Well-Architected Review - Credit Card Entry Store

• Overview
• 1. Operational Excellence
  • 1.1 Charge Calculation and Order Delegation Operations
  • 1.2 Shopper Authorization and Risk Management Operations
  • 1.3 Bad Debt Lifecycle Operations
  • 1.4 Bad Debt Resolution and Recovery Operations
  • 1.5 Bad Debt Escalation and Repeat Offender Operations
  • 1.6 Payment Lifecycle Operations
  • 1.7 Adjust Charge Operations
  • 1.8 Cancel Charge Operations
  • 1.9 Capture Charge Operations
  • 1.10 Refund Operations
  • 1.11 Transactional Data and Shopper Identity Operations
  • 1.12 Retry and Error Handling
  • 1.13 Observability, Deployment, and Readiness
  • 1.14 Monitoring and Change Management
  • 1.15 Change Management Readiness
    • 1.15.1 Change Control Process
    • 1.15.2 Charge Calculation and Order Delegation Changes
    • 1.15.3 Payment Lifecycle Logic Changes
    • 1.15.4 Infrastructure and API Changes
    • 1.15.5 Testing and Validation
    • 1.15.6 Rollback and Recovery
    • 1.15.7 Communication and Coordination
• 2. Security
  • 2.1 Payment Data Security
  • 2.2 Shopper Authorization and Risk Data Security
  • 2.3 Bad Debt Data Security
  • 2.4 Charge Calculation Data Security
  • 2.5 Shopper Identity Protection
  • 2.6 Transactional Data Security
  • 2.7 API Authentication and Authorization
  • 2.8 Security Events, Data Classification, and Incident Response
• 3. Reliability
  • 3.1 Charge Calculation Reliability
  • 3.2 Shopper Authorization Reliability
  • 3.3 Payment Lifecycle Reliability
  • 3.4 Bad Debt Tracking and Resolution Reliability
  • 3.5 Transactional Data and Shopper Identity Reliability
  • 3.6 End-to-End Resilience
  • 3.7 Data Protection and Fault Tolerance
  • 3.8 Backup and Recovery
• 4. Performance Efficiency
  • 4.1 Charge Calculation Performance
  • 4.2 Shopper Authorization Performance
  • 4.3 Payment Operations Performance
  • 4.4 Data Retrieval Performance
  • 4.5 Bad Debt Processing Performance
  • 4.6 Rate Limiting
  • 4.7 Demand Management
• 5. Cost Optimization
  • 5.1 Compute and Infrastructure
  • 5.2 Payment Processing Costs
  • 5.3 Shopper Authorization Costs
  • 5.4 Bad Debt and Recovery Costs
  • 5.5 API and Data Transfer Costs
• 6. Store Reporting
  • 6.1 Reporting Mode Selection
  • 6.2 Merchant Portal Reporting
  • 6.3 Event Feed Reporting Operations
  • 6.4 Reporting Data Integrity
  • 6.5 Reporting Security and Access
• 7. Post-Purchase Operations
  • 7.1 Receipt Generation and Delivery
  • 7.2 Receipt Lookup
  • 7.3 Refund Processing
  • 7.4 Bad Debt Identification and Recording
  • 7.5 Bad Debt Feedback to Amazon
  • 7.6 Bad Debt Entry Denial
  • 7.7 Bad Debt Resolution and Shopper Re-Entry
  • 7.8 Bad Debt Escalation and Repeat Offenders
  • 7.9 Bad Debt Write-Off and Reporting
• 8. Shopper Self-Service Portal
  • 8.1 Portal Availability and Operations
  • 8.2 Portal Authentication and Shopper Identity
  • 8.3 Receipt Lookup and Download
  • 8.4 Refund Request Processing
  • 8.5 Outstanding Balance View and Debt Payoff
  • 8.6 Portal Security and PII Protection
  • 8.7 Portal Performance and Scalability
  • 8.8 Portal Change Management
• 9. Sustainability
  • 9.1 Resource Efficiency
  • 9.2 Data Lifecycle Management
  • 9.3 Network and Transfer Optimization

Disclaimer: This document contains sample content for illustrative purposes only. Organizations should follow their own established best practices, security requirements, and compliance standards to ensure solutions are production-ready.

