Authorization Decisioning
Before understanding authorization decisioning, know:
- Auth optimization merchant perspective
- Issuer perspective on fraud
- Decline codes and meanings
- Risk scoring concepts
- Issuers must decide approve or decline in milliseconds using limited data
- Decisions combine rules, ML models, and velocity checks, similar to merchant fraud systems
- Key signals: cardholder history, transaction patterns, device/location, merchant reputation
- Generic "Do Not Honor" declines often hide fraud suspicion behind a catch-all code
- Merchants can improve authorization rates by sending cleaner traffic and richer data
When you submit a transaction for authorization, the card network routes it to the cardholder's issuing bank. That bank has milliseconds to decide: approve or decline. Understanding how issuers make that decision helps explain why good transactions sometimes get declined, and what you can do about it.
What Happens During Authorization
The authorization flow looks simple from the outside, but inside the issuer, a complex decisioning process happens in under 100 milliseconds:
The fraud check is where merchant transactions often get caught.
Signals Issuers Use
Issuers evaluate a combination of factors. Here's what they typically look at:
Cardholder History
- Typical spending patterns (amounts, frequencies, categories)
- Geographic usage patterns (where has this card been used before?)
- Previous fraud claims filed by this cardholder
- Account age and status
Transaction Characteristics
- Amount (unusually large for this cardholder?)
- Merchant category (high-risk MCC?)
- Time of day (consistent with cardholder behavior?)
- Card-present vs. card-not-present
Merchant Signals
- Merchant reputation (historical fraud and chargeback rates)
- AVS result (address match?)
- CVV result (code match?)
- 3DS authentication result
Device and Location
- IP geolocation (does it match cardholder's typical locations?)
- Distance from last transaction (impossible travel?)
- Device fingerprint (if available through enhanced data sharing)
Rules vs. Models
Like merchant fraud systems, issuers combine rules-based checks with machine learning:
Rules-based checks:
- Hard limits: "Decline if card has been used more than 10 times in 1 hour"
- Category restrictions: "Decline if merchant is in blocked MCC list"
- Geographic rules: "Decline if transaction is in country where cardholder has never been"
ML models:
- Pattern recognition across the cardholder's full history
- Comparison to similar cardholders' behavior
- Real-time scoring (typically 0-1000 scale)
Network-level fraud scoring services like Visa Advanced Authorization (VAA) and Mastercard Decision Intelligence analyze hundreds of signals and return a risk score in under a millisecond. Issuers can incorporate these scores into their own decisioning.
Velocity Limits
Velocity checks are particularly important for issuers because they protect against rapid fraud escalation:
| Velocity Type | Example |
|---|---|
| Transaction count | Max 5 transactions per hour |
| Daily spend limit | Max $2,000 per day |
| Geographic velocity | Can't transact in two distant cities within an hour |
| Decline count | Too many declines in short period triggers lockout |
| MCC velocity | Unusual concentration in high-risk categories |
When you see "card_velocity_exceeded" or similar decline codes, the cardholder has hit one of these limits. These aren't negotiable. The cardholder needs to contact their bank.
Decline Reason Codes
Issuers communicate decline reasons through response codes. Unfortunately, many issuers hide behind generic codes:
| Code | Meaning | What's Really Happening |
|---|---|---|
| 05 | Do Not Honor | Could be anything: fraud suspicion, velocity, internal policy |
| 14 | Invalid Card Number | Card number doesn't exist or has a typo |
| 41 | Lost Card | Cardholder reported card lost |
| 43 | Stolen Card | Cardholder reported card stolen |
| 51 | Insufficient Funds | Not enough balance available |
| 54 | Expired Card | Card is past expiration date |
| 57 | Transaction Not Permitted | Card restricted for this MCC or transaction type |
| 61 | Exceeds Withdrawal Limit | Hit a daily or transaction limit |
| 65 | Exceeds Activity Count | Hit a velocity limit |
The infamous "05 - Do Not Honor" accounts for a huge share of declines. It's a catch-all that issuers use when they don't want to reveal the specific reason, often because the reason is fraud suspicion and they don't want to tip off potential fraudsters.
Important: "05 - Do Not Honor" can represent either a soft or hard decline depending on the issuer. Treat it cautiously. Limited retries are reasonable, but aggressive retry loops will likely make things worse.
Soft vs. Hard Declines
Not all declines are equal:
Soft declines are temporary and can be retried:
- Insufficient funds (customer might add money)
- Velocity exceeded (limit might reset)
- Issuer system unavailable (try again later)
Hard declines are permanent and shouldn't be retried:
- Invalid card number
- Lost or stolen card
- Account closed
- Fraud confirmed
Retrying hard declines wastes money (you still pay network fees) and can trigger fraud flags if done excessively.
Retry guidance: As a rule of thumb, don't retry a decline more than 2-3 times, and space retries out (e.g., on the next day or billing cycle), not within seconds.
Improving Authorization Rates
Merchants can influence authorization outcomes:
Send Better Data
The more context you provide, the better the issuer's decision:
- Full billing address for AVS
- CVV for every first-time transaction
- Merchant name that matches your billing descriptor
- Level 2/3 data for B2B transactions
Use Enhanced Data Sharing
Some networks, processors, and acquirers offer enhanced data-sharing programs where your fraud assessment (risk scores, model output, 3DS results) is shared directly with issuers. When an issuer can see that a trusted third party has already vetted the transaction, they're more likely to approve it.
Examples include network-level scoring services like Visa Advanced Authorization (VAA) and Mastercard Decision Intelligence, plus issuer-linking programs offered by some acquirers and PSPs.
Authenticate When Appropriate
3D Secure shifts liability but also improves approval rates. When the issuer has authenticated the cardholder themselves, they're confident the transaction is legitimate.
Keep Credentials Updated
Account updater services automatically refresh expired or reissued card numbers. Using network tokens instead of raw PANs also helps. Tokens stay valid when cards are reissued.
Don't Hammer Declines
Aggressive retry logic looks like fraud. Most issuers track retry patterns and will increasingly decline transactions from merchants who don't respect initial decline decisions.
What You Can't Control
Some decline factors are beyond your influence:
- Cardholder's account status (frozen, closed, restricted)
- Cardholder's available balance
- Issuer's global risk policies
- International restrictions
When these cause declines, the only solution is for the customer to contact their bank or use a different payment method.
See Also
- The Issuer Perspective - How issuers think about fraud
- AVS & CVV - Verification signals you control
- 3D Secure - Shifting liability through authentication
- Risk Scoring - Merchant-side fraud scoring
- Decline Codes - Full decline code reference
- Auth Optimization - Improving approval rates
- Velocity Rules - Rate limiting patterns
- Portfolio Monitoring - Issuer portfolio view
- Network Programs - Fraud thresholds
- Card Testing - Understanding retry abuse
- Increase Auth Rates - Authorization optimization playbook
- Fix Declining Auth Rates - Diagnosing auth drops