In the first lesson we treated the checkout as a P&L. The single largest leak in that P&L usually is not the cart abandoner who never typed a card number. It is the authorization that reached the issuer, got a response code back, and failed. That failure is invisible on most dashboards because the customer saw a generic "your card was declined" and left, and the merchant logged one number: approval rate.
Approval rate is the ratio of approved authorizations to total authorization attempts on valid card volume. A point or two of movement here is worth more than almost any front-end conversion experiment, because it acts on transactions the customer already wanted to make. The work of this lesson is to take that one blunt number apart and find the parts you can actually move.
The funnel inside the funnel
Every card-not-present authorization passes through a chain: your gateway, the acquirer, the card network, and the issuer's authorization system. A decline can originate at any stage, but the large majority come from the issuer, and the issuer tells you why through a response code.
The first job is to stop reading approval rate as one number and start reading the decline distribution underneath it. Two merchants can both sit at 85 percent approval and have completely different problems: one is bleeding insufficient-funds declines on a subscription book, the other is getting fraud-suspicion declines on a thin data profile. The fix is different in each case, so the diagnosis has to come first.
Hard declines versus soft declines
The most useful cut is hard versus soft. A hard decline is a permanent "no": lost or stolen card (codes 41 and 43), expired card (54), invalid card number (14), closed or restricted account. Retrying a hard decline does nothing except waste an authorization attempt and, on some codes, raise a fraud flag.
A soft decline is a temporary "no" that may clear on its own: insufficient funds (51), issuer or network timeout (91), system malfunction (96), and the catch-all "do not honor" (05). Industry estimates put soft declines at roughly 80 to 90 percent of card-not-present failures, which is exactly why retry strategy is built around them.
The "do not honor" problem
Code 05, do not honor, is the response that most frustrates practitioners because it is a deliberate non-answer. The issuer has decided not to approve and is not telling you the real reason, which could be internal risk scoring, a velocity limit, a mismatch in the data it received, or genuine suspected fraud.
You cannot fix a 05 by reading the 05. You fix it by improving what you send the issuer before the 05 happens: cleaner cardholder data, network tokens instead of raw PANs (lesson 4), and richer authentication signals through 3DS 2 (lesson 6). Adyen and others note that better data quality and authentication move 05 declines more than any retry trick does.
Retry, but inside the rules
The reflex on a soft decline is to retry. The discipline is to retry on a schedule the networks permit, because both Visa and Mastercard now penalize blind reattempts.
The networks send a retry instruction with the decline. Mastercard maps responses to Merchant Advice Codes: MAC 01 means updated information is needed, MAC 02 means try again later, and MAC 03 means do not retry because the account is closed or fraudulent. A resubmission after a MAC 03 inside a 30-day window draws a fee. Visa runs an equivalent regime through its decline category codes and its Excessive Reattempts policy, in force since April 2022, which assesses fees on reattempts against accounts that will never approve.
So the rule is simple to state and easy to get wrong: read the advice code, never retry a hard decline or a MAC 03, and space soft-decline retries rather than hammering them. Recovery on soft declines drops sharply after the first few attempts, and most practitioners settle on three to five attempts spread over roughly 10 to 14 days, aligned where possible to a likely payday for insufficient-funds cases.
A worked example
Take a subscription business running 100,000 monthly recurring charges at an 84 percent first-attempt approval rate. That is 16,000 declines.
Pull the distribution and suppose it splits 70 percent soft (11,200) and 30 percent hard (4,800). The 4,800 hard declines are not a retry problem; they are an account-updater problem, because a large share are expired or reissued cards that network tokenization and account updater (lesson 4) would refresh automatically.
On the 11,200 soft declines, a coded retry policy that respects MACs and spaces attempts typically recovers a meaningful fraction rather than the headline "60 to 70 percent of all declines" figure vendors quote, which assumes ideal conditions. Even at a conservative 35 percent recovery on the soft bucket, that is roughly 3,900 charges saved per month. At a $40 average ticket, that is about $156,000 in monthly revenue that was sitting inside the response codes, not on the landing page.
The point of the example is the sequencing. You sort hard from soft first, route the hard bucket to data hygiene and account updater, and only then apply retry logic to the soft bucket within the rules. Run it in the wrong order and you pay reattempt fees to recover charges that were never recoverable.
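The retry rule and the sequencing above, as an added example that is not part of the original lesson: each decline is sorted hard versus soft before any retry is scheduled, and MAC 03 overrides the response code. The response codes and MAC meanings come from this lesson; the four-retry schedule, the action names and the sample records are assumptions, and Visa's decline category codes are not modeled.

```python
from collections import Counter
from datetime import date, timedelta

# Response codes exactly as listed in this lesson; other codes are not guessed at.
HARD_CODES = {"14", "41", "43", "54"}
SOFT_CODES = {"05", "51", "91", "96"}
# Assumed schedule inside the lesson's range: 4 retries across 13 days.
RETRY_OFFSETS_DAYS = (2, 5, 9, 13)


def triage(code, first_declined_on, mac=None, retries_made=0, payday=None):
    """Return (bucket, action, retry_date) for one declined authorization."""
    if mac == "03":                      # do not retry: closed or fraudulent
        return ("hard", "stop", None)
    if code in HARD_CODES:               # retrying cannot help; refresh the credential
        return ("hard", "fix_credentials", None)
    if code not in SOFT_CODES:           # unmapped code: never retry blindly
        return ("unknown", "manual_review", None)
    if mac == "01":                      # updated information needed first
        return ("soft", "request_updated_info", None)
    if retries_made >= len(RETRY_OFFSETS_DAYS):
        return ("soft", "stop", None)    # retry budget exhausted
    retry_on = first_declined_on + timedelta(days=RETRY_OFFSETS_DAYS[retries_made])
    window_end = first_declined_on + timedelta(days=RETRY_OFFSETS_DAYS[-1])
    # Insufficient funds: move the first retry to payday if it falls in the window.
    if code == "51" and retries_made == 0 and payday and first_declined_on < payday <= window_end:
        retry_on = payday
    return ("soft", "retry", retry_on)


def plan(declines):
    """Count actions for a batch of decline records (dicts)."""
    return Counter(triage(**d)[1] for d in declines)


# Constructed sample batch, not real transaction data.
DAY0 = date(2024, 3, 1)
SAMPLE = [
    {"code": "54", "first_declined_on": DAY0},
    {"code": "51", "first_declined_on": DAY0, "mac": "02", "payday": date(2024, 3, 8)},
    {"code": "05", "first_declined_on": DAY0, "mac": "03"},
    {"code": "91", "first_declined_on": DAY0, "retries_made": 4},
    {"code": "05", "first_declined_on": DAY0, "mac": "01"},
]

if __name__ == "__main__":
    for record in SAMPLE:
        print(record["code"], record.get("mac"), triage(**record))
    print(dict(plan(SAMPLE)))
```

The order of the checks is the point: a code 05 or 51 that arrives with MAC 03 never reaches the scheduler, so it cannot generate a reattempt fee.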
Where the lift actually hides
Approval-rate lift rarely comes from one heroic change. It comes from three places, in rough order of payoff.
First, data quality: sending the issuer complete, accurate, tokenized data so fewer transactions get a soft decline in the first place. Network features that improve the data shared with issuers are commonly cited as delivering a 1 to 2 percent authorization uplift on eligible volume, which is the realistic ceiling for most of these levers, not a 10 percent miracle.
Second, decline-aware retries: recovering the soft bucket without tripping network penalties. Third, keeping credentials current so the hard bucket shrinks before it ever reaches a retry queue.
The takeaway is that approval rate is a diagnostic, not a metric. Watching the single number tells you nothing actionable. Decomposing it into hard versus soft, then into response codes and merchant advice codes, tells you exactly which of the three levers to pull and how much it is worth. The funnel after the click is where the recoverable money lives, and the response code is the map to it.