Payments, where the cardholder is not involved, is usually referred to as recurring, subscriptions or merchant initiated transactions.
Things you should be aware of:
Your flow should gracefully handle failures and allow users to pay with another card and as a regular transaction.
Due to some banks not accepting recurring payments (CVC-less) by default a transaction is more likely to be successful with a regular payment thus you should favor regular transactions and use our “new transaction from existing” as an optimization - don’t save card details upfront if you can avoid it, that’s also good conversion karma.
Present the user with the initial payment (regular transaction with CVC) and ask your user whether they want to subscribe to future payments. On the next payment try creating a transaction - if it fails, ask the user to do the payment manually (with CVC) and restart the process.
An example flow could look like this:
|1.||Client||A payment popup is shown or a payment link is generated|
|2.||Client||The user is asked whether to save their card for future payments|
|4.||Server/async||Capture the transaction. This step should be completed only when your services or your goods are dispatched to the customer.|
|5.||Server/async||Recurring payment. Create a transaction based on the previous transaction ID saved in 3. and capture it, if it fails for whatever reason (expired, not supported, insufficient funds, etc.), notify the customer by email or other means and restart the process from 1.|
You do not need to do clever stuff about expiration if you follow this flow - cards will fail for whatever reason and be replaced by the customer.
You could enhance the flow by creating recurring payments a bit earlier to warn the user if an upcoming payment will fail and needs to be completed manually. Delay the capture for the actual renewal date.
If you are using 3-D Secure you should be aware that the protocol only supports a transaction and not saving a card thus you cannot use 3-D Secure for recurring payments, but you will have a much stronger case if the first transaction is a regular 3-D Secure protected one.