Authorization Basics (Operator Field Manual)
Every card transaction starts with authorization. Get it wrong and you lose the sale or eat the chargeback. Understand the request/response cycle, what the codes mean, and how to handle edge cases.
Last verified: Dec 2025. Response codes and rules evolve; confirm with your processor.
What Matters (5 bullets)
- Authorization is permission, not payment. Auth reserves funds; settlement moves money.
- Always authorize before capture. Processing without auth = automatic chargeback liability.
- Response codes tell you why it failed. Soft vs hard declines need different handling.
- Authorizations expire. Protection periods vary by transaction type; clear within window.
- Match auth amount to capture amount. Tolerance limits exist, but exceeding them creates disputes.
How Authorization Works
The Authorization Flow
Time elapsed: 1-3 seconds typically
What's in an Auth Request
| Field | Purpose |
|---|---|
| Card number (PAN) | Identifies account |
| Expiration | Confirms the card has not expired |
| CVV | Proves card possession (CNP) |
| Amount | Funds to reserve |
| Currency | Which currency |
| MCC | Merchant category |
| AVS data | Address verification |
| 3DS data | Authentication results |
What's in an Auth Response
| Field | Meaning |
|---|---|
| Response code | Approve, decline, or refer |
| Authorization code | Approval reference (if approved) |
| AVS result | Address match result |
| CVV result | CVV match result |
| Network transaction ID | For tracking |
Authorization vs Capture vs Settlement
| Stage | What Happens | When |
|---|---|---|
| Authorization | Issuer reserves funds | At checkout |
| Capture | Merchant claims the auth | At fulfillment |
| Settlement | Money moves | Batch processing (daily) |
Pre-Authorization vs Final Authorization
| Type | Use Case | Protection Period |
|---|---|---|
| Pre-auth | Estimate before final (hotels, car rental) | 30 days (Mastercard) |
| Final auth | Exact amount known | 7 days typical |
| Incremental auth | Adding to existing (hospitality) | Varies |
Response Codes
Common Approval Codes
| Code | Meaning |
|---|---|
| 00 | Approved |
| 10 | Partial approval (debit) |
| 85 | No reason to decline (card verification) |
Soft Declines (Retry May Work)
| Code | Meaning | Action |
|---|---|---|
| 05 | Do not honor | Retry later or different card |
| 51 | Insufficient funds | Retry later |
| 61 | Exceeds withdrawal limit | Retry smaller amount |
| 65 | Exceeds frequency limit | Retry later |
| N7 | CVV mismatch | Ask customer to re-enter |
Hard Declines (Don't Retry)
| Code | Meaning | Action |
|---|---|---|
| 04 | Pick up card | Do not process |
| 07 | Pick up card (fraud) | Do not process |
| 14 | Invalid card number | Check entry |
| 41 | Lost card | Do not process |
| 43 | Stolen card | Do not process |
| 54 | Expired card | Request valid card |
| 57 | Transaction not permitted | Different payment needed |
Referrals
| Code | Meaning | Action |
|---|---|---|
| 01 | Refer to issuer | Voice authorization available |
| 02 | Refer to issuer (special) | Voice authorization available |
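One way to enforce the soft/hard split is to audit the attempt log for retries the tables above rule out. This is an added example, not code from the manual or any processor. The log format, the per-card token, and the retry cap are assumptions, and the log lines are constructed.

```python
"""Audit authorization attempts against the decline tables above."""
from collections import defaultdict

# Code groupings copied from the response-code tables on this page.
APPROVED = {"00", "10", "85"}
SOFT = {"05", "51", "61", "65", "N7"}
HARD = {"04", "07", "14", "41", "43", "54", "57"}
REFERRAL = {"01", "02"}
MAX_SOFT_RETRIES = 2  # assumption: the page sets no retry cap

def classify(code):
    for name, group in (("approved", APPROVED), ("soft", SOFT),
                        ("hard", HARD), ("referral", REFERRAL)):
        if code in group:
            return name
    return "unknown"  # not in the tables: confirm with the processor

def audit(lines):
    """Return (line_no, card_token, finding) for attempts that break the rules."""
    hard_seen = {}                 # card token -> first hard-decline code
    soft_count = defaultdict(int)  # (card token, order) -> soft declines so far
    findings = []
    for n, line in enumerate(lines, 1):
        _ts, order, token, code = line.split()
        if token in hard_seen:
            findings.append(
                (n, token, f"attempt after hard decline {hard_seen[token]}"))
        elif soft_count[(token, order)] > MAX_SOFT_RETRIES:
            findings.append((n, token, "soft-decline retry cap exceeded"))
        kind = classify(code)
        if kind == "hard":
            hard_seen.setdefault(token, code)
        elif kind == "soft":
            soft_count[(token, order)] += 1
    return findings

# Constructed sample log: timestamp, order id, card token, response code.
SAMPLE_LOG = [
    "2025-12-01T10:00:00Z ord-1 tok_A 51",
    "2025-12-01T10:05:00Z ord-1 tok_A 51",
    "2025-12-01T10:10:00Z ord-1 tok_A 51",
    "2025-12-01T10:15:00Z ord-1 tok_A 00",  # third retry, over the cap
    "2025-12-01T11:00:00Z ord-2 tok_B 43",
    "2025-12-01T11:00:05Z ord-2 tok_B 43",  # retried a stolen-card decline
    "2025-12-01T11:30:00Z ord-3 tok_C 01",  # referral: voice auth path
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```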
Authorization Protection Periods
Authorizations expire. Clear transactions within the protection window or risk chargebacks.
Visa
| Transaction Type | Protection Period |
|---|---|
| Standard | 7 days |
| Hotels/car rental | 31 days |
| Cruise lines | 31 days |
Mastercard
| Transaction Type | Protection Period |
|---|---|
| Final authorization | 7 days |
| Pre-authorization | 30 days |
| India domestic | 4 days |
Best Practice
- Capture as close to auth as possible
- Set alerts before protection expires
- Re-authorize if you'll exceed the window
Amount Tolerance
The capture amount can differ from auth amount within limits.
Visa Tolerances
| Transaction Type | Tolerance |
|---|---|
| Standard retail | 0% |
| US restaurants | 20% (for tips) |
| Hotels | 15% |
| Car rental | 15% |
Mastercard Tolerances
| Transaction Type | Tolerance |
|---|---|
| Chip + PIN | 0% |
| Contactless | 0% |
| US card-present | 30% |
| US CNP (restaurants) | 30% |
| Other card-present | 20% |
Currency Conversion
10% tolerance for FX rate differences between auth and clearing.
Common Authorization Issues
No Authorization Obtained
- Problem: Transaction processed without auth
- Result: Automatic chargeback liability (11.3, 4808)
- Prevention: Always require online auth; no offline processing
Declined But Processed
- Problem: Auth declined, transaction still processed
- Result: Automatic chargeback liability (11.2)
- Prevention: Never override declines; no "force" without real approval
Authorization Expired
- Problem: Too long between auth and capture
- Result: Chargeback (12.1 late presentment)
- Prevention: Track auth dates; capture within window
Amount Exceeded Tolerance
- Problem: Captured more than allowed variance
- Result: Chargeback for overage
- Prevention: Know tolerance by transaction type; re-auth if needed
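The expired-authorization and exceeded-tolerance cases can both be caught by a check that runs before every capture. This is an added example, not code from the manual or a processor SDK. The dictionary keys and function name are hypothetical, the day and percent values are the ones in the tables above, and the window is assumed to run from the auth timestamp with the last day included.

```python
"""Pre-capture check against the protection periods and tolerances above."""
from datetime import datetime, timedelta, timezone
from decimal import Decimal

# Days, from the Authorization Protection Periods tables (keys are hypothetical).
PROTECTION_DAYS = {
    ("visa", "standard"): 7,
    ("visa", "hotel_car_rental"): 31,
    ("visa", "cruise"): 31,
    ("mastercard", "final_auth"): 7,
    ("mastercard", "pre_auth"): 30,
    ("mastercard", "india_domestic"): 4,
}
# Percent over the authorized amount, from the Amount Tolerance tables.
TOLERANCE_PCT = {
    ("visa", "standard_retail"): 0,
    ("visa", "us_restaurant"): 20,
    ("visa", "hotel"): 15,
    ("visa", "car_rental"): 15,
    ("mastercard", "chip_pin"): 0,
    ("mastercard", "contactless"): 0,
    ("mastercard", "us_card_present"): 30,
    ("mastercard", "us_cnp_restaurant"): 30,
    ("mastercard", "other_card_present"): 20,
}

def check_capture(network, period_type, tolerance_type,
                  auth_time, auth_amount, capture_time, capture_amount):
    """Return 'capture', or a 'reauthorize: ...' reason if a limit is broken."""
    # Assumption: window counted from the auth timestamp, boundary inclusive.
    deadline = auth_time + timedelta(days=PROTECTION_DAYS[(network, period_type)])
    if capture_time > deadline:
        return "reauthorize: protection period expired"
    # Decimal keeps cents exact; only overage is limited, not under-capture.
    pct = TOLERANCE_PCT[(network, tolerance_type)]
    limit = auth_amount * Decimal(100 + pct) / 100
    if capture_amount > limit:
        return "reauthorize: capture exceeds tolerance"
    return "capture"

if __name__ == "__main__":
    # Constructed sample: a 50.00 US restaurant auth with a tip added later.
    auth = datetime(2025, 12, 1, 19, 0, tzinfo=timezone.utc)
    for total in ("60.00", "60.01"):
        print(total, check_capture("visa", "standard", "us_restaurant", auth,
                                   Decimal("50.00"), auth + timedelta(hours=3),
                                   Decimal(total)))
```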
Voice Authorization
When to use voice authorization:
- System timeout with customer present
- Referral response (01, 02)
- POS failure with customer waiting
Voice Auth Process
- Call acquirer's voice auth center
- Provide card details verbally
- Receive approval code
- Enter approval code in terminal
- Document the call
Voice Auth Risks
- Fraudsters can obtain voice auths on stolen cards
- No CVV/AVS protection
- Higher scrutiny in disputes
- Document everything
Authorization Best Practices
Always Do
- Get real-time authorization - Never process without auth
- Match amounts - Auth and capture should align
- Capture promptly - Don't let auths expire
- Handle declines gracefully - Good UX for soft declines
- Log everything - Auth code, timestamp, response
Never Do
- Force transactions - Don't override declines
- Process offline - Unless absolutely necessary with proper procedures
- Exceed tolerances - Re-auth if amount increases
- Ignore response codes - Each code means something
- Delay capture - Risk expiration and chargebacks
Scale Callout
| Volume | Focus |
|---|---|
| Under $100k/mo | Basic auth handling; never override declines; capture same-day |
| $100k-$1M/mo | Track auth expiration; implement retry logic for soft declines; monitor response code distribution |
| Over $1M/mo | Issuer-level auth analysis; optimize retry timing; network tokenization for recurring |
Where This Breaks
- Offline terminals - No real-time auth check; creates liability
- Staff override culture - "Just run it through" = chargebacks
- Long fulfillment - Auth expires before shipping
- Manual processes - Voice auth without documentation
- Amount changes - Final differs from estimate without re-auth
Next Steps
Understanding authorization?
- Learn the flow - Request to response
- Know auth vs capture vs settlement - Each stage
- Understand protection periods - 7-31 days by type
Handling declines?
- Check soft vs hard - Retry vs don't retry
- Use appropriate retry logic - When to try again
- Handle referrals - Voice auth when needed
Avoiding authorization issues?
- Follow best practices - Always do, never do
- Know common issues - Expired, exceeded, declined
- Capture within tolerance - Know the limits