Inferensys

Glossary

Authorization Flow

The real-time communication path between a merchant, acquirer, and issuer where a transaction is approved or declined based on available funds and risk assessment.
Risk analyst performing AI risk assessment on laptop, risk matrices visible, casual office risk session.
PAYMENT NETWORK FUNDAMENTALS

What is Authorization Flow?

The real-time communication path between a merchant, acquirer, and issuer where a transaction is approved or declined based on available funds and risk assessment.

The authorization flow is the synchronous, real-time messaging sequence initiated when a cardholder presents a payment instrument. The transaction request travels from the merchant to the acquirer, through the card network, to the issuing bank, which validates the account status, available balance, and risk score before returning an approval or decline code—all within milliseconds.

In modern fraud detection architectures, the authorization flow is the critical decision boundary where online inference occurs. The issuer's risk scoring engine evaluates the transaction against machine learning models and velocity checks during this brief window, making it the primary point for blocking fraudulent activity before funds are committed.

AUTHORIZATION FLOW

Frequently Asked Questions

Essential questions about the real-time communication path between merchants, acquirers, and issuers where transactions are approved or declined based on available funds and risk assessment.

An authorization flow is the real-time communication path between a merchant, acquirer, and issuer where a transaction is approved or declined based on available funds and risk assessment. The flow begins when a cardholder presents payment, triggering the merchant to send an authorization request through their acquirer (merchant's bank) to the card network. The network routes this request to the issuer (cardholder's bank), which validates the card, checks the account balance, and applies fraud detection rules. The issuer returns an authorization response code—typically an approval or decline—which propagates back through the network and acquirer to the merchant's point-of-sale terminal. This entire process must complete within sub-second latency, typically under 100-300 milliseconds, to avoid customer friction. The authorization places a hold on funds but does not transfer money; the actual settlement occurs later during clearing and settlement. Modern authorization flows incorporate real-time fraud scoring where machine learning models evaluate transaction risk before the issuer's final decision, adding layers of velocity checks, device fingerprinting, and behavioral anomaly detection to the traditional balance verification.

TRANSACTION LIFECYCLE

Key Characteristics of Authorization Flows

The authorization flow is the critical real-time decision path where a transaction is either approved or declined. Each characteristic below defines a distinct technical or operational dimension of this high-stakes process.

01

The Four-Party Model

The foundational structure of a payment authorization involves four distinct entities communicating in a precise sequence:

  • Cardholder: Initiates the transaction at the point of sale.
  • Merchant (Acquirer): The business accepting the payment, whose bank forwards the request.
  • Acquiring Processor: The merchant's financial institution that routes the authorization request.
  • Issuing Processor: The cardholder's bank that holds the funds and makes the final approve/decline decision. This model ensures liability and risk are distributed across known, authenticated parties.
< 3 seconds
Typical Total Round-Trip
02

ISO 8583 Message Structure

The universal standard for financial transaction messaging. An ISO 8583 message is a tightly packed binary or ASCII frame containing:

  • Message Type Indicator (MTI): A 4-digit code defining the message function (e.g., 0100 for an authorization request, 0110 for a response).
  • Bitmaps: A binary map indicating which data elements are present, enabling efficient parsing.
  • Data Elements: Standardized fields like Processing Code (DE 3), Transaction Amount (DE 4), and Response Code (DE 39). This strict schema allows heterogeneous systems across global networks to interoperate without ambiguity.
03

Online vs. Offline Authorization

Not all authorizations require a live connection to the issuer. The flow bifurcates based on connectivity and risk:

  • Online Authorization: A real-time request is sent to the issuer for a definitive approve/decline. Required for most card-not-present transactions.
  • Offline Authorization: The terminal itself makes a decision using risk parameters stored on the chip card and floor limits. Common in transit systems with low connectivity.
  • Stand-In Processing (STIP): The network acts as a proxy issuer when the issuer's system is unavailable, applying pre-agreed risk thresholds to prevent service disruption.
04

The Authorization Response Codes

The issuer's decision is communicated via a standardized numeric code in the response message. Critical categories include:

  • Approval (00): Transaction honored. Funds are earmarked for capture.
  • Soft Decline (e.g., 51, 65): Insufficient funds or limit exceeded. The merchant can retry with a lower amount or different tender.
  • Hard Decline (e.g., 05, 41): Do not honor or lost card. Retries are forbidden, and the card may be retained.
  • Referral (01): The issuer requires the merchant to call for voice authentication before proceeding. These codes directly trigger the point-of-sale experience and fraud workflow.
05

Dual-Message vs. Single-Message

The authorization flow is decoupled from the financial settlement in most card networks, creating two distinct processing paradigms:

  • Dual-Message System: Authorization (0100/0110) and Clearing (0220/0230) are separate transactions. The merchant authorizes first, then submits a batch for settlement later. This is the standard for credit cards.
  • Single-Message System: The authorization request simultaneously triggers the financial transaction and settlement. Used for PIN-based debit networks where funds are debited immediately. This distinction impacts liquidity, reversals, and the timing of fraud detection windows.
06

Fallback and Exception Handling

A robust authorization flow must gracefully degrade when primary paths fail. Key mechanisms include:

  • Chip-to-Magstripe Fallback: If the EMV chip is unreadable, the terminal falls back to reading the magnetic stripe, shifting liability to the merchant.
  • Circuit Breaker Pattern: If the fraud scoring engine times out, the system defaults to a safe mode—typically declining the transaction or routing to a static rules engine.
  • Idempotency Keys: A unique key generated by the acquirer ensures that a retried authorization request does not result in a duplicate charge, maintaining exactly-once semantics.
PAYMENT LIFECYCLE STAGES

Authorization Flow vs. Capture vs. Settlement

A technical comparison of the three distinct stages in card payment processing, from initial approval to final fund transfer.

FeatureAuthorization FlowCaptureSettlement

Primary Function

Approve or decline a transaction in real-time based on funds availability and risk assessment

Instruct the issuer to transfer funds by finalizing an authorized transaction

The actual interbank movement of funds from the issuer to the acquirer to complete the transaction

Timing

Real-time, sub-second (< 100ms P99 latency)

Deferred, typically end-of-day batch processing

Deferred, typically 1-3 business days after capture

Funds Movement

Funds Impact on Cardholder

Temporary hold placed on available balance

Hold converts to a pending charge

Charge posts to statement; balance permanently reduced

Key Messaging Protocol

ISO 8583 (0100 Authorization Request / 0110 Authorization Response)

ISO 8583 (0220 Advice / 0230 Advice Response) or batch file

Automated Clearing House (ACH) or card network settlement file

Fraud Scoring Window

Online inference with full feature store enrichment and risk scoring engine

Limited; post-auth fraud checks and velocity recalculation

Post-mortem analysis and chargeback monitoring

Reversibility

Fully reversible via void or reversal message (ISO 8583 0400)

Reversible via void before settlement batch closes

Irreversible; requires a separate refund transaction or chargeback

Idempotency Requirement

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.