Authorization and Capture
Before diving into auth and capture, understand:
- Payments overview and how money moves
- Decline codes for when things fail
- Settlement and reconciliation (what happens after capture)
- Authorization = "Can this cardholder pay?" (issuer checks credit limit, fraud risk, account status)
- Capture = "Actually move the money" (triggers clearing and settlement)
- Auth hold = Temporary hold on funds; expires if not captured (typically 7-30 days)
- The gap between auth and capture is your fraud review window - use it wisely
On this page
- The Authorization-Capture Flow
- What is Authorization?
- What is Capture?
- Combined vs. Separated
- Why Separate Auth and Capture?
- The Fraud Review Window
- Authorization Windows
- Why Fast Capture Sometimes Wins
- When to Use Which Approach
- Industry-Specific Patterns
- Pre-Authorization Holds
- Authorization Expiration and Re-Authorization
- Partial Authorization
- Partial Captures (Split Shipments)
- Operational Best Practices
- Void vs. Refund: Which To Use
- Next Steps
- See Also
The Authorization-Capture Flow
What is Authorization?
Authorization is asking: "Can this card pay for this?"
When you request authorization, the issuer checks:
- Does this card exist and is it valid? (Not expired, not reported stolen)
- Is the account in good standing? (Not frozen, not over limit, not flagged for fraud)
- Are there sufficient funds or credit available?
If all three answers are yes, the issuer sends back an approval code - a 6-digit alphanumeric promise: "We've verified the funds and are holding them for you."
An authorization is not a charge. No money has moved. The issuer has placed a "hold" on that amount, temporarily reducing available credit. Think of a hotel putting a hold on your card at check-in - they haven't charged you yet.
What is Capture?
Capture (also called "presentment" or "clearing") is when you say: "Okay, now actually take the money."
This is when the transaction becomes real:
- You submit the transaction for settlement
- The issuer debits the cardholder's account
- Funds flow: Issuer → Network → Acquirer → You
After capture, the "pending" charge becomes a "posted" charge. The transaction is complete.
Combined vs. Separated
Combined (Auth + Capture together): Most retail transactions. Tap your card at a coffee shop, and auth/capture happen simultaneously.
Separated (Auth now, Capture later): Some businesses deliberately separate them. This is "manual capture" or "auth-only" followed by capture.
Why Separate Auth and Capture?
1. Final Amount Unknown
| Industry | Why |
|---|---|
| Hotels | Don't know final bill until checkout (minibar, room service, extended stay) |
| Restaurants | Tip added after authorization |
| Gas stations | Auth fixed amount ($100-150), capture actual pump amount |
| Vehicle rentals | Auth estimated, capture based on actual duration, fuel, tolls |
2. Fulfillment Not Complete
| Scenario | Approach |
|---|---|
| E-commerce | Auth at order, capture at shipment |
| Pre-orders | Auth to validate card, capture when item ships |
| Custom goods | Auth confirms payment ability, capture when ready |
3. Fraud Review Window
This is the big one for fraud teams. The window between authorization and capture is your opportunity to review before committing.
Why this matters: Once you capture, reversing requires a refund:
- Costs you interchange fees you don't get back
- Creates accounting complexity
- May take days to post to customer's account
- Looks bad if customer disputes instead
But if you void before capture, the hold simply releases. Cleaner operationally and financially.
The Fraud Review Window
What You Can Do During the Window
| Check | Purpose |
|---|---|
| Velocity checks | Card used at unusual speed? Multiple orders quickly? |
| Device fingerprinting | Device matches previous fraud patterns? VPN/proxy? |
| AVS/CVV verification | Billing matches issuer records? Shipping to reshipping service? |
| Manual review | High-risk orders flagged for human review |
| 3D Secure step-up | Challenge with additional authentication |
| Behavioral analysis | Session recordings, mouse movements, typing patterns |
Void vs. Decline Decision
Decline at authorization: Transaction never approved. Customer sees "card declined." Clean, but friction for legitimate customers.
Approve, then void before capture: Authorization succeeds, but you cancel before capturing. Hold releases. Softer approach - you're giving yourself time to investigate without hard-declining at checkout.
Segment Your Approach
| Risk Level | Capture Timing |
|---|---|
| Low-risk orders | Capture immediately (no review needed) |
| Medium-risk orders | Capture same-day after automated checks |
| High-risk orders | Hold for manual review, capture next day if approved |
Authorization Windows
Authorizations don't last forever. Each network sets validity windows:
| Network | Standard Window |
|---|---|
| Visa | 7 days CNP, 5 days card-present |
| Mastercard | 7 days final auth, 30 days preauth |
| Amex | 7 days standard |
Miss the window? Auth expires, hold releases, you need to re-authorize (might fail if card is now maxed/closed/stolen).