Overview

This questionnaire is designed for Just Walk Out store implementations that use credit card entry with the retailer managing the full payment lifecycle through Amazon's Payment Service APIs. Amazon handles shopper identity at the gate and charge calculation, while the retailer orchestrates the payment flow (adjust, capture, cancel, refund) and retrieves transactional and shopper identity data for receipts and reconciliation. The following APIs are in scope:

• Adjust Charge API (POST /v1/adjust/charge)
• Cancel Charge API (POST /v1/cancel/charge)
• Capture Charge API (POST /v1/capture/charge)
• Refund Charge API (POST /v1/refund)
• Get Transactional Data API (POST /v1/payment/transactional-data)
• Get Shopper Identity API (POST /v1/identity/shopper)
• Create Purchases API (POST /v1/order/purchases) — Order Delegation
• Shopper Authorization API (POST /v1/fraudandabuse/shopperauthorization) — Risk Overview | API Reference
• Report Payment Status API (POST /v1/feedback/payment-status) — API Reference

---

1. Operational Excellence

1.1 Charge Calculation and Order Delegation Operations

• How do you monitor Create Purchases API success/failure rates and response times?
• How do you validate that charge calculations return accurate pricing, promotions, and tax for each cart?
• What monitoring detects charge calculation latency spikes or failures?
• How do you handle carts with unidentifiable SKUs routed to the bad cart process?
• How do you handle empty carts (return empty purchaseId, trigger pre-auth cancellation)?
• How do you ensure all requests are handled idempotently using the idempotentShoppingTripId?
• What alerting is in place when carts are received but not priced before the pre-auth expiration window?
• What is your process for updating pricing rules, promotions, or tax configurations in your POS system?
• How do you handle different cart item types (SKU, SCANCODE) and quantity units (unit, weight-based)?
• How do you process group shopping trips with multiple authEvents?

1.2 Shopper Authorization and Risk Management Operations

• How do you monitor the Shopper Authorization API (POST /v1/fraudandabuse/shopperauthorization) success/failure rates and response times?
• What strategy have you selected for outstanding balance management (Amazon-managed via Feedback API, bring your own, or none)?
• If using Amazon's outstanding balance tracking, how do you ensure the Report Payment Status API (POST /v1/feedback/payment-status) is called after every payment outcome (capture, decline, partial settlement)?
• How do you monitor the timeliness and accuracy of payment status feedback sent to Amazon?
• What alerting is in place when payment feedback calls fail, potentially leaving stale outstanding balance data?
• How do you handle Amazon's risk recommendation (accept, override to deny, override pre-auth amount) in your Fraud and Abuse Connector?
• What business rules govern when you override Amazon's shopperAuthorized recommendation?
• How do you track and report on override rates (accept vs. deny vs. amount adjustment) to evaluate risk strategy effectiveness?
• What monitoring detects anomalies in shopper risk profiles (e.g., sudden spike in high-risk shoppers, unusual shopperRisks distribution)?
• How do you handle all gateAuthenticationEvent types (CREDIT_CARD, AMAZON_ONE, QR, MOBILE_WALLET, UNRECOGNIZED) in your authorization logic?
• What is the process for updating risk thresholds or authorization business rules without disrupting active gate operations?
• How do you ensure the Fraud and Abuse Connector responds within the gate SLA (< 2 seconds) to avoid gate timeouts?

1.3 Bad Debt Lifecycle Operations

• What process identifies all bad debt scenarios (fully declined adjustment, partial capture shortfall, failed capture after retries, pre-auth token expiration)?
• How do you record and track bad debt incidents with sufficient detail (shoppingTripId, cart total, settled amount, outstanding amount, root cause, timestamp)?
• How do you determine whether to write off the full cart amount or attempt a partial capture when an adjustment is declined?
• What business rules govern the incremental adjustment strategy (e.g., retry at lower amounts to find the maximum approved amount)?
• How do you ensure the Report Payment Status API is called after every bad debt event to keep Amazon's outstanding balance tracking current?
• What monitoring detects shopping trips where payment feedback was not successfully reported to Amazon after a bad debt event?
• How do you track the outstanding balance per shopper across multiple shopping trips?
• What process links bad debt incidents to the Shopper Authorization API to ensure shoppers with outstanding balances are denied or conditionally authorized on their next visit?
• How do you monitor the time between a bad debt event and the corresponding entry denial to confirm the feedback loop is working?
• What alerting is in place when a shopper with outstanding balance is incorrectly allowed entry (feedback loop failure)?

1.4 Bad Debt Resolution and Recovery Operations

• What self-service or assisted process allows shoppers to pay off their outstanding balance (e.g., online payment portal, customer service, in-store kiosk)?
• How do you confirm that a shopper's payment has been received and applied to the correct outstanding shopping trip(s)?
• After a shopper resolves their outstanding balance, how do you ensure the Report Payment Status API is called with the updated settledAmount to clear the balance in Amazon's system?
• What is the expected turnaround time from debt resolution to the shopper being re-authorized for store entry?
• How do you handle partial debt payoffs where the shopper resolves some but not all outstanding trips?
• What monitoring confirms that a shopper who resolved their debt is successfully authorized on their next visit (end-to-end resolution validation)?
• How do you handle disputes where a shopper claims they have paid but the outstanding balance has not been cleared?
• What communication channel notifies shoppers that they have an outstanding balance and provides instructions for resolution?
• What communication confirms to shoppers that their debt has been resolved and they can return to the store?

