The Authorization Process for Credit Cards

Every time a credit card purchase is made, different financial institutions communicate with one another to make sure the payment is processed. This process is called authorization, and it's the first step in the credit card processing work flow, before batching and settlement. Credit card authorization is a data-intensive process that adheres to strict security protocols.


A merchant account is required for a business to authorize credit card sales. A merchant account verifies credit card purchases and allows sales proceeds to be deposited into a business bank account. Merchant account costs can include setup fees, a credit card terminal, a flat fee for each credit card transaction and a fixed percentage of each credit card purchase.


The credit card authorization process begins when credit card data is given to a merchant for a purchase. The merchant account then sends the card number, transaction amount and merchant ID to a card association network like VISA or MasterCard. The card association network sends the purchase information to the bank that issued the card, and the bank checks to see that the card is in good standing and has enough credit available to make the purchase. The bank either accepts or rejects the transaction and then sends this decision through the association network back to the merchant.


Merchants have to authorize credit card purchases in different ways. Merchants are categorized as card-present and card-not-present retailers. Card-present retailers use a physical terminal and card-not-present retailers accept credit card payments by mail order, phone, or over the Internet. Card-not-present retailers take additional steps to verify data in the authorization process. Card-not-present retailers have higher rates of charge-backs and have to pay higher merchant account fees as a result.


Industry standards have evolved to help protect merchants, banks and payment networks to prevent fraud in the authorization process. All merchants have to abide by the PCI Data Security Standard, which is a three-step process that monitors how a merchant verifies card holder information, stores financial data and reports security breaches. The electronic transfer association describes merchant processing risk programs as "dynamic and adaptable to combat the latest criminal tactics."