Auths expire with Curve after 7 days, so on the 8th day. It’s not Curves fault but the merchant to send an AUTH and a seperate offline transaction as a new transaction and not removing the auth.
Curve is actually good with removing auths after 7 days, i.e. the German bank Fidor only removes auths after 30days.
It’s one of these things where you think, wow, the merchant can get away with this? Yes, they can.
Example: you buy biz class tickets for 4 adults of 3k€ each = 12k€ in total.
The airlines puts an AUTH of 12k€ on your card. If it’s a debit card, it gets instantly taken out of your bank account.
If it’s a credit, it just lowers your allowance of 12k€
Not a few days later the airlines sends 4 seperate transactions of each 3k€ to the same card and captures the funds. They do not remove the previous auth of 12k€, so now you’re out of pocket of 24k€.
If you call the airline then and ask them to remove the auth they can’t do anything. If you call the bank, they say get it resolved with the merchant or wait for the auth to expire, but again, this can take up to a month.
Even if you only have a limit of 12k€ on your card or you have the card disabled, due to the nature of an offline transaction they can always take your funds.
This way you could easily go overdraft and pay heavy fines with the banks.
Luckily, curve removes these auths exactly 7 days later (right at midnight) or if you send them an email when the offline transaction hits they remove the auth manually.
Don’t ask me how/why airlines get away with this and how it’s not violating any MC/visa rules. It’s just the way it is.