1.5 Bad Debt Escalation and Repeat Offender Operations

• What thresholds trigger escalation when a shopper accumulates multiple bad debt incidents (e.g., 2+ incidents, cumulative amount > $X)?
• How do you differentiate between a one-time payment failure (e.g., temporary insufficient funds) and a pattern of non-payment?
• What process flags repeat offenders for permanent or extended entry denial?
• How do you feed repeat offender data back into the Shopper Authorization Connector to ensure escalated risk levels (e.g., NonpaymentHighRisk) are applied?
• What write-off process and approval workflow governs unrecoverable bad debt after all recovery attempts are exhausted?
• How do you track bad debt aging (time since incurred) and escalate aged unresolved debt?
• What fraud investigation process is triggered when bad debt patterns suggest intentional abuse rather than payment issues?

1.6 Payment Lifecycle Operations

• How do you monitor the full payment lifecycle (adjust → capture or cancel) for each shopping trip?
• What dashboards track success/failure rates for each Payment Service API (adjust, capture, cancel, refund)?
• What alerting is in place for stuck or incomplete payment lifecycles (e.g., adjusted but not captured)?
• How do you reconcile captured charges against cart totals on a daily basis?
• What is your process for handling declined adjustments (DECLINED status) or pending adjustments (PENDING status)?

1.7 Adjust Charge Operations

• How do you monitor Adjust Charge API success rates and response times?
• How do you handle the incremental adjustment logic (difference between cart total and initial pre-auth)?
• What alerting is in place when adjust calls return DECLINED or PENDING status?
• What is your process for retrying PENDING adjustments until a terminal state (APPROVED or DECLINED) is reached?

1.8 Cancel Charge Operations

• How do you determine when to cancel a charge (e.g., empty cart, shopper did not take items)?
• What monitoring confirms cancel operations complete successfully (200 response)?
• What alerting is in place when cancel calls fail?
• How do you prevent cancellation of an already-captured charge?

1.9 Capture Charge Operations

• How do you monitor Capture Charge API success rates?
• What is the expected time between a successful adjust and the capture call?
• What alerting is in place when captures fail after a successful adjustment?
• How do you ensure capture amounts match the adjusted authorized amount?

1.10 Refund Operations

• How do you monitor Refund API success rates and processing times?
• What process handles each refund reason code (DAMAGED_ITEM, EXPIRED_ITEM, UNWANTED_ITEM, JWO_TECH_ERROR, OTHER)?
• How do you enforce the 30-day refund window?
• How do you ensure refund idempotency using unique refundRequestId values?
• What alerting is in place for abnormal refund rates?

1.11 Transactional Data and Shopper Identity Operations

• How do you monitor Get Transactional Data and Get Shopper Identity API availability and response times?
• What data retention policies govern transactional data and shopper identity records?
• How do you handle 400 responses for non-existent shopping trips or invalid shopper IDs?
• How do you use transactional data (EMV fields, reconciliationId, cardStatementTransactionId) for receipt generation?
• How do you use shopper identity (shopperEmail) for receipt delivery?

1.12 Retry and Error Handling

• What retry strategy is implemented for failed Create Purchases API calls (400, 429, 500, 503)?
• How do you ensure Create Purchases idempotency using the idempotentShoppingTripId across retries?
• What retry strategy with exponential backoff is implemented for each Payment Service API?
• How do you handle 429 (Too Many Requests) responses with the 600-second Retry-After header?
• How do you handle 503 (ServiceUnavailable) responses with the retryAfter value?
• How do you ensure idempotency across retries for capture and refund operations to prevent duplicate financial transactions?
• What alerting is in place when maximum retry attempts are exhausted for any API?
• What is the escalation process when retries fail for payment-critical operations?

1.13 Observability, Deployment, and Readiness

• How do you implement observability across the payment lifecycle?
• How do you mitigate deployment risks for payment integration changes?
• How do you know that you are ready to support the payment workload?

1.14 Monitoring and Change Management

• How do you monitor payment workload resources?
• How do you implement change to payment processing logic?

1.15 Change Management Readiness

1.15.1 Change Control Process

• What formal change management process governs modifications to the Ordering Connector, payment integration logic, and supporting infrastructure?
• Who approves changes to production systems and what is the approval workflow?
• How do you classify changes by risk level (standard, normal, emergency)?
• How do you maintain a change log that records all modifications, approvers, and deployment timestamps?

