
Payment authorization: How it works, why it fails, and what it costs

Updated 22 May 2026
Andrii Kononenko
Head of Merchant Operations, Solidgate
Here's what actually happens in the seconds between a customer hitting pay and your system seeing a result.

If you're looking into payment authorization, something in your payments stack isn't performing the way it should. Maybe it's a decline rate that won't budge, revenue that keeps slipping through without a clear reason, or customers dropping off at checkout with valid cards.
Whatever the symptom, the root cause almost always sits in the authorization chain. Across Solidgate merchants, authorization rates vary by double-digit points between best and worst corridors – and most teams can't trace why.
This guide covers how the authorization chain works, why transactions get declined, and what authorization performance means for fraud, checkout conversion, and subscription retention.

TL;DR

  • Payment authorization is the issuing bank's real-time decision to approve or decline a transaction – funds are reserved at this stage, not moved. Settlement happens separately.
  • What the issuer decides depends on what your infrastructure sends. Acquirer selection, credential quality, and authentication signals all shape the outcome before the issuer makes its call.
  • Soft declines account for 70–90% of failed transactions in subscription businesses and are recoverable with smart routing and retry logic. Hard declines aren't – retrying them damages your future approval rates with that issuer.
  • Authorization failures affect fraud liability, checkout conversion, and subscription retention simultaneously – not just the transaction in front of you.

What is payment authorization?

Payment authorization is the real-time process by which a card network and issuing bank verify that a transaction is valid, the cardholder has sufficient funds or credit, and nothing about the request signals fraud. 
No money moves during authorization. It's a verification step, not a transfer.
The issuing bank reviews the request and returns one of three responses: approved, declined, or referred for further authentication. Only authorized transactions can proceed toward settlement, which happens separately.
This distinction matters. Authorization sits at the front of the payment chain. It's where legitimate transactions clear, fraudulent ones get stopped, and unnecessary declines create revenue losses that never appear as chargebacks.

How the payment authorization process works

Every card transaction follows the same sequence before any money changes hands. Here's how it runs:
Step 1: The customer initiates a payment. At checkout, the customer submits card details or selects a digital wallet. In card-not-present environments, a  or software development kit (SDK) captures and tokenizes the data before it leaves the browser or app.
Step 2: The payment gateway forwards the request. The gateway packages the transaction data – card details, amount, currency, and merchant information – and sends it to the acquiring bank.
Step 3: The acquiring bank routes through the card network. The acquirer forwards the authorization request through the card scheme (Visa, Mastercard, or a local network), which routes it to the issuing bank.
Step 4: The issuing bank makes the authorization decision. The issuer validates the card, checks available funds, and runs fraud scoring across behavioral patterns, velocity signals, and geography. In Europe, Payment Services Directive 2 (PSD2) – and its upcoming successor – may require Strong Customer Authentication (SCA) via 3D Secure 2 (3DS2) at this stage. The issuer then returns an authorization code or a decline reason.
Step 5: The response travels back. The code passes through the card network, acquirer, and gateway to the merchant's system. The customer sees the outcome in seconds.
Diagram illustrating the 5-step payment authentication transaction flow from customer to issuing bank.
Core insight: The issuer decides at Step 4 but the quality of signals sent in Steps 1–3 shapes what the issuer sees. Card data format, acquirer selection, and authentication signals all influence the outcome before the issuer makes its call.

Payment authorization vs authentication vs capture

Three terms that frequently get conflated – each describes a different step in the transaction lifecycle.
| Term | What it means | When it happens |
|---|---|---|
| Authentication | Verifying the cardholder's identity (e.g., via a 3DS2 challenge or frictionless flow) | Before or during authorization, on high-risk or SCA-regulated transactions |
| Authorization | The issuer's real-time approval – funds reserved, not moved | At checkout, in real time |
| Capture | Capture converts an authorized payment into an actual transfer of funds | After fulfillment, or simultaneously with authorization in a one-step flow |
The authorization–capture split matters most when the final charge amount isn't confirmed at the moment of checkout. For instance, a marketplace authorizes when an order is placed but captures only once the seller confirms, or a platform authorizes at trial start and captures when the trial converts. In these cases, authorization holds the funds; capture finalizes the amount once it's known.
For a deeper look at how payment pre-authorization holds work in practice, see our guide on.
For subscription businesses, the authentication–authorization relationship has a direct effect on renewal revenue. Under PSD2, the first charge on a subscription requires the customer to complete a Strong Customer Authentication (SCA) challenge – typically a 3DS2 prompt. Once that's done, all subsequent renewals qualify as merchant-initiated transactions and are exempt from further challenges.
Core insight: Authentication proves who the cardholder is. Authorization checks whether the transaction can proceed. Capture moves the money. Each step has different rules, different timing, and different consequences when it fails.

Why payment authorizations get declined

Payment authorizations get declined when the issuing bank decides the transaction doesn't meet its approval criteria. That can happen for a range of reasons: 
Soft declines (temporary). The card is valid, but something situational blocked the authorization. These can be insufficient funds at the moment of the attempt, a fraud score triggered by an unusual pattern, or a network interruption mid-request. Soft declines account for 70–90% of all failed transactions in subscription businesses – and most of them are recoverable.
Hard declines (permanent). The card itself is the problem: it's been reported stolen, the account is closed, or the cardholder has explicitly cancelled recurring charges. Every retry attempt incurs card scheme fees and signals poor payment hygiene to the issuer – tightening their approval criteria on your future transactions.
Flowchart shows payment decline strategies: insufficient funds, general decline, and lost/stolen cards.
Authorization rates typically run 85–90% for most merchants; well-optimized stacks reach 92–95%. Knowing which declines are worth pursuing and which ones to stop at the first attempt helps merchants improve their auth rates. 
By directing each transaction to the right acquirer before the first attempt, you’re reducing preventable declines at source. By timing retries to the decline code and the cardholder's billing cycle, you’re recovering the soft declines that do occur – an average LTV lift of +11.6% across Solidgate merchants. 
For the full four-layer framework, see our guide.
Core insight: A decline is a signal, not a verdict. Reading it correctly – and acting accordingly – is where most of the recoverable revenue sits.

The critical role of payment authorization for your transactions

Authorization is decided in a second, but its consequences play out across your entire payment stack.

Fraud prevention and chargeback exposure

Payment authorization is where the issuing bank evaluates every transaction for fraud risk before funds move. Fraudulent payments that trigger a hard decline get stopped at this stage – before settlement, before a chargeback is filed. But authorization alone doesn't catch everything. Fraud that gets through authorization still results in chargebacks, and the question of who absorbs that cost depends on what authentication was applied.
When 3DS2 authentication is completed under SCA, liability shifts from the merchant to the issuer. If a fraudulent transaction passes authentication and the real cardholder disputes it, the issuing bank absorbs the chargeback – not the merchant.
The  found that card payment fraud within the EEA was 17 times higher when the counterpart was outside the EEA, where SCA isn’t legally required. 
For merchants, that means fewer chargebacks, lower dispute management costs, and less risk of breaching the card scheme thresholds that put merchant accounts under acquirer review.

Checkout conversion

Authorization decisions directly determine. A submitted payment that doesn't clear registers the same way in your analytics: a dropped checkout, indistinguishable from someone who changed their mind. Two distinct failures create that outcome.
False declines. These are legitimate transactions declined for the wrong reason – routing mismatches, credential quality issues, or MCC alignment problems. They run at 2–5% for most merchants, and with no way to know the problem is on the merchant's side, most customers abandon rather than retry.
Teams spend months optimizing UX while the fix sits in the infrastructure. A layer handles all three:
  • Smart routing to the acquirer most likely to approve each transaction;
  • Credential quality improvements;
  • Selective 3DS2 application where the risk profile warrants it.
Authorization speed. Customers expect a near-instant outcome. A response that stalls at the gateway, processor, or issuer level introduces uncertainty – on mobile especially, customers don't wait. Abandonment happens before the result even arrives, for a transaction that might have cleared. Here too, the solution is infrastructure – routing to acquirers with consistently fast response times.

Subscription retention

On average, 7.2% of subscribers are at risk of being lost each month to involuntary churn based on our survey of 1,200 subscription businesses. Cards get reissued, accounts get updated, and the stored credentials your  system holds become stale without the merchant knowing.
The structural fix is network tokenization. VTS and MDES tokens update automatically when a card is reissued – maintaining billing continuity without any action from the customer or merchant. 
What that looks like in practice: Zeely, an AI-powered marketing platform processing across the US, UK, Canada, and Australia, experienced an unexpected acquirer closure. VTS/MDES tokenization protected their entire recurring subscriber base. Active subscriptions transferred to new acquirers with near-zero loss – no customer was asked to re-enter payment details.
Across Solidgate merchants,  delivers acceptance rate improvements of up to +15% and retention gains of up to +7.5%.
Diagram illustrating Solidgate's network tokenization process involving cardholders, merchants, and issuers.
Core insight: Authorization affects fraud liability, checkout conversion, and subscription retention – simultaneously. Most of what determines an authorization outcome is decided before the request reaches the issuer.

Payment authorization determines more than a single transaction

Authorization performance reflects the cumulative effect of decisions made before and during each transaction: 
  • How credentials are stored;
  • Which acquirer the request reaches;
  • What authentication logic applies;
  • How declines are categorized and handled afterward.
Most businesses only control one or two of those systematically. The result is authorization variance they can see in the numbers but can't trace to a cause.
addresses the two biggest levers directly – routing each transaction to the acquirer most likely to approve it, and recovering soft declines automatically when the first attempt fails.
If your authorization rate varies across markets or acquirers and your team can't trace why,  to map your current setup and identify where the gap is.

Frequently asked questions

Payment authorization is the real-time process by which an issuing bank confirms a card transaction is valid, the account has sufficient funds, and the transaction doesn't trigger a fraud flag. It reserves the funds but doesn't transfer them – settlement does that later. Authorization is the verification decision at the front of every card transaction.

In most cases, the full authorization chain completes in one to three seconds. Delays can occur at the gateway, acquirer, or issuer level. Slow responses raise checkout abandonment, particularly on mobile, where customers are more likely to leave before the result appears.

Authentication verifies the customer's identity – typically through 3DS2 in card-not-present transactions. Authorization verifies card validity and available funds. Authentication happens first; authorization follows. A transaction can pass authentication and still decline at authorization – for insufficient funds, for example.

Yes. A like Solidgate handles authorization logic across web, mobile, in-app, and recurring billing channels through a single API. Smart routing, soft decline retry logic, token-based recurring authorization, and adaptive 3DS2 all run automatically based on transaction context and risk profile.

Beyond the immediate lost sale, declines have downstream effects. For subscription businesses, a failed renewal creates involuntary churn – the subscriber is lost not because they cancelled, but because the charge didn't go through. Repeated hard decline retries to a specific issuer tighten that issuer's approval criteria for all your future transactions.

Start by segmenting your declines by acquirer, card type, Bank Identification Number (BIN) range, market, and decline reason. Identify whether you're dealing with hard declines (don't retry), soft declines (retry intelligently), or false declines (routing and configuration problem). Then address each category with the right lever: smart routing, network tokenization, retry logic, or MCC alignment.
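
The hard/soft split from the declines section and the segmentation step above can be sketched as follows. This is an added example, not Solidgate's code: the grouping of ISO 8583 response codes into hard and soft, the retry cap, the record field names, and the sample log are all assumptions made for illustration.

```python
from collections import Counter

# ISO 8583 response codes; the hard/soft grouping below is an assumption
# for this example, since issuers and acquirers map codes differently.
APPROVED = {"00"}
HARD = {"14", "41", "43"}   # invalid card number, lost card, stolen card
SOFT = {"05", "51", "91"}   # do not honor, insufficient funds, issuer unavailable
MAX_SOFT_RETRIES = 3        # assumed cap, not a scheme rule

def classify(code):
    if code in APPROVED:
        return "approved"
    if code in HARD:
        return "hard"
    if code in SOFT:
        return "soft"
    return "unknown"

def should_retry(code, prior_attempts):
    """Retry only soft declines under the cap; unknown codes fail closed."""
    return classify(code) == "soft" and prior_attempts < MAX_SOFT_RETRIES

def segment(attempts):
    """Count declines per (acquirer, BIN, category)."""
    counts = Counter()
    for a in attempts:
        category = classify(a["code"])
        if category != "approved":
            counts[(a["acquirer"], a["bin"], category)] += 1
    return counts

def retries_after_hard(attempts):
    """Return card tokens that were charged again after a hard decline."""
    blocked, flagged = set(), []
    for a in attempts:  # attempts must be in time order
        if a["token"] in blocked and a["token"] not in flagged:
            flagged.append(a["token"])
        if classify(a["code"]) == "hard":
            blocked.add(a["token"])
    return flagged

# Constructed sample log, oldest first; holds token and BIN, never the full PAN.
ATTEMPTS = [
    {"token": "tok_a", "acquirer": "acq_1", "bin": "411111", "code": "51"},
    {"token": "tok_a", "acquirer": "acq_1", "bin": "411111", "code": "00"},
    {"token": "tok_b", "acquirer": "acq_2", "bin": "510510", "code": "43"},
    {"token": "tok_b", "acquirer": "acq_2", "bin": "510510", "code": "43"},
    {"token": "tok_c", "acquirer": "acq_2", "bin": "510510", "code": "05"},
]
```

Running `retries_after_hard` over a real attempt log surfaces the cards that retry logic should have stopped touching, and `segment` shows whether hard or soft declines cluster on one acquirer or BIN range.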