For detailed network-specific windows, see Authorization Windows Reference.
Why Fast Capture Sometimes Wins
Delayed capture isn't free:
Customer Confusion
Statements don't clearly distinguish pending vs. posted. Customer might see:
- "Pending" charge when they order
- Pending disappears (auth expired/voided)
- New charge appears (re-authorized and captured)
To the customer: looks like double charge. They call support. Or worse, file a dispute.
Authorization Decay
The longer you wait, the more likely something changes:
- Customer spends available credit elsewhere
- Card reported lost/stolen
- Account closed or flagged for fraud
Reconciliation Complexity
Every auth-capture pair is two events to track in settlement:
- Did this auth get captured?
- Did this capture match the right auth?
- Partial captures? Split shipments?
When to Use Which Approach
Use Immediate Capture When:
- Transaction is low-risk (known customer, low value, consistent pattern)
- Goods/services delivered immediately
- Customer experience is priority
- Reconciliation simplicity matters
Use Delayed Capture When:
- You need time for fraud review
- Fulfillment is delayed (pre-orders, backorders, custom items)
- Final amount isn't known yet
- Regulatory or business rules require it
Industry-Specific Patterns
| Industry | Auth | Capture | Special Rules |
|---|---|---|---|
| Hotels | At check-in (estimated + buffer) | At checkout (actual) | Extended auth windows (30 days) |
| Vehicle Rentals | At pickup (estimated + deposit) | At return (actual charges) | Can capture more than auth for fuel/tolls |
| E-commerce | At checkout | At shipment | 7-day window typically |
| Restaurants | Pre-tip amount | With tip added | Can exceed auth by tip tolerance (~20%) |
| Subscriptions | $0 or $1 validation | At billing period start | Specific recurring indicators required |
Pre-Authorization Holds
When you authorize but don't immediately capture, customers see a "pending" or "hold" on their account. This confuses customers and drives support calls.
How Holds Appear to Customers
| What You Did | What Customer Sees | Duration |
|---|---|---|
| Auth only | "Pending: $X" | Until capture or expiration |
| Auth + void | "Pending" then disappears | 1-7 days to clear |
| Auth expired | "Pending" then disappears | 7-30 days depending on issuer |
| Auth + capture | "Pending" becomes "Posted" | 1-3 days |
The problem: Customers don't understand "pending." They see the charge, assume they were billed, and when the pending disappears (auth expired), they think they got a free refund. Then the real charge posts and they dispute for "duplicate billing."
Industries That Create Holds
| Industry | Hold Amount | Why |
|---|---|---|
| Hotels | Room rate × nights + 20-50% buffer | Incidentals, minibar, damages |
| Gas stations | $100-150 fixed | Unknown pump amount |
| Car rentals | Daily rate × days + $200-500 | Fuel, tolls, damages |
| Restaurants | Bill amount | Tip to be added |
Managing Customer Expectations
Best practices for hold-heavy businesses:
□ Disclose hold amount at point of sale
□ Explain when and how holds release
□ Provide hold reference on receipt
□ Train support staff on hold timing
□ Consider email/SMS when hold releases
Hold Release Timing
You don't control when holds release. The issuer does.
| Card Type | Typical Release Time |
|---|---|
| Debit cards | 1-3 business days after void/expiration |
| Credit cards | Up to 7 days after void/expiration |
| Prepaid cards | Up to 10 days (highly variable) |
Debit card pain: For debit cards, holds reduce actual available cash, not credit limit. A $500 hotel hold on a debit card with $600 balance leaves the customer with $100 accessible. This generates the angriest calls.
For high-hold industries: capture as quickly as possible. A captured transaction posts faster than a voided authorization releases. If the final amount is known, capture immediately rather than holding.
Authorization Expiration and Re-Authorization
Authorizations expire. If you don't capture in time, the hold releases, and you need to re-authorize. This creates risk and customer confusion.
