Have you ever wondered what happens behind the scenes on your website when your customers click the 'Pay' button? When a customer uses a credit or debit card to make a purchase, a card authorization request is sent to the issuer to verify the card's validity.
Credit card authorization is performed to determine whether the customer has sufficient funds in their card account to cover the transaction. If the customer's information is correct and sufficient funds are available in their account, the specified amount is held and deducted from the customer's credit limit after issuer approval.
Let's delve a little deeper into the process.
How does credit card authorization work?
When a credit or debit card transaction is made, the merchant sends a request to the acquirer, which is usually done through a credit card processor like Shift4. The acquirer then submits a request to the issuer to review the customer's account, examine whether the customer's card is valid, and determine whether the customer has sufficient funds to complete the transaction.
If funds cover the sale's costs, an authorization hold is placed on the customer's account, reducing the credit line by the sale amount. Then the acquirer receives an approval or error code in return. As you might expect, the transaction isn't completed if an error code is issued.
As you can see, multiple entities must collaborate to determine whether a transaction is valid during the authorization process. These are cardholder, merchant, acquirer, card schemes, and issuer.
By placing an authorization hold on a credit or debit card transaction, merchants can protect their businesses from fraud or chargebacks. They can temporarily block funds for a transaction to verify it and ensure they will get paid.
What happens with the authorization hold? In short, it is removed when a merchant captures the charge or when the authorization expires (usually after five days). Blocking funds on the customer’s card gives you time to verify and capture the funds needed to complete a transaction. So, the actual money transaction happens after the authorization and is called capturing. It usually happens automatically.
Authorization can block funds on a customer’s card for up to 7 days for debit cards and 25 days for credit cards. This gives a merchant time to ensure that the customer’s card is valid.
What the Process Looks Like When the Card Authorization Fails
The most common reasons for failed authorizations are technical or financial issues. Most payment processors notify online customers about failures automatically by displaying a certain notification explaining why their transaction wasn’t completed. A merchant can see the cause of the failure, which is identified by its decline code.
Decline codes can differ based on the acquirer. They could appear due to technical issues or problems with the information sent to the processor, such as a wrong configuration, a missing value in an online form, etc. In many cases, financial error codes are related to the customer’s account. If it’s a technical issue, it should be fixed by a merchant or acquirer, depending on the root cause of the problem.
You should only complete the transaction and ship the product if you get an authorization code. A payment scenario that includes card authorization enables merchants to check for potentially fraudulent activity before delivering goods or services. It also helps the merchant avoid issuing refunds by canceling payments before capture and saving time and transaction fees.
Authorization and Capture
Most merchants use one-phase transactions, which we call sales. A sale is literally a financial transaction. It’s when you authorize, verify, and capture everything simultaneously. What about a two-phased approach?
In a two-phased approach, the transaction is authorized, funds are blocked from the customer, and then funds are captured. The transaction occurs in that capture phase. Here’s how it looks from the customer’s perspective.
Reminder: Card capture releases funds from a customer to a merchant.
A customer is on your website; they want to buy a product or a service that you provide, so they put in the card data and complete the transaction. Products are delivered, everyone’s happy, and they go on their way.
It looks a bit different from the merchant’s perspective, however. If they're doing a one-phase transaction or a sale, the flow is as follows:
The customer is on the website
A merchant receives the payment request
The transaction goes through
The product is delivered
But, there are things that can go wrong in this situation. say the transaction goes through a few seconds later and you receive a fraud score saying it’s fraud. You then decide to issue a refund, but it’s costly, and because it’s fraud, you’ll likely get a chargeback in a few days. This one-phase transaction gives you no time to verify, makes you vulnerable to chargebacks, and costs you refunds.
Here’s how it would go with authorization.
The merchant receives a payment request, authorization happens, funds are blocked on the customer’s bank account, and no money goes through. It gives you time to verify the customer — to review the fraud score (usually 7 days for debit cards and 25 days for credit cards), so you know whether the funds are secured, no chargeback is possible until after capture, and there’s a free refund in case you want to change your mind. In 95% of the cases, this is automated and lasts up to three minutes.
Here’s a breakdown of how it works when you’re using the Shift4 API:
The card is authorized, you then get a fraud score within a few seconds, and the system decides for you, so the scenario can be as follows:
If the score is 75 — it’s fraud and you will issue a refund without processing the customer’s payments
If it’s 50 — you make the decision manually
If it’s 0 — it’s captured automatically
You're offering a free trial for seven days. You authorize the payment, the customer is testing your service for those seven days, and after that period, the customer decides to go with the product. So, you capture the funds; then the transaction goes through. If it is not okay, you refund them at no cost.
Let’s say you have 1,000 transactions for $20 each, meaning you have $20k in sales. If the transaction fee is $0.02, that makes the total transaction cost $400. There is roughly a 1% chargeback ratio resulting in 10 chargebacks. Ten chargebacks plus the cost of the chargeback, $25, the money that you lose equals $450. Overall costs are $400 + $450 = $850, plus the time, energy, and resources spent on disputing that chargeback.
So, what do you do?
Choosing Shift4 authorization and capture drops your chargeback by 60% to 4 from the initial 10, saving $270. If you go one step further and use our non-invasive 3D secure, the chargeback is reduced to just one, resulting in only $45 of cost, saving you a total of $405.
Card capture is determined not only by your agreement with your payment service provider (PSP) but also by the type of business you operate. Although the timing of payment collection can vary, most firms and their payment processors manage to do it ahead of schedule because most card authorizations expire in 5–10 days.