1.15.2 Charge Calculation and Order Delegation Changes

• What is the process for deploying pricing rule, promotion, or tax configuration changes to the Ordering Connector?
• How do you ensure pricing changes are synchronized between your POS system and the Create Purchases API?
• What validation confirms that charge calculation changes produce correct totals before production deployment?
• How do you handle promotion activation/deactivation without impacting in-flight shopping trips?
• What is the rollback procedure if a pricing or tax change produces incorrect charges?
• What formal change management process governs modifications to payment integration logic and infrastructure?
• Who approves changes to production payment systems and what is the approval workflow?
• How do you classify changes by risk level (standard, normal, emergency)?
• How do you maintain a change log that records all modifications, approvers, and deployment timestamps?

1.15.3 Payment Lifecycle Logic Changes

• What is the process for modifying the adjust → capture → refund orchestration logic?
• How do you deploy payment flow changes without disrupting in-flight shopping trips?
• What testing is required before modifying payment amount calculations or currency handling?
• What is the rollback procedure if a payment logic change causes incorrect charges or failed captures?

1.15.4 Infrastructure and API Changes

• What is the process for updating API Gateway configurations, IAM policies, or compute resources for payment processing?
• How do you handle Amazon-initiated Payment Service API changes (new fields, deprecations)?
• What blue/green or canary deployment strategies are used for payment integration changes?
• What is the process for updating API credentials or rotating IAM roles?

1.15.5 Testing and Validation

• What pre-deployment testing is required for payment changes (unit, integration, E2E)?
• How do you validate changes in a staging environment before production deployment?
• What smoke tests confirm payment system health immediately after deployment?
• How do you test changes against the full flow (order delegation → adjust → capture → refund)?

1.15.6 Rollback and Recovery

• What is the maximum acceptable rollback time for payment components?
• How do you ensure every deployment is reversible and what automated rollback triggers are in place?
• How do you handle in-flight payment transactions during a rollback?

1.15.7 Communication and Coordination

• How do you communicate planned payment system changes to stakeholders?
• What maintenance windows are defined for payment system changes?
• What post-deployment review process captures lessons learned?

---

2. Security

2.1 Payment Data Security

• How is payment data encrypted in transit and at rest across all Payment Service APIs?
• What PCI DSS compliance controls are in place for payment processing?
• How do you ensure sensitive payment data (card last four digits, expiration date) is not logged or exposed in error messages?
• What tokenization strategies are used for payment instrument data?

2.2 Shopper Authorization and Risk Data Security

• How is shopper risk profile data (shopperRisks, authorizationConditions) protected in transit and at rest?
• What controls prevent unauthorized access to the Shopper Authorization API and Report Payment Status API?
• How do you ensure shopper identity data in authorization requests is not logged or exposed in error messages?
• What audit trail exists for all gate authorization decisions, including overrides of Amazon recommendations?
• How do you protect outstanding balance data from unauthorized modification?
• What controls ensure payment feedback data (totalAmount, settledAmount) is transmitted securely to Amazon?

2.3 Bad Debt Data Security

• How is outstanding balance data (shopper identity, amount owed, shopping trip history) protected at rest and in transit?
• What access controls restrict who can view, modify, or write off bad debt records?
• How do you ensure shopper PII is not exposed in bad debt reports, alerts, or log messages?
• What audit trail captures all bad debt lifecycle events (incurred, payment feedback sent, entry denied, debt resolved, written off)?
• How do you protect the debt resolution payment channel (online portal, customer service) from unauthorized access or fraudulent payoff claims?
• What controls prevent unauthorized modification of outstanding balance records that could allow a blocked shopper to bypass entry denial?

2.4 Charge Calculation Data Security

• How is cart data (item SKUs, quantities, pricing, shopper identity) protected in transit and at rest?
• What input validation prevents injection attacks through malformed cart payloads?
• How do you ensure sensitive shopper data is not logged or exposed in Create Purchases API error messages?
• What audit trail exists for all charge calculation requests and responses?

2.5 Shopper Identity Protection

• How is shopper identity data (shopperEmail) protected in transit and at rest?
• What access controls restrict who can retrieve shopper identity information via the Get Shopper Identity API?
• How do you ensure PII compliance for shopper email addresses?
• What audit trail exists for all shopper identity access requests?

2.6 Transactional Data Security

• How do you protect EMV transactional data (PAN sequence number, cryptogram, cardholder verification)?
• What controls ensure transactional data is only accessed for authorized purposes (receipt generation, reconciliation)?
• How do you handle and secure the reconciliationId and cardStatementTransactionId fields?

2.7 API Authentication and Authorization

• How are API credentials for the Create Purchases API, all six Payment Service APIs, the Shopper Authorization API, and the Report Payment Status API managed and rotated?
• What controls prevent unauthorized access to payment and identity APIs?
• How do you detect and respond to abnormal API usage patterns?
• What role-based access controls govern which systems can invoke each API?

