Skip to main content

Alright, ecommerce noobs, let’s get you paid! When launching your business, one of the first things you will tackle is figuring out how to manage ecommerce transactions with payment processing. Something that often causes confusion when you enter this world is the difference between credit card authentication and authorization.

In simple terms, authorization verifies the transaction's feasibility, while authentication confirms the identity of the person making the purchase. 

Let’s assume that in return for selling stuff in your ecommerce business you actually want to see some juicy payments appear in your bank account. Understanding the nuances of credit card processing systems is essential to being a successful online business…it’s probably the most essential thing to be honest!

Two terms that often come up and get confused, especially for new  small business owners, are 'authorization' and 'authentication'. While they might sound similar, their roles in the transaction process are distinct.


Credit Card Authorization: This is the process where a transaction gets preliminary approval. It checks if the cardholder's account has sufficient funds and ensures the credit card number is valid.

Credit Card Authentication: This step is about verifying the user’s identity. It ensures that the person making the online purchase is the legitimate cardholder.

Stay in the loop! Discover what’s new in the world of ecommerce.

Stay in the loop! Discover what’s new in the world of ecommerce.

  • Hidden
  • Hidden
  • By submitting this form, you agree to receive our newsletter, and occasional emails related to The Ecomm Manager. For more details, please review our Privacy Policy. We're protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
  • This field is for validation purposes and should be left unchanged.

Understanding Authorization

When a customer initiates an online transaction, the transaction details, including the billing address, are sent to the issuing bank or card issuer. The bank checks the cardholder’s account status and balance. An authorization process then verifies if there are sufficient funds. A response is sent back, either approving or declining the transaction. For ecommerce businesses, it's crucial to ensure every transaction is properly authorized to prevent chargebacks.

Here's a more detailed breakdown of how authorization works:

  1. Initiation: When a customer decides to make a purchase, they provide their credit card details at the point of sale, which could be a physical terminal or an online checkout page.
  2. Transmission: The merchant's payment system sends the transaction details, including the purchase amount and credit card information, to their acquiring bank or payment processor.
  3. Routing: The payment processor or acquiring bank routes the transaction details to the card network (e.g., Visa, MasterCard, Discover).
  4. Request to Issuing Bank: The card network then forwards the transaction details to the issuing bank, which is the financial institution that issued the credit card to the customer.
  5. Verification: The issuing bank checks several factors:
    • Funds Availability: It verifies if the cardholder's account has sufficient funds or available credit to cover the purchase.
    • Card Validity: It checks if the card is valid, not expired, and not reported as lost or stolen.
    • Security Checks: The bank may also perform additional security checks, such as matching the billing address provided with the one they have on file or verifying the CVV (Card Verification Value).
  6. Response: After verification, the issuing bank sends a response back through the card network to the payment processor or acquiring bank. This response can be:
    • Approved: The transaction can proceed, and the purchase amount is reserved or "held" against the cardholder's credit limit or account balance.
    • Declined: The transaction cannot proceed, usually because of insufficient funds, a security concern, or another issue with the card.
    • Referral: In rare cases, the response might ask the merchant to contact the card issuer for further instructions.
  7. Merchant Notification: The merchant receives the response (either approval or decline) and completes the transaction accordingly. If approved, the sale is finalized, and the customer receives their goods or services. If declined, the customer is notified, and an alternative payment method may be requested.
  8. Settlement: At the end of the business day, the merchant sends all approved authorizations in a batch to their acquiring bank or payment processor for settlement. The funds are then transferred from the issuing banks to the merchant's bank account, typically within a few days.


Authentication is about confirming the customer’s identity. Common authentication methods include:

  • PIN: An identification number entered during checkout.
  • Signature: Less common now but still used, especially for larger online purchases.
  • CVV (Card Verification Value): The three-digit code on the back of most credit cards.
  • 3D Secure (3DS): Developed by major card networks like Visa, MasterCard, and American Express, 3D Secure stands for "Three-Domain Secure." The three domains refer to:
    1. Acquiring Domain: This is the merchant and the acquiring bank. The acquiring bank is the financial institution that processes credit or debit card payments on behalf of a merchant.
    2. Issuing Domain: This refers to the bank that issued the credit or debit card to the cardholder.
    3. Interoperability Domain: This domain includes the infrastructure provided by the card networks to support the 3D Secure protocol. It ensures the correct and secure transmission of authentication data between the acquiring and issuing domains.
    When a cardholder makes an online purchase, the merchant's website can redirect the cardholder to the card issuer's website. Here, the cardholder may be asked to enter additional authentication details, such as a password, a one-time code sent to their mobile phone, or even biometric verification. Once the card issuer confirms the cardholder's identity, the transaction proceeds.The primary benefit of 3D Secure is that it adds an extra layer of security, ensuring that the person making the purchase has the right to use the card. This reduces the risk of fraudulent transactions and chargebacks. For consumers, it provides peace of mind, knowing that their card details are more secure. For merchants, it can lead to higher authorization rates and reduced fraud-related costs.
  • Security Questions: Often asked by financial institutions to verify the cardholder's identity.
  • Biometric: Methods like facial recognition or fingerprints.
  • Two-factor and Multi-factor Authentication: These involve a combination of something the user knows (like a password), something the user has (like a mobile phone), and something the user is (like biometrics).
  • CHAP (Challenge-Handshake Authentication Protocol): While more commonly associated with network protocols and VPNs, CHAP is a method that periodically verifies the identity of a user or device through a three-way handshake. In the context of e-commerce, it can be seen as an added layer of security for online transactions, ensuring both parties in a transaction are legitimate.
  • Geolocation: By tracking the geographical location of the transaction initiator, businesses can add an extra layer of security. Geolocation can help in identifying suspicious activities, like if a transaction is initiated from a location far from the cardholder's usual place of residence or business.

Best Practices for Small Businesses

Navigating the ecommerce payment world can be stressful. Here are some best practices to lower your risk and fight the good fight against fraud:

  • Stay Updated: Ensure your payment processor and software are up-to-date.
  • Employee Training: Train staff on the importance of the authentication process and payment authorization.
  • Multi-layered Security: Implement multi-factor authentication and two-factor methods.
  • Regular Audits: Review your payment processing and merchant account regularly.
  • Secure Infrastructure: Use secure connections like HTTPS and consider an Address Verification System (AVS) to prevent card fraud.


For those venturing into ecommerce, understanding the difference between credit card authorization and authentication is crucial. Your business's financial integrity is worth it. Need more support? Check out our ecommerce credit card processing guide.

Shopping for solutions? You're going to want to head on over to our credit card processing tools report!

Francois Marchand
By Francois Marchand

Francois Marchand is passionate about helping and educating business leaders, ecommerce professionals, and digital marketers grow their skill sets to stay ahead of the competition. Francois holds a BA Specialization in Communication Studies & Journalism from Concordia University (Montreal, QC) and 20+ years of experience in ecommerce, marketing, traditional and digital media, and public relations, including The Vancouver Sun, National Post, CBC/Radio-Canada, Unbounce, and Vancouver Film School.