TL;DR

Approval rate optimization is the work of getting more of your legitimate card transactions authorized by issuers on the first attempt. The average U.S. card-not-present merchant sits around 85 to 92 percent approval; high-performing operations close most of the remaining gap. That 8 to 12 point spread is recovered revenue, not new sales. The first move this week: pull the decline reason code report from your acquirer, separate soft declines from hard ones, and enroll in network tokens.

What this actually is

Approval rate, sometimes called authorization rate or auth rate, is the percentage of card transaction attempts that an issuing bank approves. The math is straightforward: approved authorizations divided by total auth attempts in a window, usually a month.

The Federal Reserve Payments Study tracks aggregate authorization data across U.S. card networks. Card-present transactions clear at high rates. Card-not-present sits closer to 85 percent on average, with subscription and digital goods merchants often running lower because of recurring card-on-file failures and aggressive issuer fraud scoring on virtual-goods MCCs.

Visa's authorization rules and Mastercard's Authorization Best Practices documents both spell out the issuer's decision criteria: the auth message contents, the merchant's history with that issuer, transaction size relative to the cardholder's typical pattern, and whether the merchant submitted enriched data such as network tokens, 3D Secure cryptograms, or recurring billing indicators.

The benchmark varies by vertical. Subscription SaaS sits 88 to 92 percent. E-commerce physical goods runs 90 to 94 percent. Digital goods and downloadable products often run 80 to 86 percent because of the elevated fraud rate on the underlying MCCs. Travel and event ticketing fluctuate based on cardholder reissue cycles and seasonal risk windows.

An approval is not the same as a settlement. An auth that clears can still be reversed, charged back, or refunded later. Approval rate measures the gate at the issuer, not downstream losses. Every decline at that gate is a sale that never happened, and the gap between your rate and your vertical's benchmark is recoverable.

Approval rate optimization is raising the share of legitimate card transactions issuers authorize on first attempt via better data, timing, and trust signals.

How it works under the hood

An authorization is a real-time message that travels through five parties in roughly 300 milliseconds: your checkout, your gateway, your acquirer, the card network (Visa, Mastercard, Amex, Discover), and the issuing bank. The issuer is the only party that approves or declines; everyone else is plumbing.

The issuer's decision engine weighs the auth message against several inputs:

  1. Cardholder velocity. How many transactions has this PAN seen in the last 60 minutes, 24 hours, and 7 days? A spike triggers fraud rules.
  2. Fraud scoring. FICO Falcon, Visa Advanced Authorization, and Mastercard Decision Intelligence each score the transaction risk between 0 and 999 before the issuer ever sees it. Issuers weight these scores heavily.
  3. BIN-level rules. Some issuers cap CNP transactions on certain BIN ranges, especially debit and prepaid cards.
  4. AVS and CVV match. Issuers see whether your gateway passed billing address and CVV, and whether those matched. A no-match does not always decline, but it adds risk weight.
  5. 3D Secure data. A 3DS 2.0 authenticated transaction with a successful liability shift signals lower risk; issuers approve these at higher rates and lower interchange.
  6. Network tokens versus raw PAN. A token is bound to a specific merchant and device; issuers trust them more. Mastercard and Visa both document approval lift on tokenized transactions relative to raw PAN.
  7. MCC reputation. Your merchant category code carries a fraud risk profile. A miscoded MCC, common after a vertical pivot, can drag approval by 3 to 5 points.
  8. Recurring indicators. If your transaction is a subscription renewal, the auth message must carry the recurring transaction indicator and either a stored credential framework reference or a network transaction ID from the original cardholder-initiated auth. Without these, issuers treat the renewal as a fresh CNP transaction and decline more aggressively.

The auth response carries a reason code. ISO 8583 response codes break into two operational categories: soft declines (code 05, 41, 51, 65, 91) where the issuer may approve on retry, and hard declines (code 04, 14, 54, 78) where retry is forbidden by network rules.

Beyond the response code, the auth message returns an AVS result code, a CVV result code, and, when applicable, a network token cryptogram verification. Each flows into your downstream analytics. A pattern of "declined with AVS mismatch but valid CVV" is recoverable through customer outreach. A pattern of "declined with no AVS attempted" is a misconfigured checkout, not an issuer problem.

Operator note

Every approval has both an interchange cost and an opportunity cost. A token-authenticated, 3DS-verified transaction typically clears at lower interchange than a raw PAN authorization. Approval lift and interchange reduction compound on the same volume.

Where it goes wrong for operators

Five patterns account for most of the gap between actual approval rate and the achievable rate.

1. Soft declines treated as hard. A merchant with $500K monthly volume and 88 percent approval has roughly $60K in declined attempts. If 35 percent of those are soft declines (typical), that is $21K of recoverable volume. Naive checkout flows show the customer a "card declined" screen and let them abandon. A retry on the same card 24 hours later, with the soft decline retry flag set, recovers 40 to 60 percent of these. That is $8K to $12K in recovered revenue every month.

2. No network tokens. Card networks have pushed token adoption since 2018. Issuers reward tokenized transactions with measurably higher approval rates than raw PAN, plus interchange savings on qualifying transactions. Stripe, Adyen, and Braintree all offer Visa Token Service and Mastercard Digital Enablement Service enrollment. Many merchants are not enrolled, often because the platform requires explicit activation. Even a modest few-point uplift at $1M monthly volume translates into tens of thousands in recovered transactions monthly.