2.8 Security Events, Data Classification, and Incident Response

• How do you detect and investigate security events related to payment operations?
• How do you classify payment and shopper identity data?
• How do you protect payment data at rest?
• How do you anticipate, respond to, and recover from payment-related security incidents?

---

3. Reliability

3.1 Charge Calculation Reliability

• What is the target availability SLA for the Create Purchases API (Ordering Connector)?
• How do you handle empty carts where no pricing is required and a pre-auth cancellation must be triggered?
• What happens when a cart contains an item SKU that cannot be identified (bad cart process)?
• How do you ensure charge calculations complete before the pre-auth window expires?
• How do you handle idempotent retries using the idempotentShoppingTripId without creating duplicate purchase records?
• What is the recovery process when the Ordering Connector returns intermittent 500 errors?

3.2 Shopper Authorization Reliability

• What is the target availability SLA for the Shopper Authorization Connector?
• What fallback gate decision is applied when the Shopper Authorization API is unavailable or times out?
• How do you ensure the Report Payment Status API is called reliably after every payment outcome, including retries on failure?
• What reconciliation process detects shopping trips where payment feedback was not successfully reported to Amazon?
• How do you handle stale outstanding balance data when payment feedback calls fail persistently?
• What is the recovery process when the Fraud and Abuse Connector returns intermittent 500/503 errors?

3.3 Payment Lifecycle Reliability

• What is the target availability SLA for each Payment Service API (adjust, cancel, capture, refund)?
• How do you handle a declined charge adjustment (e.g., insufficient funds, card limit exceeded)?
• What is the recovery process when a capture fails after a successful adjustment?
• How do you handle the scenario where a cancellation is attempted on an already-captured charge?
• What reconciliation process detects and resolves incomplete payment lifecycles?

3.4 Bad Debt Tracking and Resolution Reliability

• What is the target availability SLA for the bad debt tracking system?
• How do you ensure bad debt records are not lost when the Report Payment Status API call fails (retry, queue, fallback)?
• What reconciliation process detects shopping trips where bad debt was incurred but payment feedback was not successfully sent to Amazon?
• How do you handle stale outstanding balance data in Amazon's system when your payment feedback calls fail persistently?
• What is the recovery process when the debt resolution payment channel (online portal, customer service) is unavailable?
• How do you ensure that a shopper's debt resolution payment is correctly applied and the Report Payment Status API is called to clear the balance, even if your systems experience a failure between payment receipt and API call?
• What data consistency checks ensure the outstanding balance in your system matches what Amazon tracks via the Shopper Authorization API?
• How do you handle the scenario where a shopper resolves their debt but the Report Payment Status call fails, leaving the shopper incorrectly blocked at the gate?

3.5 Transactional Data and Shopper Identity Reliability

• What is the target availability SLA for the Get Transactional Data and Get Shopper Identity APIs?
• How do you ensure transactional data consistency across the payment lifecycle?
• How do you handle 400 responses for non-existent shopping trips (data not yet available or invalid)?
• What is the data replication and backup strategy for transaction records?

3.6 End-to-End Resilience

• What is the expected end-to-end latency from cart receipt to completed capture?
• How do you handle cascading failures across the order delegation → adjust → capture pipeline?
• What circuit breaker patterns are implemented to prevent system overload?
• How do you handle concurrent payment operations on the same shopping trip (race conditions)?

3.7 Data Protection and Fault Tolerance

• How do you back up data?
• How do you design your workload to withstand component failures?

3.8 Backup and Recovery

• What is the backup strategy for charge calculation configuration (pricing rules, promotions, tax rates) and purchase records?
• What is the backup strategy for payment lifecycle records (adjust, cancel, capture, refund states)?
• What is the backup strategy for transactional data and shopper identity records?
• What is the Recovery Point Objective (RPO) for payment records and transaction data?
• What is the Recovery Time Objective (RTO) for restoring payment services after a failure?
• How do you validate that backups are complete, consistent, and restorable through regular restore testing?
• How do you ensure backups are stored in a separate AWS region or account for disaster recovery?
• How do you recover incomplete payment lifecycles (adjusted but not captured) after a data loss event?
• What is the escalation process when automated recovery fails?
• How do you conduct disaster recovery drills and how frequently are they performed?

---

4. Performance Efficiency

4.1 Charge Calculation Performance

• What is the p99 response time for Create Purchases API calls?
• How does calculation performance scale with cart complexity (number of items, promotions, tax categories)?
• What optimizations are in place for high-volume concurrent charge calculations?
• How does the system handle large carts (many line items, weight-based items, multiple external identifiers)?