Network Expiration Windows
| Network | Card-Present | Card-Not-Present | Extended (Hotels/Rentals) |
|---|---|---|---|
| Visa | 5 days | 7 days | 31 days (with proper MCC/indicator) |
| Mastercard | 7 days | 7 days | 30 days (preauthorization) |
| Amex | 7 days | 7 days | Varies by agreement |
| Discover | 10 days | 10 days | Extended available |
What Happens at Expiration
Re-Authorization Risks
| Risk | What Happens |
|---|---|
| Card maxed | Customer spent available credit elsewhere |
| Card closed | Account closed, reported lost/stolen |
| Fraud flag | Second auth attempt triggers fraud decline |
| Customer confusion | Two "pending" charges visible |
| Higher decline rate | Re-auths have ~5-15% lower approval vs. original |
Preventing Auth Expiration
| Strategy | Implementation |
|---|---|
| Track auth timestamps | Alert before expiration window |
| Capture earlier | Ship faster or capture at earlier fulfillment stage |
| Use proper indicators | Extended windows for hotels/rentals |
| Incremental auth | For changing totals, use incremental instead of full re-auth |
| Customer communication | If re-auth needed, warn customer |
When Re-Authorization Is Required
| Scenario | Action |
|---|---|
| Auth expired, need to charge | Re-authorize with customer notification |
| Auth amount increased | Incremental auth (if supported) or void + new auth |
| Long fulfillment delay | Consider auth closer to ship date |
| Subscription renewal | New auth each period (not re-auth) |
"Are we tracking authorization timestamps? Do we have alerts for approaching expiration? What's our re-authorization decline rate?"
Partial Authorization
Sometimes the card doesn't have enough available credit for the full amount, but the issuer approves a partial amount. You decide what to do with the remainder.
How Partial Auth Works
When Partial Auth Happens
| Scenario | Example |
|---|---|
| Prepaid cards | Card has $60 balance, purchase is $100 |
| Debit cards | Account has $60, purchase is $100 |
| Credit at limit | Available credit is $60, purchase is $100 |
| Gift cards | Remaining balance less than purchase |
Handling Partial Authorization
| Option | When to Use | UX Consideration |
|---|---|---|
| Accept partial | Low-friction preferred | Customer pays remainder with second method |
| Void and retry | Single payment required | Customer must use different card |
| Split tender | POS supports it | Smooth for in-person, complex online |
| Decline entire | Simplicity over conversion | Bad UX, customer frustrated |
Processor Support
Not all processors handle partial auth the same way:
| Processor Behavior | What You See |
|---|---|
| Returns partial | Auth response includes partial amount approved |
| Auto-declines | Returns decline if full amount unavailable |
| Configurable | You choose whether to accept partials |
Online vs. In-Person
| Environment | Partial Auth Handling |
|---|---|
| Card-present (POS) | Display approved amount, prompt for second payment method |
| E-commerce | More complex - must handle in checkout flow |
| Mobile app | Similar to e-commerce, needs UI support |
| Unattended (kiosk/gas pump) | Often auto-accepts partial for prepaid |
Implementation Considerations
Partial auth checklist:
□ Does your processor support partial auth responses?
□ Can your checkout flow handle split payments?
□ What's your policy: accept partial or decline?
□ How do you handle partial for digital goods (can't partial-deliver)?
□ Staff training for in-person split tender?
Prepaid cards are the main source of partial authorizations. If you sell to demographics that use prepaid heavily (gift recipients, unbanked customers, teens), build proper partial auth handling into your checkout flow.
Partial Captures (Split Shipments)
Partial capture lets you capture less than the authorized amount. This is essential for split shipments and order modifications.
When to Use Partial Capture
| Scenario | How It Works |
|---|---|
| Split shipment | Auth $100, ship item A ($60), capture $60. Ship item B ($40), capture $40. |
| Item out of stock | Auth $100 for 2 items, one unavailable, capture $50 for delivered item. |
| Order modification | Customer removes item after auth, capture reduced amount. |
| Partial fulfillment | Service partially delivered, capture proportional amount. |
Partial Capture Flow
Network Rules for Multiple Captures
| Network | Multiple Captures | Notes |
|---|---|---|
| Visa | Supported | Must complete within auth window |
| Mastercard | Supported | Final capture should close auth |
| Amex | Limited | Check with processor |
| Discover | Supported | Standard window applies |
Accounting Implications
| Consideration | Impact |
|---|---|
| Revenue recognition | Recognize when captured, not authorized |
| Refund complexity | Partial captures + partial refunds = reconciliation headaches |
| Interchange | Each capture may incur separate fees |
| Reporting | One order = multiple settlement records |
Implementation Checklist
Partial capture readiness:
□ Does your processor support multiple captures per auth?
