How Card Authorization Works: From Merchant to Issuer
A technical guide explaining how card authorization works across merchants, acquirers, card networks, and issuing banks, and why authorization performance matters in modern payment infrastructure.
How Card Authorization Works: From Merchant to Issuer
Every card payment begins with a real-time authorization decision: approve or decline.
This decision occurs inside the card authorization process - a distributed interaction between the merchant, payment processor, acquiring bank, card network, and issuing bank. Within a few hundred milliseconds, these systems exchange transaction data that determines whether a payment is accepted or rejected.
Understanding this process is critical for payment providers, acquirers, PayFacs, and merchants because authorization performance directly impacts revenue, customer experience, and fraud exposure.
This article explains how card authorization works from the moment a merchant initiates a payment request to the issuer returning a decision - and why understanding this flow is essential for optimizing payment infrastructure.
Quick Answer: How Card Authorization Works
Card authorization is the real-time process that determines whether a payment card transaction is approved or declined.
When a customer initiates a payment, the transaction request travels through multiple participants in the payments ecosystem before reaching the issuing bank, which makes the final approval decision.
The authorization flow typically follows this path:
Merchant → Payment Processor / Gateway → Acquirer → Card Network → Issuer → Response returned to merchant
The issuer evaluates the request using risk models, card status, available balance or credit, and transaction context. It then returns an approval or decline response that travels back through the same network path.
The entire process typically completes in 300–1,500 milliseconds, depending on network latency and issuer processing time.
Card authorization is only the first stage of the card payment lifecycle. After authorization, the transaction must still go through capture, clearing, and settlement before funds reach the merchant.
The Millisecond Timeline of Authorization
Although authorization feels instantaneous to customers, it is actually a coordinated interaction between several independent payment systems.
A typical authorization request passes through multiple infrastructure layers operated by different organizations:
1. Merchant initiation
The merchant sends a transaction request when the customer submits payment.
2. Processor or gateway formatting
The payment processor formats the request according to card network message standards.
3. Acquirer submission
The acquiring bank forwards the authorization request to the relevant card network.
4. Network routing
The card network identifies the issuing bank and routes the authorization message.
5. Issuer decisioning
The issuer evaluates the transaction using automated risk and account validation systems.
6. Response returned
The issuer’s approval or decline response travels back through the card network and acquirer to the merchant.
Visa’s acquiring documentation describes this request-response model, where authorization messages are routed through network infrastructure to the issuing bank and returned with an approval or decline decision.
Authorization vs Clearing vs Settlement
Card authorization is only the first stage of the payment lifecycle.
Mastercard describes the card transaction process as consisting of three distinct phases:
- Authorization - verification that the cardholder and funds are valid
- Clearing - exchange of transaction data between the acquirer and issuer
- Settlement - transfer of funds between financial institutions
Authorization determines whether the transaction is allowed to proceed, but it does not transfer funds to the merchant.
Funds move later during clearing and settlement once the merchant submits the approved transaction for capture.
This distinction matters because an approved authorization does not guarantee final settlement if subsequent processing steps fail.
The Participants in the Authorization Chain
A card authorization request typically involves four primary participants in the payment ecosystem.
Merchant
The business accepting payment from the customer.
Acquirer
The financial institution that processes card payments on behalf of the merchant.
Card Network
The payment scheme (such as Visa or Mastercard) that routes transactions between acquirers and issuers.
Issuer
The bank that issued the payment card and ultimately decides whether to approve the transaction.
The PCI Security Standards Council defines an acquirer as the entity responsible for processing payment card transactions for merchants and ensuring compliance with network rules.
Card networks provide the infrastructure that connects acquirers and issuers globally for transaction processing.
Step 1: The Merchant Creates the Authorization Request
The authorization process begins when a customer initiates a payment.
This can occur when a shopper:
• clicks Pay during online checkout
• taps a contactless card
• inserts a chip card into a terminal
• enters card details manually
The merchant system constructs an authorization request message containing key transaction data such as:
• transaction amount
• card credentials
• merchant identifier
• transaction timestamp
• transaction channel information
This message is sent to the merchant’s payment processor or gateway, which prepares it for transmission to the acquiring bank.
Visa’s payment processing documentation identifies the merchant request as the first step in the authorization lifecycle.