4.2 Shopper Authorization Performance

• What is the p99 response time for the Shopper Authorization API?
• How does authorization performance scale under peak gate traffic (e.g., 100 concurrent shoppers entering)?
• What is the acceptable gate decision latency from card tap to gate open/close?
• How does the Report Payment Status API perform under high volume (e.g., batch reporting after peak hours)?

4.3 Payment Operations Performance

• What is the p99 response time for each Payment Service API (adjust, cancel, capture, refund)?
• How does the system perform under peak load (e.g., 500 concurrent payment operations)?
• What is the sustained throughput capacity for mixed payment operation types over 15 minutes?

4.4 Data Retrieval Performance

• What is the p99 response time for Get Transactional Data and Get Shopper Identity APIs?
• How does query performance scale with transaction history size?
• What caching strategies optimize data retrieval for frequently accessed shopping trips?

4.5 Bad Debt Processing Performance

• What is the latency from a declined adjustment to the Report Payment Status API call being sent to Amazon?
• How quickly does a bad debt event propagate to the Shopper Authorization API to block the shopper's next entry attempt?
• What is the end-to-end latency from debt resolution (shopper payment received) to the shopper being re-authorized at the gate?
• How does the debt resolution and payment feedback pipeline perform under peak volume (e.g., batch debt resolution processing)?

4.6 Rate Limiting

• How does the system handle 429 responses with the 600-second Retry-After header?
• What queuing or throttling strategies prevent hitting rate limits during peak periods?
• How do you distribute payment API calls across time windows?

4.7 Demand Management

• How do you design your payment workload to adapt to changes in demand?

---

5. Cost Optimization

5.1 Compute and Infrastructure

• How are compute resources scaled for payment processing services?
• What auto-scaling policies handle peak vs. off-peak traffic?
• Are there opportunities to use reserved capacity or savings plans?

5.2 Payment Processing Costs

• What is the cost per transaction across the full payment lifecycle (adjust + capture)?
• What is the cost impact of declined adjustments or captures that require alternative payment flows?
• How do you minimize unnecessary payment operations (e.g., avoiding adjust when amount is unchanged)?
• What is the cost of refund processing and how do you track refund rates?

5.3 Shopper Authorization Costs

• What is the cost per Shopper Authorization API call?
• What is the cost per Report Payment Status API call?
• How do you minimize unnecessary authorization calls (e.g., caching recent authorization decisions for the same shopper)?
• What is the cost impact of retry logic on failed authorization and feedback calls?

5.4 Bad Debt and Recovery Costs

• What is the total cost of bad debt as a percentage of revenue, and how do you track this metric?
• What is the cost of operating the debt resolution channel (online portal, customer service, payment processing fees for debt payoffs)?
• How do you quantify the revenue impact of denying entry to shoppers with outstanding balances (lost sales vs. recovered debt)?
• What is the cost of Report Payment Status API calls for debt tracking, and how does retry logic affect this cost?
• How do you optimize the balance between aggressive debt recovery (more API calls, more customer outreach) and cost efficiency?
• What is the cost impact of write-offs, and what approval thresholds govern write-off decisions?

5.5 API and Data Transfer Costs

• What is the total cost per shopping trip across all API calls?
• How do you minimize unnecessary API calls (e.g., caching transactional data)?
• What is the cost impact of retry logic across all six APIs?

---

6. Store Reporting

6.1 Reporting Mode Selection

• Have you evaluated which reporting mode best fits your organization (Merchant Portal, Intra-day S3, Event feed via EventBridge)?
• What is your required frequency of data refresh for payment reconciliation?
• Does your existing data ingestion infrastructure support CSV-based (Intra-day) or JSON/API-based (Event feed) formats?

6.2 Merchant Portal Reporting

• Are daily Payment reports being downloaded and reviewed from the JWO Merchant Portal?
• How do you use the dashboard (30-minute refresh) for monitoring payment operations?
• What process exports and integrates Merchant Portal data into your internal reconciliation systems?

6.3 Event Feed Reporting Operations

• Are EventBridge rules configured for PAYMENT event types (AuthorizationApproved, CaptureApproved, AuthorizationDeclined, CaptureDeclined, AuthorizationCancelled)?
• How do you use payment events for near real-time reconciliation against your adjust/capture/refund records?
• What alerting triggers on decline events from the Event feed?
• How do you correlate Event feed payment events with Get Transactional Data API responses?

6.4 Reporting Data Integrity

• How do you reconcile reporting data against your payment lifecycle records (adjust, capture, cancel, refund)?
• What validation ensures reconciliationId values match between your records, Get Transactional Data responses, and Event feed events?
• How do you detect and investigate discrepancies between Amazon reporting data and your payment processor records?

