Implement SCA step-up via 3DS2 for recurring mandates under PSD2

Verified steps

1. Perform full SCA at mandate setup (the initial CIT): authenticate the cardholder using 3DS2 with the recurring mandate framing; obtain CAVV and ECI and store the network transaction ID returned in the authorization response.
2. For all subsequent recurring MITs, flag the transaction as merchant-initiated with the appropriate recurring indicator and reference the original network transaction ID from mandate enrollment — subsequent MITs do not require SCA.
3. If an issuer returns authentication_required on a subsequent MIT (indicating the issuer requires fresh SCA), this is a step-up request; flag the transaction for cardholder re-engagement rather than retrying as MIT.
4. When the cardholder next accesses your application (next CIT session), initiate a new 3DS2 authentication in the context of the existing mandate: use the mandate's stored credential framework indicators and re-authenticate to satisfy the issuer's step-up requirement.
5. After successful step-up authentication, update your stored mandate record with the new network transaction ID and CAVV from the fresh authentication; resume subsequent MITs using this updated reference.
6. Log all step-up events and resulting authentications for compliance audit trails under PSD2 record-keeping obligations.