Why this step matters
Authorization performance is influenced not only by issuer decisioning but also by the quality and completeness of the authorization request.
Incomplete or poorly structured transaction data can increase issuer uncertainty and raise the probability of a decline.
As a result, many large merchants treat authorization performance as a technical optimization discipline, not just a financial metric.
Step 2: The Acquirer and Card Network Route the Request
After receiving the merchant request, the payment processor sends the transaction to the acquiring bank.
The acquiring bank then submits the authorization request to the appropriate card network.
Card networks are responsible for:
• identifying the correct issuing bank
• routing the authorization message
• applying network rules
• ensuring interoperability between payment systems
Mastercard’s transaction processing rules require acquirers to recognize valid card ranges and obtain authorization responses from issuers when processing transactions.
Visa’s network infrastructure similarly determines the correct issuer destination and routes authorization messages accordingly.
Although largely invisible to merchants, this routing layer influences how authorization requests are presented to issuers and can materially affect approval performance.
Step 3: The Issuer Evaluates the Transaction
The issuing bank receives the authorization request and evaluates it using internal decision systems.
According to Mastercard, authorization involves verifying:
• cardholder identity
• card validity
• available balance or credit
• transaction risk
Issuers typically rely on automated risk engines that analyze multiple signals including:
• spending patterns
• account status
• merchant category
• fraud indicators
• geographic data
These systems operate as automated decision engines designed to balance fraud prevention, regulatory requirements, and cardholder experience.
Based on these inputs, the issuer returns one of several possible outcomes:
• Approved
• Declined
• Partially approved
• Authentication required
The issuer decision is then transmitted back through the card network to the acquiring bank.
Step 4: The Response Returns to the Merchant
Once the issuer returns a decision, the card network routes the authorization response back through the same path used for the request.
Visa describes this as matching the response message to the original authorization request and returning it to the merchant through the network infrastructure.
The payment processor then converts the network message into a simplified response format for the merchant system.
Issuers typically return detailed authorization response codes, but these codes are often translated into simplified categories by acquirers or payment processors.
Global Payments notes that issuer authorization codes may be mapped to simplified merchant-facing response codes for easier integration.
While this abstraction simplifies merchant integration, it can also hide useful diagnostic information about the underlying decline reason.
Authorization Does Not Mean Revenue
A common misconception in payments is that an approved authorization equals completed revenue.
In reality, authorization only confirms that the issuer is willing to honor the transaction.
The merchant must still perform capture, which initiates clearing and settlement.
Visa’s merchant documentation explains that capture processing is the step where approved transactions are submitted for financial settlement.
Only after clearing and settlement are funds transferred between issuing and acquiring institutions.
Why Understanding Authorization Matters
For payment providers and merchants operating at scale, authorization performance directly affects revenue.
Even small improvements in approval rates can significantly increase captured volume without requiring additional customer acquisition.
Understanding the authorization flow allows payment teams to:
• diagnose decline causes
• optimize routing and transaction data quality
• identify recoverable transactions
• improve payment infrastructure performance
Because multiple independent systems influence the issuer decision, effective payment optimization requires visibility across the entire authorization chain.
Where Better Fits
Better operates as a real-time payment recovery infrastructure layer designed to capture recoverable authorization failures during the authorization window.
Rather than replacing issuer decisioning, Better focuses on transactions that fail authorization but remain recoverable under the right conditions.
By operating inside the authorization window and applying advanced decisioning models, Better enables payment providers and merchants to recover legitimate transactions that would otherwise be lost revenue.
In practice, this means Better complements existing payment infrastructure:
• orchestration determines routing paths
• authorization determines the issuer decision
• recovery infrastructure captures recoverable transactions
More at:
https://www.bettercharge.ai/
The Operational Takeaway
Card authorization is the decision point at the heart of every payment transaction.
The process follows a consistent sequence:
Merchant request
→ Acquirer submission
→ Network routing
→ Issuer decision
→ Response returned to the merchant
Each participant in this chain performs a specific role, and understanding these roles is essential for diagnosing declines, improving approval rates, and optimizing payment infrastructure.
For payment organizations, authorization performance is more than an operational metric.
It is a direct driver of revenue performance.
Organizations that understand the authorization process deeply are often the ones that capture the most value from it.