6.5 Reporting Security and Access

• How are IAM roles and KMS keys for reporting access managed and rotated?
• What access controls restrict who can view or download payment reporting data?
• How do you ensure PII in reporting data is handled per privacy regulations?

---

7. Post-Purchase Operations

7.1 Receipt Generation and Delivery

• Have you determined the receipt ownership model (Amazon-generated or retailer-generated)?
• If using retailer-generated receipts, how do you consume Get Transactional Data API responses (EMV fields, card last four, reconciliationId) to build itemized receipts?
• How do you use Get Shopper Identity API (shopperEmail) to deliver receipts to shoppers?
• How do you handle receipt delivery failures?
• How do you ensure receipt content accurately reflects the captured charge amount?

7.2 Receipt Lookup

• Have you determined the receipt lookup ownership model?
• How do you use cardStatementTransactionId from Get Transactional Data to help shoppers locate shopping trips on their card statements?
• What is the data retention period for receipt records?

7.3 Refund Processing

• What is the process for store staff or shoppers to initiate a refund?
• How do you validate refund eligibility (within 30-day window, valid shoppingTripId, valid reason code)?
• How do you track refund status using the reconciliationId returned by the Refund API?
• What monitoring detects abnormal refund patterns that may indicate fraud?
• How do you communicate refund status to shoppers?

7.4 Bad Debt Identification and Recording

• What process identifies all bad debt scenarios (fully declined adjustment, partial capture shortfall, failed capture after retries, pre-auth token expiration before charge)?
• How do you record bad debt incidents with sufficient detail (shoppingTripId, cart total, settled amount, outstanding amount, root cause, payment instrument identifier, timestamp)?
• How do you determine whether to write off the full cart amount or attempt a partial capture when an adjustment is declined with a non-zero authorizedAmount?
• What business rules govern the incremental adjustment strategy to find the maximum approved amount before recording the shortfall as bad debt?
• What automated alerting triggers when a shopping trip results in bad debt?
• How do you detect and record bad debt caused by pre-auth token expiration (ShoppingTripExpiredException) when the cart was not charged within the ~46-hour window?

7.5 Bad Debt Feedback to Amazon

• How do you ensure the Report Payment Status API (POST /v1/feedback/payment-status) is called after every bad debt event with accurate totalAmount and settledAmount?
• What retry strategy ensures payment feedback is delivered to Amazon even when the Report Payment Status API returns 500 errors?
• What monitoring detects shopping trips where bad debt was incurred but payment feedback was not successfully sent to Amazon?
• How do you handle the scenario where payment feedback is delayed, causing a shopper to enter the store again before their outstanding balance is recorded?
• What reconciliation process compares your internal bad debt records against Amazon's outstanding balance tracking to detect discrepancies?

7.6 Bad Debt Entry Denial

• How does the Shopper Authorization Connector use outstanding balance data to deny entry to shoppers with unpaid debt?
• What is the expected latency from a bad debt event to the shopper being blocked at the gate on their next visit?
• How do you handle the scenario where Amazon's recommendation includes shopperRisks: ["BadDebt"] but your internal records show the debt has been resolved (data sync lag)?
• What in-store experience is provided to a shopper who is denied entry due to outstanding balance (signage, staff assistance, instructions to resolve)?
• How do you handle conditional authorization for shoppers with outstanding balance (e.g., allow entry with increased pre-auth amount to cover risk)?
• What business rules determine whether a shopper with outstanding balance is denied outright vs. conditionally authorized with a higher pre-auth?

7.7 Bad Debt Resolution and Shopper Re-Entry

• What self-service or assisted process allows shoppers to pay off their outstanding balance (online payment portal, customer service phone/chat, in-store kiosk)?
• How do you confirm that a shopper's debt resolution payment has been received and applied to the correct outstanding shopping trip(s)?
• After a shopper resolves their outstanding balance, how do you ensure the Report Payment Status API is called with the updated settledAmount to clear the balance in Amazon's system?
• What is the expected turnaround time from debt resolution to the shopper being re-authorized for store entry?
• How do you handle partial debt payoffs where the shopper resolves some but not all outstanding trips?
• What monitoring confirms that a shopper who resolved their debt is successfully authorized on their next visit (end-to-end resolution validation)?
• How do you handle disputes where a shopper claims they have paid but the outstanding balance has not been cleared?
• What communication channel notifies shoppers that they have an outstanding balance and provides instructions for resolution?
• What communication confirms to shoppers that their debt has been resolved and they can return to the store?

