e-commerce checkout form. It finishes a few seconds later with either an approval or a payment decline.
Card authorisation is an essential part of the payment process, as it provides the merchant with a guarantee of payment while, at the same time, protecting the cardholder from potential fraud.
- Credit card authorisation is the process of verifying a customer’s credit card and ensuring they have sufficient funds to make a payment.
- Card authorisation is typically an automated, electronic process that begins when a customer taps their card, enters their PIN, or submits an online checkout form.
- The authorisation process takes just a few seconds and ends with the payment being approved or declined.
- Payments can be declined for several reasons, including insufficient funds, expired cards, or suspected fraud.
- In some situations, such as for high-value transactions, recurring payments, or manual, offline payments, merchants may use a card authorisation form to collect payment details and customer consent. However, these forms are often less secure and are increasingly uncommon.
Card authorisation involves several parties who must work together to verify the funds and approve the payment. These key players are:
- Cardholder - This is the customer who is using their card to make a payment. They initiate the payment by tapping or swiping their card on the point-of-sale (POS) terminal or, for online payments, by entering and submitting their card information into a secure checkout form.
- Merchant - This is the business from which the cardholder is making a purchase. When taking a credit card payment, the business must verify that the customer has enough money or credit in their account to cover the payment.
- Issuing bank - This is the financial institution that has provided the credit card to the cardholder. It holds the cardholder's account and is responsible for approving or declining transactions.
- Acquiring bank - This is what the merchant’s bank is called. When a card payment is initiated, the merchant’s bank (acquiring bank) sends the request to the payment processor for authorisation.
- Payment processor - This intermediary securely transmits the cardholder’s data from the acquiring bank to the issuing bank to facilitate the authorisation process. Sometimes, the merchant’s acquiring bank is also its payment processor.
1. The customer uses their card to make a purchase, either using a card terminal for an in-person payment or entering their card details into a secure checkout form for an online payment.
2. A request is automatically sent to the acquiring bank, which forwards it to the payment processor to facilitate the authorisation process.
3. The payment processor takes the request and, using the card network (Visa, Mastercard, Discover, etc.), sends it over to the issuing bank to provide authorisation.
4. The issuing bank considers a number of factors in order to approve or decline the payment, most importantly:
- whether the customer has sufficient funds or credit to cover the transaction amount,
- the validity of the card and cardholder (e.g., PIN, CVV code, 3D Secure passwords),
- whether the customer’s location, the transaction amount, or the cardholder’s transaction history indicates possible fraud or malicious activity.
5. Based on these considerations, the issuing bank decides whether to approve or decline the transaction, sending its response back via the payment processor to the acquiring bank.
Although card authorisation takes just a few seconds, it’s important to point out that authorisation does not mean that the funds from the payment are instantly available to the merchant. When a payment is authorised, the funds are reserved in the customer’s account but remain in a “pending” state, ready to be “captured” by the merchant.
Capturing is the act of converting the authorised payment into an actual charge. It's the moment when the merchant finalises the transaction—when they’re ready to fulfil the order, ship out the product, or provide the service.
Capturing can be a manual or automated process. For example, an online retailer may automatically capture payments when a customer purchases a digital good or service. However, they may choose to manually capture payments for physical goods, waiting until an item is shipped out to finalise the transaction.
Settlement occurs after capturing when the money is transferred from the customer's account to the merchant's account. It’s the final stage of the payment process.
The time between capturing and settlement can vary, with card payments often settling within a few business days. The settlement timeline depends on the merchant’s agreement with their payment processor and the card network involved.
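The authorise, capture and settle stages described above can be modelled as a small state machine. This is an added example, not code from the original page or from any payment provider; the `Payment` class, the seven-day hold window and the rule that a capture may not exceed the authorised amount are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum


class State(Enum):
    AUTHORISED = "authorised"   # funds reserved, payment still pending
    CAPTURED = "captured"       # merchant has finalised the charge
    SETTLED = "settled"         # funds transferred to the merchant
    EXPIRED = "expired"         # hold lapsed, reserved funds released


@dataclass
class Payment:
    amount_minor: int                     # authorised amount in minor units
    authorised_at: datetime
    hold: timedelta = timedelta(days=7)   # assumed hold window, not from the page
    state: State = State.AUTHORISED
    captured_minor: int = 0

    def _expire_if_due(self, now: datetime) -> None:
        if self.state is State.AUTHORISED and now >= self.authorised_at + self.hold:
            self.state = State.EXPIRED

    def capture(self, amount_minor: int, now: datetime) -> None:
        self._expire_if_due(now)
        if self.state is not State.AUTHORISED:
            raise ValueError(f"cannot capture a payment that is {self.state.value}")
        if not 0 < amount_minor <= self.amount_minor:
            raise ValueError("capture must be positive and within the authorised amount")
        self.captured_minor = amount_minor
        self.state = State.CAPTURED

    def settle(self) -> int:
        if self.state is not State.CAPTURED:
            raise ValueError(f"cannot settle a payment that is {self.state.value}")
        self.state = State.SETTLED
        return self.captured_minor        # amount that reaches the merchant


def demo() -> list:
    t0 = datetime(2024, 1, 1, 12, 0)      # constructed timestamps
    shipped = Payment(5000, t0)
    shipped.capture(5000, t0 + timedelta(days=2))   # captured when the item ships
    paid = shipped.settle()
    stale = Payment(5000, t0)
    try:
        stale.capture(5000, t0 + timedelta(days=8)) # hold has already lapsed
    except ValueError:
        pass
    return [paid, shipped.state, stale.state]
```

Rejecting captures on expired or already-captured payments keeps a pending authorisation from being charged twice or after the reserved funds have been released.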
Insufficient funds or credit - If a customer doesn’t have enough money in their account, or if they’ve exceeded their credit limit for the month, then the issuing bank cannot authorise the payment.
Invalid or expired cards - The issuing bank cannot authorise payments made with expired or invalid cards.
Cardholder verification errors - If the issuing bank can’t verify that the correct person indeed possesses the card, it won’t be able to authorise the payment. This can happen when the cardholder fails to enter the correct PIN or CVV code, their billing address doesn’t match the one associated with their cardholder account, or they cannot accurately complete the 3D Secure process.
Suspected fraudulent activity - If the issuing bank detects suspicious or atypical transaction patterns, such as attempting to make an unusually large purchase or buying several high-value items in a row, it may preventatively decline a payment to protect the cardholder.
Location restrictions - Some cardholders may encounter authorisation failures based on their geographic location. For instance, if the cardholder travels internationally but hasn’t informed their bank beforehand, their card payments may be declined as a fraud-prevention measure.
When a customer’s payment is declined, it doesn’t always mean they have insufficient funds. Merchants can help troubleshoot and resolve the issue by walking customers through the following steps.
1. Verify the card information. Has the customer entered the correct card details, expiration date, billing address, CVV/CVC and/or PIN? If not, enter the correct information and try again.
2. Check the card status. Is the card expired, or is it an old card that has been replaced? If so, find the right card and try again.
3. Consider security reasons for the decline. Could a security hold be placed on the card due to the type of purchase or the customer’s geographical location? If so, the customer can call their bank to release the hold.
If the customer is making an in-person purchase, the merchant’s POS terminal may provide a code indicating the reason for the decline. This makes it even easier for the merchant to assist the customer and resolve the issue.
Although, in most scenarios, card authorisation is a very brief and automated process, there are certain situations in which a cardholder may need to complete a more thorough credit card authorisation form.
These forms are designed to collect the necessary payment information and cardholder consent for specific payment scenarios. They can be paper or digital forms, typically with the following fields to complete:
- Full name (as it appears on the card)
- Billing address
- Contact information
- Card details
- Card type (e.g., Visa, Mastercard, American Express, etc.)
- Card number
- Expiration date
- CVV or CVC code
- Transaction amount and description
- Transaction date
- Cardholder signature
- Reference number (e.g., customer ID, invoice number, PO number, etc.)
Recurring payments and subscriptions - A company may require a customer to complete a card authorisation form to consent to recurring payments or subscriptions, such as monthly gym memberships or streaming service subscriptions. This practice is less and less common as technology now allows merchants to set up recurring payments through secure online checkout forms.
High-value transactions - Merchants selling high-value items, like cars or luxury goods, may ask customers to complete a card authorisation form as part of the payment process. This provides an additional layer of documentation that can be used as evidence if issues arise during the payment process.
Pre-authorisation - Hotels and car rental companies may require customers to complete card authorisation forms to pre-authorise a future payment. This allows them to temporarily reserve funds on the customer's card, both as a guarantee and to allow for potential additional charges or incidentals during their stay or rental period (e.g., an additional cleaning fee for the rental car or items from the hotel minibar).
Offline, manual transactions - In certain scenarios where electronic payments aren’t possible, merchants can take card payments manually by having customers complete a paper card authorisation form. Examples include an outdoor event outside of Wi-Fi range or purchases made over the telephone. As with the other scenarios mentioned, this is increasingly less common due to technological advances and the security issues associated with handling unencrypted cardholder data.
Security issues with card authorisation forms
Although card authorisation forms were once a routine part of the payment process for certain sales scenarios, the introduction of more secure and convenient payment technologies has made them much less common.
It is still possible to securely collect cardholder data via digital card authorisation forms, but not without implementing an array of rigorous security measures. For paper authorisation forms, this is even more difficult, if not impossible.
In order to protect cardholder data and maintain PCI DSS compliance, many merchants instead opt for modern payment processing software with built-in security measures, like tokenisation and encryption, to authorise and reserve funds.
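To show what tokenisation means for a digital card authorisation form, the sketch below strips the card number and CVV from a submitted form before it is stored, keeping only a token and the last four digits. It is an added example, not code from the original page or from any payment processor; the field names, the `TokenVault` class (an in-memory stand-in for a processor's tokenisation service) and the sample form are constructed for illustration.

```python
import secrets

# Fields that must not remain in the stored record. PCI DSS does not permit
# keeping the CVV once the payment has been authorised.
SENSITIVE = ("card_number", "cvv")


def luhn_ok(pan: str) -> bool:
    """Checksum test that catches mistyped card numbers before tokenising."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Stand-in for a tokenisation service (assumption: a real one is remote)."""

    def __init__(self) -> None:
        self._pans = {}

    def tokenise(self, pan: str) -> str:
        token = "tok_" + secrets.token_hex(8)   # random, reveals nothing about the PAN
        self._pans[token] = pan
        return token


def sanitise_form(form: dict, vault: TokenVault) -> dict:
    """Return a copy of the form that is safe to store alongside the order."""
    pan = "".join(c for c in form.get("card_number", "") if c.isdigit())
    if not luhn_ok(pan):
        raise ValueError("card number fails the Luhn check")
    safe = {k: v for k, v in form.items() if k not in SENSITIVE}
    safe["card_token"] = vault.tokenise(pan)
    safe["card_last4"] = pan[-4:]
    return safe


# Constructed sample submission using a well-known test card number.
SAMPLE_FORM = {
    "full_name": "A. Cardholder",
    "card_number": "4111 1111 1111 1111",
    "cvv": "123",
    "amount": "50.00",
    "reference": "INV-0001",
}
```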
The merchant’s bank (acquiring bank) initiates the card authorisation request by sending it to the payment processor. The payment processor, acting as an intermediary, then securely delivers the request to the cardholder’s bank (issuing bank).
Typically, the issuing bank—the financial institution that issued the card to the customer—verifies the cardholder, confirms they have sufficient funds, and authorises the payment.
Whether making an in-person or online payment, card authorisation doesn’t usually last longer than a few seconds.
Capturing is when a merchant finalises an authorised payment, perhaps after shipping out a physical item or completing a service. Capturing can be set up to happen automatically, or it can be up to the merchant to log into their payment processing system and manually capture the payments (e.g., clicking “complete” or “fulfilled” next to each finalised transaction). In capturing a payment, the merchant signals that it’s time for the pending payment to be settled.
Settlement is the final stage of the payment process, when the funds from an authorised and captured transaction are transferred from the customer’s bank account to the merchant’s. After settlement, the payment process is complete.
A card authorisation hold is when a merchant temporarily reserves funds as a guarantee that the cardholder can cover a future payment (e.g., a hotel stay, a bar tab, a car rental payment). The hold is released when the transaction is settled, or when the authorisation hold expires.
The security of credit card authorisation forms depends entirely on how the merchant collects and stores the form’s cardholder data. It’s increasingly difficult to use traditional card authorisation forms and still meet the payment industry’s rigorous security standards. Instead, merchants can use modern payment processing technologies to authorise and reserve funds while protecting cardholder data and maintaining compliance.