Skip to main content

Authorization and Capture

Prerequisites

Before diving into auth and capture, understand:

TL;DR
  • Authorization = "Can this cardholder pay?" (issuer checks credit limit, fraud risk, account status)
  • Capture = "Actually move the money" (triggers clearing and settlement)
  • Auth hold = Temporary hold on funds; expires if not captured (typically 7-30 days)
  • The gap between auth and capture is your fraud review window - use it wisely

The Authorization-Capture Flow

What is Authorization?

Authorization is asking: "Can this card pay for this?"

When you request authorization, the issuer checks:

  1. Does this card exist and is it valid? (Not expired, not reported stolen)
  2. Is the account in good standing? (Not frozen, not over limit, not flagged for fraud)
  3. Are there sufficient funds or credit available?

If all three answers are yes, the issuer sends back an approval code - a 6-digit alphanumeric promise: "We've verified the funds and are holding them for you."

Key Concept

An authorization is not a charge. No money has moved. The issuer has placed a "hold" on that amount, temporarily reducing available credit. Think of a hotel putting a hold on your card at check-in - they haven't charged you yet.

What is Capture?

Capture (also called "presentment" or "clearing") is when you say: "Okay, now actually take the money."

This is when the transaction becomes real:

  1. You submit the transaction for settlement
  2. The issuer debits the cardholder's account
  3. Funds flow: Issuer → Network → Acquirer → You

After capture, the "pending" charge becomes a "posted" charge. The transaction is complete.

Combined vs. Separated

Combined (Auth + Capture together): Most retail transactions. Tap your card at a coffee shop, and auth/capture happen simultaneously.

Separated (Auth now, Capture later): Some businesses deliberately separate them. This is "manual capture" or "auth-only" followed by capture.

Why Separate Auth and Capture?

1. Final Amount Unknown

IndustryWhy
HotelsDon't know final bill until checkout (minibar, room service, extended stay)
RestaurantsTip added after authorization
Gas stationsAuth fixed amount ($100-150), capture actual pump amount
Vehicle rentalsAuth estimated, capture based on actual duration, fuel, tolls

2. Fulfillment Not Complete

ScenarioApproach
E-commerceAuth at order, capture at shipment
Pre-ordersAuth to validate card, capture when item ships
Custom goodsAuth confirms payment ability, capture when ready

3. Fraud Review Window

This is the big one for fraud teams. The window between authorization and capture is your opportunity to review before committing.

Why this matters: Once you capture, reversing requires a refund:

  • Costs you interchange fees you don't get back
  • Creates accounting complexity
  • May take days to post to customer's account
  • Looks bad if customer disputes instead

But if you void before capture, the hold simply releases. Cleaner operationally and financially.

The Fraud Review Window

What You Can Do During the Window

CheckPurpose
Velocity checksCard used at unusual speed? Multiple orders quickly?
Device fingerprintingDevice matches previous fraud patterns? VPN/proxy?
AVS/CVV verificationBilling matches issuer records? Shipping to reshipping service?
Manual reviewHigh-risk orders flagged for human review
3D Secure step-upChallenge with additional authentication
Behavioral analysisSession recordings, mouse movements, typing patterns

Void vs. Decline Decision

Decline at authorization: Transaction never approved. Customer sees "card declined." Clean, but friction for legitimate customers.

Approve, then void before capture: Authorization succeeds, but you cancel before capturing. Hold releases. Softer approach - you're giving yourself time to investigate without hard-declining at checkout.

Segment Your Approach

Risk LevelCapture Timing
Low-risk ordersCapture immediately (no review needed)
Medium-risk ordersCapture same-day after automated checks
High-risk ordersHold for manual review, capture next day if approved

Authorization Windows

Authorizations don't last forever. Each network sets validity windows:

NetworkStandard Window
Visa7 days CNP, 5 days card-present
Mastercard7 days final auth, 30 days preauth
Amex7 days standard

Miss the window? Auth expires, hold releases, you need to re-authorize (might fail if card is now maxed/closed/stolen).

For detailed network-specific windows, see Authorization Windows Reference.

Why Fast Capture Sometimes Wins

Delayed capture isn't free:

Customer Confusion

Statements don't clearly distinguish pending vs. posted. Customer might see:

  1. "Pending" charge when they order
  2. Pending disappears (auth expired/voided)
  3. New charge appears (re-authorized and captured)

To the customer: looks like double charge. They call support. Or worse, file a dispute.

Authorization Decay

The longer you wait, the more likely something changes:

  • Customer spends available credit elsewhere
  • Card reported lost/stolen
  • Account closed or flagged for fraud

Reconciliation Complexity

Every auth-capture pair is two events to track in settlement:

  • Did this auth get captured?
  • Did this capture match the right auth?
  • Partial captures? Split shipments?

When to Use Which Approach

Use Immediate Capture When:

  • Transaction is low-risk (known customer, low value, consistent pattern)
  • Goods/services delivered immediately
  • Customer experience is priority
  • Reconciliation simplicity matters

Use Delayed Capture When:

  • You need time for fraud review
  • Fulfillment is delayed (pre-orders, backorders, custom items)
  • Final amount isn't known yet
  • Regulatory or business rules require it

Industry-Specific Patterns

IndustryAuthCaptureSpecial Rules
HotelsAt check-in (estimated + buffer)At checkout (actual)Extended auth windows (30 days)
Vehicle RentalsAt pickup (estimated + deposit)At return (actual charges)Can capture more than auth for fuel/tolls
E-commerceAt checkoutAt shipment7-day window typically
RestaurantsPre-tip amountWith tip addedCan exceed auth by tip tolerance (~20%)
Subscriptions$0 or $1 validationAt billing period startSpecific recurring indicators required

Operational Best Practices

For Merchants

  1. Track authorization timestamps. Know exactly when each auth expires.
  2. Build automated capture triggers. When order ships, capture immediately.
  3. Void unused authorizations. Don't let them expire - release holds faster for customers.
  4. Use proper transaction indicators. Ensure processor flags transactions correctly for extended windows.

For Fraud Teams

  1. Segment by risk for capture timing. Not every transaction needs review.
  2. Set review SLAs inside the auth window. 7-day auth = 5-day max review SLA.
  3. Use void wisely. Softer than decline at auth for uncertain cases.
  4. Track void reasons. Analyze why transactions are voided to improve upstream detection.

Next Steps

Just learning auth/capture?

  1. Check your processor's default behavior - auth-only or combined?
  2. Understand your auth validity window
  3. Learn what happens after capture

Optimizing your flow?

  1. Review auth optimization to improve approval rates
  2. Consider separated auth/capture for fraud review
  3. Track auth-to-capture timing to stay within windows

Troubleshooting issues?

  1. "Ghost charges" on statements - check if auths are being voided properly
  2. Declined at capture - auth expired or amount mismatch; see decline codes
  3. Amount mismatches - verify industry tolerance rules (tips, fuel, hotels)

See Also