• A payment authorization request is created at the payment gateway and approved or declined by the customer’s issuing bank.
  • Payment authorization results are delivered to the merchant in seconds, completing the transaction.
  • Merchants have the option to immediately collect or place the approved payment transaction amount on hold.

At first glance, payment processing may seem like a simple process with instant results. However, a series of steps happens right after a customer provides their payment details during checkout. The entire process involves different financial institutions working together to authenticate the data, confirm the availability of funds, and eventually authorize the payment. 

What is payment authorization?

Payment authorization is the portion of the payment processing system where transaction data goes through a series of validations to facilitate the release of the customer’s funds. It is generally associated with credit card transactions, which is why the term is often interchanged with “credit card authorization.” However, other payment methods, such as direct bank deposits (echecks, ACH), have their own payment authorization processes in place. 

Payment authorization vs payment capture

Payment authorization happens after a transaction is confirmed and that the customer has enough resources (credit card or bank balance) to fund the transaction. Payment capture, on the other hand, is when the approved transaction amount is pulled from the customer’s source of funds and sent to the merchant’s account through the payment processor.  

How does payment authorization work?

Payment authorization is the verification and approval portion of the payment process. The payment gateway collects and encrypts the data while the payment processor sends the data to (1) the card network to validate and (2) the issuer’s bank to fund the transaction.

Every payment method undergoes some form of payment authorization, which has several stages for authenticating the transaction and verifying the source of funds.  

Key components

The following are factors that play key roles in payment authorization:

  • Payment gateway: A form where a customer’s payment information is entered. This happens through POS software, an ecommerce website, or a virtual terminal.  
  • Merchant acquirer: The financial institution that provides the business with a merchant account through a partner payment processing service provider. 
  • Payment processor: A software service that provides the technology to transmit transaction data and funding information. 
  • Card network (for credit cards): A network of brands that provide credit card services to customers through a partner bank.
  • ACH (for direct bank debits): A financial institution that validates and processes ACH payments such as direct debits and echecks.
  • Customer’s issuing bank: A bank that partners with card networks to issue credit cards to consumers.

Payment authorization process

Payment authorization process flow in 3 stages
Three stages of payment processing for approved credit card transactions.

Stage 1: Payment data collection

Customer provides their payment information

The data is captured by the payment gateway, which is programmed to: 

  • Ensure that the customer’s payment information is legitimate through fraud detection tools
  • Secure the payment information with encryption and tokenization tools

Once done, the payment gateway initiates the authorization process.

Payment gateway creates the authorization request

The payment authorization request is created and sent to the payment processor along with the related transaction details and the encrypted customer payment information. Note that if the payment gateway uses 3D Secure technology for fraud detection, it will also include the results of the fraud detection check in the information sent to the payment processor.

Stage 2: Payment authorization

Payment processor verifies the transaction

The payment processor receives the authorization request from the payment gateway and verifies the validity of the transaction based on the terms and conditions that the merchant agreed to when they signed up for the merchant account. The payment processor then checks and routes the information to the card brand specified on the customer’s payment details.

Card brand applies interchange fees

Once received, the card brand reviews the customer’s credit card information and transaction data. It then assigns the interchange fees based on its interchange rate matrix. The applied interchange fees will vary based on a number of factors, including card and transaction type. Afterwards, the card brand sends all the information to the customer’s issuing bank.  

Note that the ACH network performs a similar function to that of the card brand when the customer uses an echeck or ACH debit as their form of payment instead of a credit card.

Issuing bank approves or declines the payment authorization request

Next, the customer’s bank checks its records to ensure that it does have a card or bank account holder under the customer’s name. Once verified, the bank confirms the customer has a sufficient balance on their credit card or bank account. 

Based on these two factors, the customer’s bank either approves or rejects the payment authorization request and relays the result back to the payment processor. The payment processor, in turn, sends the information to the payment gateway where the result is displayed on the checkout screen. 

If approved, the payment authorization stage ends and the settlement stage begins. Otherwise, the customer will be prompted to provide a different payment method to complete the transaction and the payment authorization process is repeated.

Stage 3: Payment settlement

Capturing, settlements, and holds

While the scope of payment settlement stage goes beyond this article, it’s important to briefly discuss what happens after the payment authorization is approved.

customer account and merchant account showing the status of the same transaction highlighted in red border
How an approved transaction is reflected in a customer bank statement and merchant sales records.

It should be clearly pointed out that what customers and merchants see on the checkout screen is the approve/reject payment response sent back by the customer’s issuing bank. This completes the transaction at the front end. However, the transaction is reflected as “Pending” on the customer’s credit card statement and “Authorized” on the merchant’s sales records.  

The payment settlement is then initiated, where: 

  1. The approved funds are immediately put on hold, which simply means that the authorized transaction amount is now reserved and deducted from the customer’s credit or bank balance. 
  2. The temporary hold is in effect until the merchant processor asks for the payment to be released or captured.
  3. The customer’s bank sends the amount to the merchant via the payment processor for settlement. The amount that the merchant receives is already net of the transaction fees imposed by the card network, the banks, and the payment processor. 
  4. The transaction’s status in the customer’s credit card statement is replaced with the actual date that the payment was posted to the merchant’s account. 

Read more: How to accept payments online and our guide to ecommerce payments.

Payment authorization for subscription-based businesses

Subscription-based businesses — those that collect payments in the form of membership fees, professional retainers, utility bills, and video streaming platforms — handle two different types of payment authorization:

  1. A formal document signed by the customer giving the merchant permission to charge the customer’s specified card or bank for future payments.
  2. A request initiated every billing cycle that is sent to the customer’s issuing bank.

The payment authorization form is a requirement by the Payment Card Industry Data Security Standard (PCI DSS) for businesses that intend to store customer payment data. Once the billing date arrives, the payment processor includes this document in the payment authorization request sent to the customer’s issuing bank for approval.

PCI-compliant payment processing is a tedious process. The fastest and most efficient solution is to sign up with a payment processor, such as Stripe, Square, and PayPal, offering these services.  

Read more: Stripe vs Square, Square vs PayPal, Stripe Alternatives

Importance of credit card authorization 

The credit card authorization process is not just for the benefit of the business. The approval process protects all involved parties—banks, payment processors, and customers.  

  • For the customer: Payment authorization ensures their credit card details are not used for suspicious transactions. It also prevents the customer’s source of funds from being overdrawn.
  • For card issuers: Payment authorization helps issuing banks minimize the risk it has accepted when they provided the customer with a credit card.
  • For the merchant: Credit card authorization includes a series of validation and authentication checks which provides the merchant with a level of protection from the risk of fraud and chargeback claims.
  • For the merchant acquirer/payment processor: Payment authorization keeps the risk of fraudulent transactions to a minimum and helps build the provider’s reputation as an efficient payment processing service. 
  • For the card network: Payment authorization helps card networks collect accurate credit card processing data to improve their rates and services.

FAQs

The entire process of payment authorization can be completed in seconds with the help of payment processors that connect the merchant to the customer’s issuing bank.

A payment authorization form is a formal document that merchants ask customers to fill out when purchasing a product or service that requires future one-time or recurring payments. This is used by subscription-based businesses.

The most common general reasons for declined transactions are (1) insufficient funds and (2) failure to authenticate the payment information. These two can be broken down into different types such as exceeded volume limits, frozen accounts, incorrect CVV codes, and incorrect address among others.