Anatoli Shevtsov — Payments and fintech product leader

Authorization Rate Optimization: A Payments PM’s Complete Guide

Authorization rate is one of the most important metrics in payments — and one of the least understood outside of payments teams. A small improvement in auth rate can mean millions in recovered revenue. A persistent decline can silently kill a product.

This guide covers what authorization rate actually means, what moves it, and how payments product managers can systematically improve it.

What Is Authorization Rate?

Authorization rate is the percentage of payment attempts that are approved by the issuing bank. It measures how often your customers’ transactions succeed at the bank level — before any of your own business logic runs.

The formula is simple: approved transactions divided by total attempted transactions. If 92 out of 100 payment attempts are approved, your authorization rate is 92%.

This metric is distinct from conversion rate (which includes the checkout experience) and from settlement rate (which deals with funds capture). Auth rate is specifically about what happens between the moment a card is submitted and the moment the issuer responds.

Why Authorization Rate Matters

For most online merchants, authorization rates sit somewhere between 85% and 97% depending on the business model, geography, card mix, and transaction type. The gap between 88% and 94% might not sound dramatic, but at meaningful transaction volume it’s enormous.

Consider a business processing $10M per month in payment attempts. Moving from 88% to 94% auth rate means recovering $600,000 in monthly revenue from transactions that previously declined. Annualized, that’s $7.2M — from an improvement that requires no new customers, no marketing spend, and no product changes visible to the user.

Auth rate also affects customer retention in ways that are hard to measure. A declined card is embarrassing and frustrating. Many customers don’t retry, don’t call support, and don’t return. Involuntary churn from failed payments is a significant hidden cost for subscription businesses.

The Authorization Flow: What Actually Happens

Understanding auth rate optimization starts with understanding the authorization flow itself. When a customer submits a payment:

  1. Your payment gateway or processor formats and transmits the transaction to the card network (Visa, Mastercard, etc.)
  2. The card network routes the authorization request to the issuing bank
  3. The issuer’s authorization engine evaluates the request against its risk rules, fraud models, and account status
  4. The issuer returns an approval or decline response code
  5. The response travels back through the network to your system

This entire round trip typically takes under two seconds. The issuer’s decision is what determines your authorization rate. You cannot directly control that decision — but you can significantly influence it.

Why Transactions Decline

Decline reasons fall into several categories, and knowing which category is driving your declines is the first step to optimization.

Soft Declines (Retriable)

Soft declines are temporary and retriable. Common causes include insufficient funds at the moment of charge, velocity limits triggered by multiple attempts in a short window, temporary issuer system issues, and requests for step-up authentication. Soft declines often resolve on retry, sometimes within minutes.

Hard Declines (Not Retriable)

Hard declines are terminal. The card is lost or stolen, the account is closed, the transaction type is blocked by the issuer, or the card has expired. Retrying a hard decline immediately wastes money, signals fraud to networks, and can get your merchant ID flagged. You need to distinguish these and handle them differently.

Do Not Honor (Generic Declines)

“Do not honor” (decline code 05) is the most common generic decline code. It means the issuer’s fraud model rejected the transaction without providing a specific reason. These are often the most recoverable declines — and the most important to understand, because they’re driven by issuer risk models that respond to how you present transactions.

Fraud-Related Declines

Issuers decline transactions they believe are fraudulent, based on behavioral signals, device fingerprints, location mismatches, and transaction velocity. Many legitimate transactions get caught in this net — so-called false positives — particularly for cross-border transactions and new cardholders.

The Key Levers for Authorization Rate Optimization

1. Transaction Data Quality

Issuers make better decisions when they have more accurate data. The most impactful data fields are billing address, CVV/CVC, cardholder name, and email address. Sending accurate billing address data and enabling Address Verification Service (AVS) matching consistently improves auth rates, particularly for card-not-present transactions.

Descriptor optimization also matters. The merchant name that appears in the authorization request should match what the cardholder expects to see. Mismatches between what a customer thinks they’re buying and what shows up in the auth request trigger legitimate-but-wrong fraud flags at the issuer.

2. Network Tokenization

Network tokens replace the raw PAN (Primary Account Number) with a token tied to the specific merchant-device-card combination. When a card is reissued — which happens millions of times per year due to fraud, expiry, or portfolio migrations — the network token automatically updates. Raw PANs become invalid and generate declines. Tokens stay current.

The auth rate lift from network tokenization is consistently measurable. Visa and Mastercard both report 2-4 percentage point improvements in authorization rates for tokenized transactions versus raw PANs. For subscription businesses with stored credentials, this is one of the highest-ROI improvements available.

3. 3D Secure Optimization

3DS2 (the modern version of 3D Secure) is a two-edged tool. Implementing it reduces fraud, which should improve long-term auth rates. But a poorly implemented 3DS flow increases friction, reduces conversion, and can actually hurt auth rates if you’re triggering authentication challenges unnecessarily.

The goal with 3DS is frictionless flow — where the issuer approves the transaction via passive risk signals without requiring the customer to complete a challenge. Frictionless 3DS typically adds less than 100ms to the payment flow and carries strong liability shift. For regulated markets like Europe (PSD2), getting 3DS right is non-negotiable; for others, it should be deployed strategically based on issuer response patterns.

4. Retry Logic and Intelligent Routing

Not all declines are final. A smart retry strategy — knowing which decline codes to retry, when to retry, and how to modify the retry attempt — can recover a meaningful percentage of initially declined transactions.

The key principles: never immediately retry hard declines (you’ll get flagged), space out retries of soft declines (typically 24-72 hours), vary the payment amount if appropriate for your business model, and consider routing the retry through a different acquirer or processor if you have that capability.
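The retry principles above can be expressed as a small scheduling policy. This is an added example, not code from the author or any processor; the code table, the attempt caps and the 24/48/72-hour spacing are assumptions to replace with your processor's own mapping and your own policy.

```python
from datetime import datetime, timedelta, timezone

APPROVED = "00"
# Constructed code table (assumption): ISO 8583-style response codes as commonly
# documented. Processors remap codes, so substitute your processor's own table.
CATEGORY = {
    "41": "hard", "43": "hard", "54": "hard", "57": "hard",  # lost, stolen, expired, not permitted
    "51": "soft", "65": "soft", "91": "soft",  # insufficient funds, velocity, issuer unavailable
    "05": "generic",                            # do not honor
}
# Hypothetical policy: total attempts allowed (first attempt included) per category.
MAX_ATTEMPTS = {"soft": 4, "generic": 2}
# Gap before retry 1, 2, 3: stays inside the 24-72 hour window from the text.
SPACING_HOURS = [24, 48, 72]


def next_retry(history):
    """history: list of (response_code, attempted_at) tuples, oldest first.

    Returns the datetime of the next allowed retry, or None to stop retrying.
    """
    if not history:
        raise ValueError("history must contain the original attempt")
    codes = [code for code, _ in history]
    last_code, last_time = history[-1]
    if last_code == APPROVED:
        return None
    # A hard decline anywhere in the history is terminal for this credential.
    if any(CATEGORY.get(c) == "hard" for c in codes):
        return None
    # Unmapped codes fail closed: no retry until someone classifies them.
    cap = MAX_ATTEMPTS.get(CATEGORY.get(last_code))
    if cap is None or len(history) >= cap:
        return None
    gap = SPACING_HOURS[min(len(history), len(SPACING_HOURS)) - 1]
    return last_time + timedelta(hours=gap)


# Constructed sample: insufficient funds, then a velocity decline a day later.
T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE = [("51", T0), ("65", T0 + timedelta(hours=24))]
```

Failing closed on unmapped codes keeps a processor-side remap from silently turning into retries against a hard decline.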

Intelligent routing — selecting which processor or acquirer to send a transaction through based on real-time success rate data — is the most sophisticated lever here. Different processors have different network relationships, routing rules, and issuer preferences. A transaction that declines through one route may approve through another. Payment orchestration platforms make this kind of dynamic routing practical at scale.

5. Stored Credential Frameworks

For recurring billing and subscriptions, how you signal stored credential usage to the network directly affects auth rates. MIT (Merchant-Initiated Transaction) flags, CIT (Customer-Initiated Transaction) flags, and proper use of the stored credential framework (SCF) all tell the issuer’s system how to evaluate the transaction.

An improperly flagged recurring transaction looks like a one-off card-not-present transaction with elevated fraud risk. A properly flagged MIT with the correct original transaction reference gets evaluated as the expected, pre-authorized recurring charge it actually is. The issuer’s risk model responds accordingly.

6. Issuer Partnerships and Visa/Mastercard Programs

At sufficient volume, direct issuer outreach is worth pursuing. Major issuers have merchant engagement programs — particularly for large recurring billers — where they can whitelist specific merchant category codes or adjust decline thresholds. This is a relationship-based effort that takes time, but for businesses processing hundreds of thousands of transactions per month with specific issuers, it can move the needle significantly.

Card network programs like Visa Account Updater (VAU) and Mastercard Automatic Billing Updater (ABU) automatically update stored card credentials when cards are reissued. If you’re not enrolled and you’re storing cards for recurring billing, you’re generating avoidable declines every time a card is reissued.

Measuring and Tracking Authorization Rate

To optimize auth rate, you need to measure it correctly. The most important breakdowns are by decline code, by issuer, by card type (credit vs debit, consumer vs commercial), by geography, and by transaction type (first-time purchase vs recurring).

Aggregate auth rate hides the signal. A 91% overall rate might be masking a 76% auth rate on cross-border transactions and a 97% rate on domestic ones. The cross-border declines are the problem — but you’d never see it without the breakdown.
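The breakdown described above, as an added example that is not the author's code: it computes the aggregate rate, the per-segment rate with the dominant decline code, and the segments that trail the aggregate. The record fields (`region`, `code`), the `min_gap` threshold and the sample data are constructed to reproduce the 91% / 76% / 97% figures in the text.

```python
from collections import Counter, defaultdict

APPROVED = "00"  # assumption: "00" marks an approval in the processor export


def overall_rate(attempts):
    return sum(a["code"] == APPROVED for a in attempts) / len(attempts)


def breakdown(attempts, key):
    """Per-segment auth rate and most frequent decline code, grouped by `key`."""
    stats = defaultdict(lambda: {"n": 0, "ok": 0, "declines": Counter()})
    for a in attempts:
        s = stats[a[key]]
        s["n"] += 1
        if a["code"] == APPROVED:
            s["ok"] += 1
        else:
            s["declines"][a["code"]] += 1
    return {
        seg: {
            "attempts": s["n"],
            "auth_rate": s["ok"] / s["n"],
            "top_decline": s["declines"].most_common(1)[0] if s["declines"] else None,
        }
        for seg, s in stats.items()
    }


def lagging(attempts, key, min_gap=0.05):
    """Segments whose auth rate trails the aggregate by at least min_gap."""
    base = overall_rate(attempts)
    return sorted(seg for seg, s in breakdown(attempts, key).items()
                  if base - s["auth_rate"] >= min_gap)


def sample_attempts():
    # Constructed data: 200 cross-border and 500 domestic attempts.
    # Code 05 is "do not honor"; 51 is assumed to mean insufficient funds.
    mix = [("cross_border", "00", 152), ("cross_border", "05", 36),
           ("cross_border", "51", 12), ("domestic", "00", 485),
           ("domestic", "51", 10), ("domestic", "05", 5)]
    return [{"region": r, "code": c} for r, c, n in mix for _ in range(n)]
```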

Most payment processors provide decline code data. The challenge is that decline codes are inconsistent — issuers don’t always return granular codes, and processors sometimes remap codes. Building a reliable decline analysis capability often requires working directly with your processor’s analytics team or using a payments intelligence platform that normalizes codes across networks.

Key metrics to track alongside raw auth rate: decline rate by code category, retry success rate, network tokenization coverage percentage, 3DS frictionless rate, and auth rate by issuer BIN range.

Authorization Rate vs. Approval Rate vs. Acceptance Rate

These terms are used inconsistently in the industry, which causes confusion. For clarity: authorization rate measures issuer approval of the transaction request. Approval rate is often used synonymously with auth rate. Acceptance rate sometimes refers to the broader funnel including checkout abandonment before a payment is even attempted.

When someone gives you a number without defining what it measures, ask: does this include soft declines? Does it include transactions that never reached the network? Is it calculated on unique customers or total attempts? The answers matter significantly for benchmarking and optimization.

Common Authorization Rate Optimization Mistakes

The biggest mistake is retrying too aggressively. Excessive retries on hard declines train issuer fraud models to treat your MID as a high-risk merchant, which depresses future auth rates on legitimate transactions. Card networks monitor retry behavior and can penalize merchants that abuse it.

A close second is ignoring the decline code data. Many teams track top-line auth rate without drilling into why transactions are declining. “Do not honor” at 12% of your transaction volume means something different from “insufficient funds” at 12%. The remediation is completely different.

Third: treating 3DS as a binary switch. Turning on 3DS everywhere reduces fraud but adds friction and can hurt conversion on low-risk transaction segments. The right approach is risk-based authentication — using 3DS selectively based on transaction risk signals, exemptions, and issuer preferences.

A Practical Authorization Rate Optimization Roadmap

For a product manager inheriting a payments system with suboptimal auth rates, here’s a prioritized starting point:

First, get the data. Pull 90 days of decline code data, segmented by issuer, card type, and geography. Identify the top three decline code categories by volume. This is where you’ll find the highest-leverage opportunities.

Second, audit your transaction data quality. Check AVS field coverage, CVV submission rates, and billing name accuracy. Fix any gaps. This is low-effort and has high impact.

Third, implement or audit network tokenization. If you’re not using Visa Token Service (VTS) or Mastercard Digital Enablement Service (MDES) for stored credentials, this is the highest-ROI initiative available for most subscription businesses.

Fourth, review your retry logic. Map your current retry behavior against decline code categories. Ensure you’re not retrying hard declines, and that your soft decline retry windows are appropriately spaced.

Fifth, evaluate payment orchestration. If you’re processing through a single processor, assess whether intelligent routing across multiple processors would materially improve your decline recovery on key routes.

Sixth, enroll in card updater programs. VAU and ABU should be active if you’re storing credentials for recurring billing.

Seventh, review 3DS strategy. If you’re in a regulated market, ensure compliance. If you’re not, assess whether selective deployment on high-risk transactions would improve your overall issuer relationship.

What a 6% Authorization Rate Improvement Looks Like

Sustained authorization rate improvement of several percentage points is achievable through the combination of network tokenization, data quality improvements, retry logic optimization, and intelligent routing. The work is methodical rather than dramatic — it’s the compounding effect of eliminating avoidable declines across each category.

The most important insight is that auth rate optimization is not a one-time project. Issuer models change, card mix shifts, transaction patterns evolve. The merchants with the highest sustained authorization rates are those who treat it as an ongoing operational discipline rather than a quarterly initiative.

Summary

Authorization rate optimization is one of the highest-leverage activities available to payments product managers. It requires no new customer acquisition, improves without adding friction to the user experience, and compounds over time as improvements to data quality, tokenization, and routing stack on top of each other.

The fundamentals are: understand why you’re declining, fix your data quality, implement network tokenization, tighten your retry logic, and route intelligently. Start with the data — the decline code breakdown will tell you exactly where to focus.

For a detailed breakdown of individual decline codes and recovery strategies, see Payment Decline Codes Explained.
