The authorization flow is the synchronous, real-time messaging sequence initiated when a cardholder presents a payment instrument. The transaction request travels from the merchant to the acquirer, through the card network, to the issuing bank, which validates the account status, available balance, and risk score before returning an approval or decline code—all within milliseconds.
Glossary
Authorization Flow

What is Authorization Flow?
The real-time communication path between a merchant, acquirer, and issuer where a transaction is approved or declined based on available funds and risk assessment.
In modern fraud detection architectures, the authorization flow is the critical decision boundary where online inference occurs. The issuer's risk scoring engine evaluates the transaction against machine learning models and velocity checks during this brief window, making it the primary point for blocking fraudulent activity before funds are committed.
Frequently Asked Questions
Essential questions about the real-time communication path between merchants, acquirers, and issuers where transactions are approved or declined based on available funds and risk assessment.
An authorization flow is the real-time communication path between a merchant, acquirer, and issuer where a transaction is approved or declined based on available funds and risk assessment. The flow begins when a cardholder presents payment, triggering the merchant to send an authorization request through their acquirer (merchant's bank) to the card network. The network routes this request to the issuer (cardholder's bank), which validates the card, checks the account balance, and applies fraud detection rules. The issuer returns an authorization response code—typically an approval or decline—which propagates back through the network and acquirer to the merchant's point-of-sale terminal. This entire process must complete within sub-second latency, typically under 100-300 milliseconds, to avoid customer friction. The authorization places a hold on funds but does not transfer money; the actual settlement occurs later during clearing and settlement. Modern authorization flows incorporate real-time fraud scoring where machine learning models evaluate transaction risk before the issuer's final decision, adding layers of velocity checks, device fingerprinting, and behavioral anomaly detection to the traditional balance verification.
Key Characteristics of Authorization Flows
The authorization flow is the critical real-time decision path where a transaction is either approved or declined. Each characteristic below defines a distinct technical or operational dimension of this high-stakes process.
The Four-Party Model
The foundational structure of a payment authorization involves four distinct entities communicating in a precise sequence:
- Cardholder: Initiates the transaction at the point of sale.
- Merchant (Acquirer): The business accepting the payment, whose bank forwards the request.
- Acquiring Processor: The merchant's financial institution that routes the authorization request.
- Issuing Processor: The cardholder's bank that holds the funds and makes the final approve/decline decision. This model ensures liability and risk are distributed across known, authenticated parties.
ISO 8583 Message Structure
The universal standard for financial transaction messaging. An ISO 8583 message is a tightly packed binary or ASCII frame containing:
- Message Type Indicator (MTI): A 4-digit code defining the message function (e.g.,
0100for an authorization request,0110for a response). - Bitmaps: A binary map indicating which data elements are present, enabling efficient parsing.
- Data Elements: Standardized fields like Processing Code (DE 3), Transaction Amount (DE 4), and Response Code (DE 39). This strict schema allows heterogeneous systems across global networks to interoperate without ambiguity.
Online vs. Offline Authorization
Not all authorizations require a live connection to the issuer. The flow bifurcates based on connectivity and risk:
- Online Authorization: A real-time request is sent to the issuer for a definitive approve/decline. Required for most card-not-present transactions.
- Offline Authorization: The terminal itself makes a decision using risk parameters stored on the chip card and floor limits. Common in transit systems with low connectivity.
- Stand-In Processing (STIP): The network acts as a proxy issuer when the issuer's system is unavailable, applying pre-agreed risk thresholds to prevent service disruption.
The Authorization Response Codes
The issuer's decision is communicated via a standardized numeric code in the response message. Critical categories include:
- Approval (00): Transaction honored. Funds are earmarked for capture.
- Soft Decline (e.g., 51, 65): Insufficient funds or limit exceeded. The merchant can retry with a lower amount or different tender.
- Hard Decline (e.g., 05, 41): Do not honor or lost card. Retries are forbidden, and the card may be retained.
- Referral (01): The issuer requires the merchant to call for voice authentication before proceeding. These codes directly trigger the point-of-sale experience and fraud workflow.
Dual-Message vs. Single-Message
The authorization flow is decoupled from the financial settlement in most card networks, creating two distinct processing paradigms:
- Dual-Message System: Authorization (0100/0110) and Clearing (0220/0230) are separate transactions. The merchant authorizes first, then submits a batch for settlement later. This is the standard for credit cards.
