Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a small business, getting paid reliably matters. But so does doing it properly - especially when you’re dealing with customer card payments and any related personal information.
That’s where credit card authorisation often comes in. Whether you’re taking a deposit, charging a cancellation fee, holding a bond, or billing ongoing services, an authorisation can help you manage cashflow and reduce “no show” risk.
At the same time, this can be a high-risk area if you don’t set it up carefully. A poorly worded authorisation, unclear customer consent, or unsafe handling of card details can lead to chargebacks, complaints, and (in some cases) issues with regulators and/or your payment provider.
Below, we’ll break down how credit card authorisation works in Australia, the legal and compliance issues you should be thinking about, and the practical steps you can take to protect your business while staying customer-friendly. This article is general information only and isn’t legal, financial or security advice.
What Is Credit Card Authorisation (And How Is It Different To A Pre-Authorisation Or A Deposit)?
In plain terms, credit card authorisation is a customer giving you permission to charge their credit (or debit) card under agreed conditions.
You’ll commonly see it used in situations like:
- taking a booking deposit for services;
- charging a cancellation or no-show fee;
- charging for damage, late returns, or additional time (for hire businesses);
- billing invoices on completion (for example, after a consult, delivery, or milestone);
- recurring billing (subscription-style services).
Authorisation vs “Pre-Authorisation Hold”
A pre-authorisation (often called a “hold”) is when a certain amount is temporarily reserved on the customer’s card, but not actually charged yet. This is common in accommodation, car hire, and some event-based businesses.
Whether your payment provider can do a “hold” depends on the provider, card type, and settings. From a compliance and dispute-prevention perspective, the key issue is that customers should be told clearly:
- that a hold may be placed;
- the amount;
- how long it may remain pending; and
- when it could become an actual charge (and why).
Authorisation vs Deposit
A deposit is usually an amount actually charged upfront. Deposits can be refundable, partially refundable, or (in limited circumstances) potentially kept if a customer cancels - but you generally need clear terms and you must still comply with Australian Consumer Law (ACL).
If you’re relying on deposits and cancellation terms, it’s worth checking that your approach aligns with the cancellation fee principles under the ACL.
When Should Your Business Use Credit Card Authorisation?
Credit card authorisation can be useful, but it shouldn’t be your default solution for every situation. The best approach depends on your business model, your customers, and how you deliver your product or service.
Common Use Cases For Small Businesses
- Bookings-based services: salons, clinics, coaching, tradies, photographers, consultants.
- Hire and rental businesses: equipment hire, party hire, vehicle hire, short-term rentals.
- Online and phone orders: custom goods, made-to-order products, backordered stock.
- Memberships and subscriptions: recurring service delivery with monthly billing.
A Quick “Should We Use It?” Checklist
Credit card authorisation tends to make sense if:
- you incur real costs when a customer cancels late or doesn’t show;
- final charges can’t be calculated until after delivery (for example, time-based work or variable usage);
- you’re exposed to damage/loss risk (bond-style arrangements); or
- you need a smoother payment process (for example, post-service billing) without chasing invoices.
On the other hand, if you can take payment at checkout easily, you may be better off using clear payment terms and invoices instead. Setting strong payment processes upfront (including due dates and late payment consequences) is often simpler than collecting or storing card details - for example, through clear invoice payment terms.
What Laws And Rules Apply To Credit Card Authorisation In Australia?
When you use credit card authorisation, you’re dealing with more than just a “signed form”. You’re also dealing with consumer law, privacy and data handling obligations, and your payment provider/card scheme rules.
1) Australian Consumer Law (ACL): Clear Terms, Fair Practices
If you supply goods or services to customers in Australia, you generally need to comply with the ACL. In a credit card authorisation context, this often shows up in disputes about:
- cancellation fees and no-show fees;
- refunds and disputes over what was agreed;
- misleading pricing statements (for example, “$0 cancellation” marketing, followed by a fee); and
- whether a term is unfair (particularly for standard form consumer contracts, where unfair contract term rules can apply).
If you offer warranties or talk about “warranty periods” in your policies (including for services bundled with products), make sure your statements don’t cut across consumer guarantees. A common point of confusion is “two-year warranty” messaging - your obligations under the consumer guarantees may still extend beyond that period depending on the goods, so it’s worth understanding the ACL warranty landscape.
2) Privacy And Data Security: Handling Card Details Carefully
Credit card details are highly sensitive. Whether or not your business is covered by the Privacy Act 1988 (Cth) will depend on your circumstances (for example, many private sector businesses with annual turnover of $3 million or less are not covered, but there are important exceptions). Regardless, you should treat card data as confidential and apply strong security practices.
The big risk areas are:
- collecting more information than you need;
- storing card details in unsafe places (for example, spreadsheets, email inboxes, paper forms left in a drawer);
- keeping details for longer than necessary; and
- not telling customers clearly how their information will be used and stored.
If you collect personal information as part of the authorisation process (name, contact details, booking details), having a clear Privacy Policy is often a key part of setting expectations and reducing complaints.
Card storage is a topic where small “admin shortcuts” can create big legal and reputational risk. If you’re thinking about storing card details at all, it’s worth reading about storing credit card details and the compliance steps businesses commonly need.
3) Payment Provider And Card Scheme Rules (Including PCI DSS)
Even where Australian legislation doesn’t spell out every operational requirement for card handling, your payment provider agreement and the card scheme rules (and security standards like PCI DSS) often impose strict requirements. These requirements are usually contractual/industry standards (through your provider and the card networks), not “Australian laws” as such - but they can still have serious consequences if you breach them.
Practically, this can mean:
- you may be prohibited from storing full card numbers and/or CVV details;
- you may need to use tokenisation or a secure vault provided by your payment provider;
- you may need to meet data security standards and reporting requirements; and
- you may be exposed to chargebacks if the authorisation is unclear or disputed.
It’s also why many businesses choose to avoid handling raw card details entirely, and instead use secure payment links, invoices, or direct debit arrangements.
4) Pricing And Surcharges: Don’t Surprise Customers
If your authorisation includes surcharges (for example, “a 1.5% card fee will apply”), be careful. In Australia, card payment surcharges generally must not be excessive (they should reflect the cost of acceptance), and customers should be told about them clearly before they pay.
As a general rule, you want customers to understand what they’ll pay, when they’ll pay it, and any fees that may apply. If you advertise prices, ensure your approach aligns with advertised price laws.
How Do You Set Up A Compliant Credit Card Authorisation Process?
A good authorisation process is not just “paperwork”. It’s a customer communication and risk management system.
Here’s a practical way to build a process that is clearer, safer, and easier to enforce if something goes wrong.
1) Be Specific About What The Customer Is Agreeing To
Your authorisation should clearly state:
- Who is authorising the charge (customer name);
- What card will be charged (ideally through a secure payment method rather than writing details on a form);
- What amounts may be charged (or how they will be calculated);
- When the charge may happen (for example, “if you cancel within 24 hours”); and
- Why the charge may happen (for example, “to cover reserved staff time and preparation costs”).
If your terms are vague - like “we may charge your card for any costs” - you’re more likely to face disputes and chargebacks.
2) Make Consent Active (Not Hidden)
From a practical enforcement standpoint, you want evidence the customer actively agreed. Depending on your sales channel, that might be:
- a tick box at checkout referencing your cancellation policy and payment authority;
- an online form with a clear authorisation statement;
- an email confirmation where the customer replies “I agree”; or
- a signed paper form (used carefully, with strong security).
Where possible, avoid “buried consent” where the authorisation is hidden inside long terms no one reads. Clarity now prevents arguments later.
3) Use Secure Collection And Storage Methods
If you can avoid collecting raw card details, do it. Common safer options include:
- payment links sent by your payment provider;
- tokenised card storage (where the provider stores the card and you store a token);
- direct debit arrangements for ongoing billing; or
- invoice-based payment with clear due dates and follow-up.
If you’re considering direct debit instead of card authorisation (especially for recurring services), make sure your sign-up flow and wording align with direct debit laws.
4) Build In A Fair Dispute-Handling Pathway
Even with the best paperwork, disputes happen. You’ll want a process that:
- gives the customer a clear way to raise issues;
- documents your decision-making (what happened, what you charged, why); and
- supports a reasonable resolution (partial refunds, rescheduling options, credits) where appropriate.
This matters not only for customer trust, but also because chargeback processes often look at whether the merchant’s policies were disclosed, understood, and applied consistently and fairly.
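As an added worked example (not Sprintlaw’s code, and not any payment provider’s API), the Python module below turns steps 1 to 4 into a record a business could actually keep: it stores only a provider token and the last four digits (never the full card number or CVV), captures the who/what/amount/when/why of the authority, records how the customer actively consented, enforces a retention date, checks a proposed charge against the stored authority, and keeps a decision log for disputes. All field names, consent method labels, the token value and the sample booking are assumptions constructed for illustration.

```python
# Added example, not Sprintlaw's code or any payment provider's API.
# Models the record a small business keeps for a card authorisation: a provider
# token plus last four digits only, the who/what/amount/when/why of the authority,
# evidence of active consent, a retention date, and a decision log for disputes.
# Field names, consent labels and sample values are assumptions for illustration.
from datetime import datetime, timedelta, timezone
import re

# Data that must stay with the payment provider. Holding it yourself is exactly
# what card scheme rules and PCI DSS are designed to prevent.
FORBIDDEN_FIELDS = {"card_number", "pan", "cvv", "cvc", "expiry", "magstripe"}

# Consent methods treated as "active" (the customer clearly agreed), as opposed
# to consent buried inside long terms.
ACTIVE_CONSENT = {"checkbox", "online_form", "email_reply", "signed_form"}

# Catches a card number typed into a free-text field such as "notes":
# 13 to 19 digits, optionally separated by spaces or dashes.
PAN_PATTERN = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

REQUIRED_FIELDS = {
    "customer_name",     # who is authorising
    "card_token",        # provider-issued token, not the card itself
    "card_last4",        # masked display value only
    "max_amount_cents",  # what may be charged (upper limit)
    "trigger",           # when a charge may happen
    "reason",            # why a charge may happen
    "consent_method",    # how the customer agreed
    "consent_at",        # when they agreed
    "retain_until",      # when the token and record are deleted
}

# Constructed clock for the sample record (assumption, not real data).
SAMPLE_CONSENT_AT = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)


def at(days: int) -> datetime:
    """Return a point in time `days` after the sample consent (test clock)."""
    return SAMPLE_CONSENT_AT + timedelta(days=days)


def validate_authorisation(record: dict) -> list:
    """Return a list of problems; an empty list means the record is safe to store."""
    problems = []
    keys = set(record)
    for name in sorted(FORBIDDEN_FIELDS & keys):
        problems.append(f"forbidden field stored: {name}")
    for name in sorted(REQUIRED_FIELDS - keys):
        problems.append(f"missing field: {name}")
    for name, value in record.items():
        if isinstance(value, str) and PAN_PATTERN.search(value):
            problems.append(f"possible card number in free-text field: {name}")
    if record.get("consent_method") not in ACTIVE_CONSENT:
        problems.append("consent is not active (buried or absent)")
    if len(str(record.get("card_last4", ""))) != 4:
        problems.append("card_last4 must be exactly four digits")
    if record.get("max_amount_cents", 0) <= 0:
        problems.append("max_amount_cents must be a positive cap")
    return problems


def may_charge(record: dict, amount_cents: int, now: datetime) -> tuple:
    """Check a proposed charge against the stored authority before sending it to the provider."""
    if validate_authorisation(record):
        return False, "record failed validation"
    if now > record["retain_until"]:
        return False, "authority expired; token should already have been deleted"
    if amount_cents > record["max_amount_cents"]:
        return False, "amount exceeds the authorised maximum"
    return True, "within authority"


def log_event(record: dict, now: datetime, action: str, amount_cents: int, detail: str) -> int:
    """Append to the decision log used if the customer disputes a charge; returns log length."""
    record.setdefault("events", []).append(
        {"at": now.isoformat(), "action": action, "amount_cents": amount_cents, "detail": detail}
    )
    return len(record["events"])


def sample_record() -> dict:
    """Constructed sample: a 24-hour-notice booking authority for a salon appointment."""
    return {
        "customer_name": "A. Customer",
        "card_token": "tok_example_123",  # placeholder, not a real provider token
        "card_last4": "4242",
        "max_amount_cents": 5000,
        "trigger": "cancellation within 24 hours of the booking, or no-show",
        "reason": "to cover reserved staff time and preparation costs",
        "consent_method": "checkbox",
        "consent_at": SAMPLE_CONSENT_AT,
        "retain_until": at(30),
        "notes": "",
    }


if __name__ == "__main__":
    rec = sample_record()
    print("problems:", validate_authorisation(rec))
    ok, why = may_charge(rec, 5000, at(2))
    log_event(rec, at(2), "no_show_fee", 5000, why)
    print("charge allowed:", ok, "-", why)
    leaked = dict(rec, notes="card 4242 4242 4242 4242 cvv 123")
    print("leaked notes:", validate_authorisation(leaked))
```

The validation step is the one to run before anything is written to disk or a database: it rejects records that carry a full card number or CVV (as a named field or typed into free text), records without an active consent method, and records with no cap or no retention date. `may_charge` refuses anything outside the stored authority, so a late-cancellation fee above the agreed maximum or a charge after the retention date never reaches the provider, and `log_event` builds the paper trail a chargeback review will ask for.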
What Legal Documents And Clauses Should You Have In Place?
A credit card authorisation form on its own is often not enough. The authorisation should sit inside a broader set of terms that govern the customer relationship.
Depending on your business, you may want to consider the following documents.
- Service terms (or customer contract): This sets out the scope of what you provide, payment timing, deposits, cancellation rules, and limits on disputes. For online bookings and service delivery, well-drafted Website Terms and Conditions can be a key foundation.
- Cancellation and refund policy: This is where you explain notice periods, no-show fees, rescheduling rules, and how refunds/credits work. It’s also where you reduce risk of disputes by being upfront.
- Privacy Policy: If you’re collecting personal information (and most businesses do), a Privacy Policy helps explain what you collect, why, how you store it, and how customers can contact you about privacy concerns.
- Ecommerce or online checkout terms: If customers can purchase or book online, your E-commerce Terms and Conditions should align with the authorisation language (especially around timing of charges, pre-orders, and cancellations).
- Payment and invoicing terms: If you charge on completion (or use card authorisation as a backup to invoice payment), make sure your payment timing is clear and consistent. Often, clear invoice payment terms help reduce the temptation to store card details “just in case”.
- Internal staff procedures: This isn’t always a legal document, but it’s crucial. Your team should know when they can take an authorisation, how it is stored, who can access it, and how long it is retained.
Clauses That Often Matter Most
If your business relies on credit card authorisation for common risk points, you’ll usually want to ensure your broader terms address:
- Authority to charge: clear permission and circumstances for charging.
- Cancellation windows: how many hours/days’ notice is required, and what happens if the customer cancels late.
- No-show policy: whether a fee applies, and how it’s calculated.
- Damage/loss liability: if you hire goods, how you assess and charge for damage.
- Refund approach: when you refund, when you offer credit, and how the ACL is handled.
- Dispute process: how customers can raise issues before escalating to chargebacks.
The goal is that your customer can read your terms once and understand exactly what will happen - which makes the authorisation more enforceable and reduces friction.
Key Takeaways
- Credit card authorisation is a customer giving permission for you to charge their card under agreed conditions - it’s common for deposits, cancellations, variable charges, and bookings-based businesses.
- To reduce disputes and chargebacks, your authorisation should be specific about the amount (or calculation method), timing, and reason for charges.
- In Australia, your process needs to align with the Australian Consumer Law, including transparency around cancellation fees and refund rights (and being mindful of unfair contract term risks, especially in standard form consumer contracts).
- Data handling is a major risk area - avoid storing card details unless you genuinely need to, and use secure, provider-supported methods wherever possible. Also remember that PCI DSS and card scheme rules are usually enforced through your payment provider agreement.
- Authorisation works best when it is supported by broader terms, such as website/ecommerce terms, cancellation policies, and a clear Privacy Policy.
If you’d like a consultation on setting up a credit card authorisation process (including your customer terms, cancellation policy, and privacy compliance), you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no-obligations chat.