Network tokens lift approval rates and cut interchange on qualifying volume. Most U.S. merchants are eligible and not yet enrolled.

3. Account updater not enabled. When a cardholder gets a new card, the issuer ships the new PAN to the networks' updater services (Visa Account Updater, Mastercard Automatic Billing Updater). If your processor is enrolled and you have opted in, the new credentials flow into your vault before the next billing cycle. Skipping this drives churn that looks like voluntary customer cancellation but is actually a hard decline on an expired card.

4. Wrong MCC. A SaaS company classified as "5734 Computer Software Stores" sees higher decline rates than the same business under "5817 Digital Goods Media" or a more accurate vertical code. A bookkeeping audit of your MCC against your actual product mix can recover 1 to 3 approval points.

5. Retry logic that triggers issuer blocks. Hitting the same card five times in 10 minutes after a 05 decline gets the BIN flagged, and every transaction on that BIN from your merchant ID declines for 24 hours. Visa's stored credential reattempt framework caps the number of retries within a defined window; exceeding the cap triggers an automatic issuer block.

Watch out

A naive retry loop can take down approval rates on hundreds of customers at once. Visa's reattempt cap applies at the BIN and merchant ID level, not the cardholder level. Once tripped, every active subscriber on that BIN declines for 24 hours.

Worked example with real numbers

Profile: a B2B SaaS company billing monthly subscriptions. Monthly card volume of $800,000, average ticket of $89, current approval rate of 89 percent on renewals.

Total monthly attempts: $800,000 / $89 = approximately 8,989 transactions, of which 11 percent (988) decline. That is $87,932 in declined volume every month.

How declines compound across an $800K monthly volume SaaS business.
Real-world example

Decline breakdown on this profile typically looks like: 35 percent soft declines (code 05, 51, 91), 25 percent expired card (code 54), 20 percent insufficient funds (code 51 repeats), 15 percent hard fraud declines (code 04, 43, 57), 5 percent stolen or restricted (code 41, 43). The 35 percent soft and 25 percent expired buckets are the recoverable ones.

Soft decline recovery via 24-hour retry: 35 percent of $87,932 = $30,776. At a 50 percent retry recovery rate: $15,388 recovered monthly.

Expired card recovery via account updater: 25 percent of $87,932 = $21,983. With a strong ABU recovery rate on B2B cards, roughly $16,500 recovered monthly in this scenario.

Network token uplift across all transactions: a modeled 3 percentage points on $800K volume = $24,000 in additional approvals monthly (illustrative, not guaranteed).

Total recovered: approximately $55,875 per month, or $670,500 per year, on a customer base of roughly 8,500 paying accounts.

Net of processing fees, the operator keeps the large majority of the recovered volume. That is more revenue than most companies recover from a full year of growth marketing spend at the same volume tier.

The fixed cost to capture it: network token enrollment (free through major processors), account updater enrollment (small per-update fees through most processors), and a checkout retry policy (engineering work, one to two weeks).

Operator playbook

Run this sequence in order. Each step takes a day or less, except step 5.

  1. Pull a 90-day decline reason code report from your acquirer. The report should break out every declined transaction by ISO 8583 response code, BIN range, and dollar amount. Ask for it by name: "decline reason code report by BIN." If your processor refuses, that is itself a signal to renegotiate.
  2. Segment the report into soft, hard, and recoverable buckets. Soft: 05, 41, 51, 65, 91. Hard: 04, 14, 54, 78. Expired (recoverable via updater): 54. Calculate the dollar value per bucket.
  3. Enroll in network tokens. On Stripe, this is one toggle in the dashboard under Payments > Settings. On Adyen, it is a request to your account manager. On Braintree, it is an API parameter. Confirm enrollment by checking that token_type appears as "network" in the auth response.
  4. Enable account updater. Visa Account Updater and Mastercard Automatic Billing Updater carry small per-update fees through most acquirers. The ROI is typically strong in the first month.
  5. Build retry logic that respects network rules. Soft declines: retry once at 24 hours, once at 72 hours. Hard declines: no retry. Recurring transactions: tag with the stored credential framework reference and the original network transaction ID. Cap retries to stay inside Visa's stored credential reattempt framework.
  6. Audit your MCC. Pull your merchant agreement, find the assigned MCC, and compare it against the Visa MCC list. If your business model has shifted (vertical pivot, new product line), request a reclassification. Approval rate typically moves 1 to 3 points within 30 days.
  7. Add CVV and AVS to every transaction. Some checkouts skip CVV on returning customers; that is a 2 to 4 point penalty on approval rates from issuers who weight CVV match heavily.
  8. A/B test 3DS 2.0 on borderline transactions. Apply 3DS only to transactions over a risk threshold (large amount, new device, mismatched AVS). The liability shift improves issuer trust and approval rates on the next renewal for that same cardholder.

Two cautions before you start: do not enable retry logic without rate caps, and do not enroll in network tokens without testing your vault migration path first. A botched token migration can take an entire customer base offline for renewals.