□ Can your OMS track remaining auth balance?
□ How do you handle auth expiration mid-shipment?
□ Does your accounting system handle split captures?
□ What's your policy if remaining items are cancelled?
Common Pitfalls
| Pitfall | Prevention |
|---|---|
| Capturing more than auth | Track remaining balance |
| Auth expires between shipments | Re-authorize or ship faster |
| Lost track of captures | Single source of truth for auth state |
| Customer confusion | Explain multiple charges upfront |
"Can we do multiple captures against a single authorization? How do we track remaining authorized balance? What happens if we try to capture more than the remaining amount?"
Operational Best Practices
For Merchants
- Track authorization timestamps. Know exactly when each auth expires.
- Build automated capture triggers. When order ships, capture immediately.
- Void unused authorizations. Don't let them expire - release holds faster for customers.
- Use proper transaction indicators. Ensure processor flags transactions correctly for extended windows.
For Fraud Teams
- Segment by risk for capture timing. Not every transaction needs review.
- Set review SLAs inside the auth window. 7-day auth = 5-day max review SLA.
- Use void wisely. Softer than decline at auth for uncertain cases.
- Track void reasons. Analyze why transactions are voided to improve upstream detection.
Void vs. Refund: Which To Use
One of the most expensive mistakes SMBs make is refunding when they should have voided. The cost difference is real.
The Decision Tree
Cost Comparison
| Action | What Happens | Your Cost |
|---|---|---|
| Void (before capture) | Authorization hold releases. Transaction never settles. | $0 |
| Void (same-day after capture) | Some processors allow. Transaction reverses before settlement. | $0 - $0.10 |
| Refund (after settlement) | New transaction crediting the customer. Original interchange not returned. | Original interchange + refund fee (~$0.30) |
Real Money Example
A $100 order with 2.9% + $0.30 processing:
- Void before capture: You pay $0
- Refund after settlement: You pay $3.20 (interchange) + $0.30 (refund fee) = $3.50 lost
At 100 refunds per month, that's $350/month you could save by voiding earlier.
When to Void
| Scenario | Action |
|---|---|
| Order cancelled before fulfillment | Void |
| Fraud detected before capture | Void |
| Customer changes mind same day | Void (if still possible) |
| Duplicate authorization | Void the duplicate |
| Wrong amount authorized | Void and re-authorize |
When to Refund
| Scenario | Action |
|---|---|
| Customer returns product days later | Refund (partial or full) |
| Service complaint after delivery | Refund |
| Chargeback prevention (already settled) | Refund |
| Order already shipped | Refund (void not possible) |
Processor-Specific Behavior
Not all processors handle voids the same way:
| Processor Type | Same-Day Void | Next-Day Void |
|---|---|---|
| PayFac (Stripe, Square) | Usually works | Usually works (before batch close) |
| Traditional processor | Works before batch | Depends on settlement timing |
| Gateway + Processor | Check both systems | May need to void in gateway |
"What's our batch settlement schedule? Can we void transactions after capture but before batch close? What's the cutoff time?"
Operational Practice
- Build void-first workflows. When cancelling orders, check if void is possible before issuing refund.
- Track batch timing. Know your daily cutoff for same-day voids.
- Train support staff. "Can we void this?" should be the first question.
- Monitor void-to-refund ratio. High refund rate when voids were possible = money leak.
Next Steps
Just learning auth/capture?
- Check your processor's default behavior - auth-only or combined?
- Understand your auth validity window
- Learn what happens after capture
Optimizing your flow?
- Review auth optimization to improve approval rates
- Consider separated auth/capture for fraud review
- Track auth-to-capture timing to stay within windows
Troubleshooting issues?
- "Ghost charges" on statements - check if auths are being voided properly
- Declined at capture - auth expired or amount mismatch; see decline codes
- Amount mismatches - verify industry tolerance rules (tips, fuel, hotels)
See Also
- Authorization Windows Reference - Detailed network-specific timing
- Capture Operations - Holds, voids, partial captures
- Settlement & Reconciliation - Where money flows after capture
- Decline Codes - Why transactions fail
- Fraud Prevention - Using the auth-capture window for fraud review
- Chargeback Lifecycle - When auth timing affects disputes
- Auth Optimization - Improving approval rates
- Subscriptions & Recurring - Recurring billing patterns
- Processor Management - Multi-processor strategy
- Manual Review - Fraud review workflows
- Velocity Rules - Detection during auth window
- 3D Secure - Authentication step-up