TL;DR: Transaction authorization and merchant approval are separate decisions at checkout, and banks often decline good customers because they lack richer context while sophisticated fraud still gets through, according to Signifyd. The governance problem is not just fraud scoring but decision quality at each control point, where thin data creates revenue loss, chargebacks, and avoidable customer friction.
At a glance
What this is: This is a fraud and commerce analysis of how bank authorization and merchant approval differ, and why thin issuer data creates false declines and fraud leakage.
Why it matters: It matters to identity and security practitioners because checkout trust, risk scoring, and access to richer signals increasingly shape whether legitimate users and hostile actors are allowed through.
By the numbers:
- In fact, according to Signifyd data, 15% of orders are falsely declined for authorization by banks.
- A healthy approval rate is highly variable, depending on vertical, product mix and risk appetite, but if your approval rate falls out of the mid-to-upper 90% range, it may signal overly strict fraud filters.
- In card-not-present transactions, authorization rates for online transactions are roughly 10 percentage points lower than for in-store transactions.
- 85%, le a good bank authorization rate sits at around 85%, even a modest 1% to 2% lift can have a big impact on your bottom line over time.
👉 Read Signifyd's analysis of approval vs. authorization transactions
Context
Transaction authorization is the issuer-side decision about whether a card payment can proceed, while approval is the merchant-side decision about whether the order should be fulfilled. The gap between those steps matters because fraud, false declines, and revenue leakage often arise when each party sees only part of the transaction story.
For practitioners working in fraud, identity verification, and payment risk, the key issue is decision quality under incomplete context. The article’s core claim is that richer pre-authorization signals can improve issuer decisions, which makes this a governance problem as much as a checkout optimisation problem.
Key questions
Q: What breaks when payment authorization data is too thin?
A: When issuers only see basic transaction fields, they are more likely to decline good customers and miss sophisticated fraud patterns. The result is a double loss: revenue falls because legitimate orders are blocked, and risk rises because complex fraud can still reach fulfilment. The control gap is incomplete context at the point of decision.
Q: Why do merchants need to care about issuer authorization decisions?
A: Because issuer decisions directly affect conversion and revenue before the merchant ever makes an approval call. If the bank declines a legitimate order, the merchant loses the sale even if its own fraud controls would have accepted it. Merchants therefore need visibility into authorization reasons, not just downstream chargebacks.
Q: How do you know if approval controls are too strict?
A: Look for approval rates that drift below expected ranges for your vertical, rising manual-review queues, and a growing share of legitimate customers being blocked. Those signals indicate that fraud controls may be overfitted to risk and are suppressing revenue. The right test is whether rejected orders later prove to have been good customers.
Q: Who is accountable when false declines and chargebacks rise?
A: Accountability is shared, but it is not ambiguous. The issuer owns the authorization decision, the merchant owns the approval decision, and both should be measured against the quality of the data they use. A governance model that assigns ownership for each stage makes root-cause analysis and remediation far more effective.
Technical breakdown
Authorization vs. approval: why the two decisions are not the same
Authorization happens at the issuer after the payment request travels through the gateway and card network. The issuer checks card status, funds, location, and basic fraud indicators, then returns an authorization code or decline. Approval happens later on the merchant side, where the order is assessed for deeper fraud signals, inventory constraints, and fulfilment risk before capture. The distinction matters because a bank can authorize a payment that the merchant should still stop, and a merchant can approve a bank-authorized order that later becomes a dispute.
Practical implication: map issuer decision points and merchant decision points separately, then measure where bad orders enter and where good orders are blocked.
Why thin issuer data drives false declines and fraud leakage
Issuers make rapid decisions with limited context, so they lean heavily on generic fraud rules and available balance checks. That approach is strong against obvious card issues, but weaker against account takeover, triangulation fraud, and other patterns that require behavioural or merchant-context signals. The result is a structural tradeoff: some legitimate orders are falsely declined, while some sophisticated fraud still clears the first gate and reaches fulfilment. This is a data-quality problem, not just a scoring problem.
Practical implication: enrich bank-facing decision data with behavioural and order-context signals before authorization where you can.
Pre-authorization as a data-enrichment control for payment decisions
Pre-authorization sits between the merchant and the issuer to filter out obvious fraud and add context before the bank makes its call. In practice, that means screening risky traffic early, sharing device and order history signals, and sending cleaner transactions to the issuer so its decision is based on a fuller picture. The control does not eliminate fraud liability, but it can reduce fees on doomed attempts and improve the quality of the authorization pool that reaches the bank.
Practical implication: treat pre-authorization as a control layer, then test whether it improves approval quality without pushing manual-review bottlenecks upstream.
Threat narrative
Attacker objective: The attacker objective is to validate stolen payment credentials or complete fraudulent purchases while avoiding early detection.
- Entry occurs when attackers submit card-testing or account-takeover transactions into the checkout flow, often as small, repeated payment attempts.
- Escalation follows when thin issuer data lets more sophisticated fraud pass the initial authorization screen and reach merchant approval or fulfilment.
- Impact is realised through chargebacks, authorization fees on doomed transactions, and lost revenue from false declines that block good customers.