- Single-Message System: The authorization request simultaneously triggers the financial transaction and settlement. Used for PIN-based debit networks where funds are debited immediately. This distinction impacts liquidity, reversals, and the timing of fraud detection windows.
Fallback and Exception Handling
A robust authorization flow must gracefully degrade when primary paths fail. Key mechanisms include:
- Chip-to-Magstripe Fallback: If the EMV chip is unreadable, the terminal falls back to reading the magnetic stripe, shifting liability to the merchant.
- Circuit Breaker Pattern: If the fraud scoring engine times out, the system defaults to a safe mode—typically declining the transaction or routing to a static rules engine.
- Idempotency Keys: A unique key generated by the acquirer ensures that a retried authorization request does not result in a duplicate charge, maintaining exactly-once semantics.
Authorization Flow vs. Capture vs. Settlement
A technical comparison of the three distinct stages in card payment processing, from initial approval to final fund transfer.
| Feature | Authorization Flow | Capture | Settlement |
|---|---|---|---|
Primary Function | Approve or decline a transaction in real-time based on funds availability and risk assessment | Instruct the issuer to transfer funds by finalizing an authorized transaction | The actual interbank movement of funds from the issuer to the acquirer to complete the transaction |
Timing | Real-time, sub-second (< 100ms P99 latency) | Deferred, typically end-of-day batch processing | Deferred, typically 1-3 business days after capture |
Funds Movement | |||
Funds Impact on Cardholder | Temporary hold placed on available balance | Hold converts to a pending charge | Charge posts to statement; balance permanently reduced |
Key Messaging Protocol | ISO 8583 (0100 Authorization Request / 0110 Authorization Response) | ISO 8583 (0220 Advice / 0230 Advice Response) or batch file | Automated Clearing House (ACH) or card network settlement file |
Fraud Scoring Window | Online inference with full feature store enrichment and risk scoring engine | Limited; post-auth fraud checks and velocity recalculation | Post-mortem analysis and chargeback monitoring |
Reversibility | Fully reversible via void or reversal message (ISO 8583 0400) | Reversible via void before settlement batch closes | Irreversible; requires a separate refund transaction or chargeback |
Idempotency Requirement |
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Explore the critical components and patterns that interact with the authorization flow to enable real-time fraud detection and reliable transaction processing.
Risk Scoring Engine
A specialized software component that aggregates multiple analytical signals and applies machine learning models to calculate a numerical score representing the probability of fraud for a given transaction. It operates within the strict latency budget of the authorization window.
- Combines velocity checks, device fingerprints, and behavioral models
- Returns a score typically between 0 and 1000 to the authorization system
- Must execute with P99 latency under 50ms to avoid customer friction
Idempotency Key
A unique value generated by the client to ensure that a single operation is executed exactly once, preventing duplicate side effects in the event of network retries. Critical for payment authorization where a retry could result in a double charge.
- Typically a UUID v4 or a hash of the transaction payload
- Stored by the server and checked on subsequent requests
- Enables safe retry logic without risking duplicate financial postings
Circuit Breaker Pattern
A software design pattern that prevents a system from repeatedly trying an operation likely to fail, allowing it to fail fast and gracefully degrade when an external service is unavailable. In authorization flows, this protects the payment ecosystem from cascading failures.
- Three states: Closed (normal), Open (failing), Half-Open (testing recovery)
- Prevents resource exhaustion when the issuer or network is unresponsive
- Often paired with a fallback mechanism like stand-in processing
Data Enrichment
The process of augmenting a raw transaction event in real-time with additional contextual data from external services. This transforms a basic authorization request into a feature-rich event for accurate risk assessment.
- Adds device fingerprinting data to identify returning devices
- Incorporates geolocation and IP intelligence for velocity checks
- Joins against watchlists and known fraud indicators via stream-table joins
Backpressure Handling
A flow control mechanism that prevents a fast data producer from overwhelming a slower consumer by applying a feedback signal to slow down or buffer the incoming data stream. Essential when authorization traffic spikes during peak shopping periods.
- Implemented via reactive streams or message queue depth monitoring
- Prevents out-of-memory errors in scoring engines
- Can trigger adaptive throttling to maintain system stability

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us