Handle Stripe SCA/3DS authentication failures and implement compliant retry logic

Verified steps

1. Detect a 3DS challenge requirement: when confirming a PaymentIntent, a status of 'requires_action' with next_action.type 'use_stripe_sdk' or 'redirect_to_url' means the card issuer requires authentication — surface this to the user immediately.
2. On the client, call stripe.handleNextAction() (Stripe.js) or equivalent mobile SDK method to present the 3DS challenge iframe or redirect; on completion the PaymentIntent status transitions to 'requires_confirmation' or directly to 'succeeded'.
3. If authentication fails, the PaymentIntent moves to 'requires_payment_method' with last_payment_error.code 'authentication_required' — do not retry the same PaymentIntent; instead detach the failed method and prompt the user to re-enter payment details.
4. For off-session recurring charges that fail with 'authentication_required', send the customer an email with a link to a hosted payment page (use Stripe's hosted invoice or a custom page) where they can complete the 3DS challenge on-session.
5. Use Smart Retries (enabled by default on subscriptions) for soft declines, but for hard authentication failures always require explicit customer action rather than automatic retry.
6. Log 'last_payment_error.decline_code' and 'last_payment_error.payment_method.card.three_d_secure_usage.supported' to distinguish cards that never support 3DS (and may need exemption requests) from transient failures.