I'm not sure about "best practise", more like "stuff I've learnt the hard way...." :-)

The HSBC API is less than ideal, we've had a lot of experience dealing with inadequate APIs on Payment Gateways in our time.

Pre-auth as mentioned above is an older technology which unforuntately did leave a shadow on the card with the appearance of multiple transaction. The more recent technology is Authenticate and Authorise, which does a similar thing to Pre-auth but without the consequences of the old pre-auth.

Unfortauntely HSBCs API is a bit out of date and fairly limited compared to more flexible systems such as SagePay direct.

The advent of PCI compliance has also meant authorising banks have tightened up on security and declines are more common. AVS, CV2 and 3D Auth security checks on registered UK maestro and mastercards mean you will undoubtably see an increase in declines. Not necessarily, it has to be said, because the card is fraudulent or that the card can't take the hit, but normally because the invoice address isn't quite right.

However, these are hard times for many people, so I guess you do also have to expect that people will be trying to pay for items online on already stretched credit.

I would also recommend looking into taking payment post-order but pre-dispatch to ensure the funds are taken before delivering items. It will save a lot of headaches. This doesn't necessarily mean that you have to take payment on order.