From Swipe to Sale - What "AUTH" stands for in transactions?
image source - https://corefy.com/docs/products/payment-gateway/


A few days ago a colleague asked me to explain what 'pre-auth' is. I've come across it in payment systems, and it could refer to either pre-authorization or pre-authentication. However, when 'pre-auth' is used in the context of payments, it typically refers to pre-authorization, not pre-authentication.

Let's start from the beginning. When you think of transactions, either in-store or online, there is a sophisticated architecture at play behind the scenes. Layers of checks protect the integrity of the payment process, one being authentication and the other authorization.

Authentication is the first barrier. It is the process of verifying the individual's identity, using passwords, PINs, biometric data (like fingerprint or facial recognition), or OTPs sent via SMS or email. Once identity is authenticated, we move on to authorization, which determines which resources the user may access and which actions they are allowed to perform.

For example, at an early stage of a transaction, the identity of the user is first verified through authentication, and a nanosecond later the authorization process verifies whether the necessary funds are available and whether the customer can make the purchase.

In the payments context, in both online and in-store channels, there are multiple levels of authorization and authentication.

For in-store transactions, we have two key levels of authorization:

A) Bank terminal authorization - the first level of checks that occurs at the point of sale device.

  • Card validation - The bank terminal confirms the authenticity of the payment card using the card number, expiry date, and security features (CVV or chip) read from the SE (the secure element integrated in the card).
  • Transaction verification - The terminal validates the transaction details, purchase amount, merchant identification, and other relevant data.
  • Connection to processor - The terminal sets up a secure connection with the payment processor, which acts as a channel between the merchant and the card issuer.
  • Authorization request - Finally, the terminal sends an authorization request, including the transaction details and the customer's card information, to the payment processor.

B) Card issuer authorization - the next level of checks, carried out by the card issuer.

  • Cardholder verification - The issuer verifies the cardholder's information, possibly with steps like PIN verification or an OTP sent to the cardholder's registered device.
  • Available funds check - The issuer ensures that the cardholder has sufficient funds or credit to cover the transaction.
  • Risk assessment - The issuer screens for potential risk factors to detect any possible fraudulent activity.
  • Decision and response - Based on the above steps, the issuer either approves or declines the transaction, with the response sent back to the payment processor and the merchant's bank terminal.

In the case of online transactions, a similar process is followed, with slight changes due to the transaction's remote nature.

A) Transaction details collection & transmission to payment gateway (PG) - The merchant's website collects the necessary transaction details and transmits this information to the payment gateway using encryption protocols.

B) Payment Gateway (PG) authorization - This involves several steps, including data validation, connection to the card issuer, risk assessment, and potentially 3D Secure authentication for additional verification (like Verified by Visa or Mastercard SecureCode).

C) Card issuer authorization - Similar to the in-store process, this involves cardholder authentication, account verification, risk analysis, and a final decision and response.

The final step for both online and in-store transactions is settlement. Once the issuer approves the transaction, settlement initiates the transfer of funds from the cardholder's account to the merchant's account. This can happen in real time or in batch, depending on the payment system and the agreement between the merchant and the acquiring bank, typically T+1 (within one day from when the transaction occurred).

Coming back to the question, 'pre-auth' typically stands for 'pre-authorization'. It is a common practice with debit and credit card transactions, where a certain amount is temporarily 'blocked' to ensure the customer has the funds or credit limit to cover the transaction. Some of the use cases (which you have surely experienced at least once) are hotel bookings, car rentals, etc.
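
An added illustration (not part of the original article, and not any issuer's or card network's code) of the pre-authorization described above: a toy issuer account in which a hold blocks funds without moving them, and a later capture or release resolves the hold. The class, method names, response strings and amounts are assumptions made for this sketch, and it goes slightly beyond the text by showing the capture and release steps.

```python
from dataclasses import dataclass, field
from decimal import Decimal
import itertools

@dataclass
class IssuerAccount:
    """Toy issuer-side account: ledger balance plus open pre-authorization holds."""
    balance: Decimal
    holds: dict = field(default_factory=dict)   # hold_id -> blocked amount
    _ids: itertools.count = field(default_factory=lambda: itertools.count(1))

    def available(self) -> Decimal:
        # Funds already blocked by open holds cannot be authorized a second time.
        return self.balance - sum(self.holds.values(), Decimal("0"))

    def pre_authorize(self, amount: Decimal, cardholder_verified: bool):
        # Authentication comes first: no funds check for an unverified cardholder.
        if not cardholder_verified:
            return None, "DECLINED: cardholder not verified"
        if amount <= 0 or amount > self.available():
            return None, "DECLINED: insufficient funds"
        hold_id = next(self._ids)
        self.holds[hold_id] = amount            # block the funds, do not move them
        return hold_id, "APPROVED"

    def capture(self, hold_id: int, amount: Decimal) -> str:
        # Settlement: only an existing hold can be captured, up to the held amount.
        held = self.holds.get(hold_id)
        if held is None:
            return "REJECTED: unknown hold"
        if amount <= 0 or amount > held:
            return "REJECTED: capture exceeds hold"
        del self.holds[hold_id]                 # remainder of the hold is released
        self.balance -= amount
        return "CAPTURED"

    def release(self, hold_id: int) -> str:
        # Void the hold (e.g. rental car returned undamaged); no money moves.
        return "RELEASED" if self.holds.pop(hold_id, None) is not None else "REJECTED: unknown hold"


def demo():
    acct = IssuerAccount(balance=Decimal("500.00"))  # constructed sample values
    hotel, r1 = acct.pre_authorize(Decimal("300.00"), cardholder_verified=True)
    _, r2 = acct.pre_authorize(Decimal("250.00"), cardholder_verified=True)  # blocked by hold
    _, r3 = acct.pre_authorize(Decimal("10.00"), cardholder_verified=False)
    r4 = acct.capture(hotel, Decimal("350.00"))   # over the held amount
    r5 = acct.capture(hotel, Decimal("280.00"))   # final bill lower than the hold
    return [r1, r2, r3, r4, r5], acct.balance, acct.available()
```

The second request is declined even though the ledger balance is still 500.00, because the open hold has reduced the available amount to 200.00.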



Sania Sheren

AI Enabled | Master of Business Administration

1 year ago

Very informative, amazing article!

Raquel Rebelo

|FP&A|Senior Manager|Finance|Accounting|Audit|Tax|People Manager|INTERIMMANAGEMENT|

1 year ago

What an interesting article! Is it something that someone clicks, to what concerns the authorization, or is there any corporate governance / segregation of duties / KYC principles that should be applied? Like a Due Diligence. Those are the best practices, right?

Red Manalo Bamba

Product & Payments | Visa

1 year ago

I think I know what exactly inspired this post. Good read!

Stephen Swan

Managing Director - Fintech, Digital Payments and Platforms

1 year ago

Great post Marina Parac
