#bops-sca

yes passing off_session when confirming a PaymentIntent is how you flag to use the payment is merchant initiated so we can try to claim that exemption

in theory you just do an off-session payment for the penalties and if you get the exemption then the payment goes through, if not, you need to get the customer back to authenticate.

You might guard against some of the risk by using https://stripe.com/docs/payments/capture-later to authorise a little more than you actually need for the very first payment(since you're at least guaranteed to be able to capture that up to that amount without needing a new payment attempt)

thank you. there is a test card that always triggers SCA, even for off-session attached-to-customer PaymentMethods. in practice, this should not happen very often, right?

every card except the 3155 one(which is the one that supports the concept of being set up for MITs) works that way yep, needs authentication every time.
In practise if you integrate appropriately then you have the best chance of those payments not requiring authentication yes! it's always up to the bank but it should work for the most part(but you do explicitly need to have a recovery flow for when it doesn't)