Currently, WHMCS does Auth+Capture via the Authorize.Net API. A rash of
skilled credit card thieves recently plowed through WHMCS and got past
both of the anti-fraud modules. These must have been particularly
skilled criminals with a large database of working stolen cards. Not
capturing payments immediately would be helpful to hosting companies who are
less lucky than others.