NHI Mgmt Group analysis
Transaction authorization is a decision-quality problem, not just a fraud-score problem. Banks decide with limited context, so false declines and missed fraud are both predictable outcomes of thin data. That makes the governance question less about any single model and more about where richer signals should enter the control chain. Practitioners should evaluate authorization as a layered decision workflow, not a single pass or fail event.
Payment trust is increasingly a data-governance issue. The article shows that issuer decisions improve when merchants supply more context before the bank acts. That pattern mirrors broader security governance: controls fail when one party is asked to decide with incomplete evidence. For identity and fraud teams, the lesson is to treat behavioural and device signals as decision inputs with clear ownership, not as optional telemetry. Practitioners should define which signals are authoritative and when they are safe to share.
False declines are an operational risk with direct customer impact. When mid-to-upper 90% approval rates slip, teams should assume friction is being introduced somewhere in the decision chain, not that all declines are justified. Merchants need governance around manual review thresholds, issuer feedback loops, and post-decline analysis. The practical conclusion is that conversion protection and fraud control must be measured together.
Pre-authorization belongs in the broader identity and trust architecture. Even though this article sits in commerce risk, it intersects with identity verification because the signals being exchanged are used to judge whether a shopper is trustworthy. That boundary matters for practitioners in fraud, IAM, and trust and safety: the quality of the identity signal determines the quality of the transaction decision. Teams should therefore manage pre-auth data as part of a formal trust framework, not as a marketing or checkout tweak.
What this signals
Authorization quality will keep converging with identity and trust telemetry. As merchants and issuers rely on richer behavioural context, fraud teams will need clearer governance over which signals are authoritative, how long they are retained, and how they are shared across decision systems. The practical shift is toward controlled data enrichment, not simply tighter rules.
False-decline management is becoming a revenue-protection discipline. Organisations that still treat declines as a pure fraud metric will miss the operational cost of blocking good customers. That creates pressure to align checkout risk controls with customer identity confidence, appeal workflows, and post-decline analysis, especially where high-value orders are involved.
For practitioners
- Define separate issuer and merchant control objectives Document which decisions belong to the bank and which belong to the merchant, then assign explicit success metrics for each stage. Use authorization rate, approval rate, and chargeback rate as different control indicators rather than one blended KPI.
- Enrich pre-authorization signals before sending transactions upstream Pass device, order-history, and behavioural context into the pre-authorization path so issuers can distinguish legitimate customers from risky traffic with more confidence.
- Tune fraud filters against false-decline thresholds Review manual-review queues and fraud rules when approval rates fall below expected ranges, and compare decline reasons against customer value segments to find avoidable friction.
- Measure bank-side and merchant-side loss separately Track fees on doomed transactions, false declines, and chargebacks independently so you can see whether the problem is issuer conservatism, merchant over-filtering, or both.
- Create issuer feedback loops for declined legitimate orders Feed confirmed-good decline cases back into the authorization strategy so banks can improve future decisions and reduce recurring false declines for known customers.
Key takeaways
- Payment authorization and merchant approval solve different problems, and treating them as one control hides where losses actually occur.
- Signifyd cites 15% false declines and roughly 10 percentage points lower online authorization rates, showing that thin issuer data has measurable revenue consequences.
- Merchants that enrich pre-authorization signals and measure issuer and merchant outcomes separately are better positioned to reduce both fraud leakage and avoidable customer friction.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the technical controls, while GDPR define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Access and transaction decisions depend on trustworthy identity and entitlement signals. |
| NIST SP 800-53 Rev 5 | IA-5 | Authenticator and identity signal integrity affects whether transactions are trusted. |
| GDPR | Art.32 | Where behavioural or device data is used for fraud decisions, protection of personal data matters. |
Assess retention and sharing of checkout signals against Art.32 security and processing requirements.
Key terms
- Authorization Rate: The percentage of transactions that an issuing bank allows to proceed. It reflects how often issuer-side checks accept a payment request, and it is shaped by funds availability, card validity, location signals, and fraud filtering.
- Approval Rate: The share of bank-authorized transactions that a merchant chooses to fulfil. It is a merchant-side control outcome that depends on risk appetite, fraud review depth, inventory status, and operational thresholds for manual review or decline.
- False Decline: A legitimate transaction that is rejected by the issuer or merchant despite posing no real fraud risk. False declines create avoidable revenue loss and customer frustration, and they usually signal that decision makers lacked enough context to judge the transaction accurately.
- Pre-authorization: A process that enriches or filters payment data before the issuer makes its authorization call. It is used to remove obvious fraud early and provide additional context such as behaviour, device, or order history so that the bank can make a better decision.
What's in the full article
Signifyd's full article covers the operational detail this post intentionally leaves for the source:
- Detailed walkthroughs of authorization and approval decision flow, including who acts first and what signals each party can see.
- The article's full breakdown of authorization rate, approval rate, and chargeback rate calculations for ecommerce teams.
- Examples of how pre-authorization changes issuer decision quality and reduces fees on doomed transactions.
- Further explanation of why card-not-present commerce creates lower authorization rates than in-store transactions.
Deepen your knowledge
NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, identity lifecycle, secrets management, and workload identity. It gives identity and security practitioners a common control language for managing access, trust, and governance across modern programmes.
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org