Before finalizing a transaction, the merchant must submit an authorization request to the customer’s issuer. The issuer will respond with an alphanumeric message called an authorization code. In conjunction with the authorization code, the issuer may provide an authorization response, which could include one of the following:
- Approved indicates the card has not been reported lost or stolen, the account is in good standing, and the account has sufficient funds to cover the transaction.
- Declined indicates the card has been reported lost or stolen, the account is not in good standing, or there aren’t sufficient funds available to cover the transaction.
- Referral or Call indicates the issuer would like to discuss the situation with the merchant before proceeding.
- Hold or Pick Up Card indicates the card should be removed from circulation.
- Invalid Account Number indicates the issuer doesn’t have an account on file that matches the account number provided.
- Expired Card indicates the card is no longer valid.
Only transactions with an approved authorization code should be completed. The transaction should be terminated if any of the other codes are returned.
What Does the Authorization Process Entail?
Authorization is a conversation that happens between the issuer and merchant to determine whether the transaction should be approved or declined.
It is important to note that an “approved” authorization response simply indicates the account is in good standing, has enough funds or credit available to cover the transaction, and that the card hasn’t been reported lost or stolen. A transaction may be approved by the issuer, but still be reported as unauthorized by the cardholder if permission wasn’t granted to make the purchase.
Funds don’t move from the cardholder’s account to the merchant’s until the transaction is settled with the acquirer. However, the authorization process will freeze the cardholder’s credit or fund while available so the transaction can be finalized at a later time.
Transactions that are processed without authorization are susceptible to chargebacks.
Also referred to as:
- Issuer’s Response Code
- Authorization Response Code