7.8 Bad Debt Escalation and Repeat Offenders

• What thresholds trigger escalation when a shopper accumulates multiple bad debt incidents (e.g., 2+ incidents, cumulative amount > $X)?
• How do you differentiate between a one-time payment failure (temporary insufficient funds) and a pattern of non-payment (potential abuse)?
• What process flags repeat offenders for permanent or extended entry denial?
• How do you feed repeat offender data back into the Shopper Authorization Connector to ensure escalated risk levels (NonpaymentHighRisk) are applied?
• What fraud investigation process is triggered when bad debt patterns suggest intentional abuse?
• How do you track bad debt aging (time since incurred) and escalate aged unresolved debt?

7.9 Bad Debt Write-Off and Reporting

• What write-off process and approval workflow governs unrecoverable bad debt after all recovery attempts are exhausted?
• How do you track bad debt by root cause (payment decline, partial capture, token expiration, capture failure, system error)?
• What reporting tracks bad debt metrics: total outstanding amount, frequency by root cause, recovery rate, resolved vs. unresolved breakdown, average time to resolution?
• What thresholds trigger investigation when bad debt rates exceed acceptable levels?
• How do you feed bad debt data back into fraud and risk assessment processes to improve future gate decisions?
• How do you reconcile bad debt records against payment processor records and Amazon transaction data?

---

8. Shopper Self-Service Portal

8.1 Portal Availability and Operations

• Do you have a shopper-facing self-service portal for receipt lookup, refund requests, and outstanding balance payoff?
• What is the target availability SLA for the portal?
• What monitoring tracks portal uptime, response times, and error rates?
• What alerting is in place when the portal is degraded or unavailable?
• How do you handle portal outages gracefully (maintenance page, estimated restoration time, alternative support channels)?
• What runbooks exist for portal incident response?

8.2 Portal Authentication and Shopper Identity

• How do shoppers authenticate to the portal (payment card lookup, email, loyalty account, other)?
• How do you verify the shopper's identity before granting access to receipt history, refund capabilities, and outstanding balance data?
• What controls prevent unauthorized access to another shopper's data?
• What session management policies are in place (session timeout, concurrent session limits, secure cookies)?
• How do you handle authentication failures (lockout policy, rate limiting, fraud detection)?

8.3 Receipt Lookup and Download

• How does the portal retrieve receipt data (Get Transactional Data API, Get Shopper Identity API, internal records)?
• How do you display the cardStatementTransactionId to help shoppers match trips to their card statements?
• What receipt formats are supported (web view, PDF download, email delivery)?
• How do you handle receipt lookup when backend APIs (Get Transactional Data, Get Shopper Identity) are unavailable?
• What is the data retention period for receipts accessible through the portal?
• How do you ensure receipt data displayed in the portal matches the original charge calculation and payment records?

8.4 Refund Request Processing

• How does the portal validate refund eligibility (within 30-day window, valid shopping trip, not already refunded)?
• How does the portal call the Refund API with an idempotent refundRequestId to prevent duplicate refunds?
• What refund reason codes are presented to the shopper (DAMAGED_ITEM, EXPIRED_ITEM, UNWANTED_ITEM, OTHER)?
• How does the portal display refund status and reconciliationId to the shopper after submission?
• What process handles refund requests that fail due to API errors (retry, queue for manual processing, shopper notification)?
• How do you prevent abuse of the refund process through the portal (rate limiting, pattern detection, manual review thresholds)?

8.5 Outstanding Balance View and Debt Payoff

• How does the portal display the shopper's current outstanding balance with per-trip breakdown (date, store, amount owed, root cause)?
• What payment methods are accepted for debt payoff through the portal (credit card, debit card, other)?
• How does the portal process debt payoff payments through your payment processor?
• After a successful debt payoff, how does the portal call the Report Payment Status API to clear the outstanding balance in Amazon's system?
• What is the expected turnaround time from debt payoff to the shopper being re-authorized for store entry?
• How does the portal handle partial debt payoffs (pay off one trip but not others)?
• What confirmation does the portal display after a successful debt payoff (balance cleared, store access restored)?
• How does the portal handle debt payoff failures (payment declined, API error) without leaving the shopper in an inconsistent state?
• What reconciliation process ensures debt payoff payments processed through the portal match the Report Payment Status calls sent to Amazon?

8.6 Portal Security and PII Protection

• How do you ensure shopper PII (email, card details) is masked in the portal UI (show last 4 digits only, partially mask email)?
• How do you protect shopper data in transit between the portal and backend APIs (TLS, certificate pinning)?
• What audit logging captures all portal actions (receipt views, refund requests, debt payoffs, authentication events)?
• How do you ensure no PII is logged in portal application logs or error messages?
• What data retention policies govern portal session data, access logs, and payment records?
• How do you comply with privacy regulations (GDPR, CCPA) for shopper data accessed through the portal?

8.7 Portal Performance and Scalability

• What is the target response time for receipt lookup, refund submission, and debt payoff operations in the portal?
• How does the portal scale under peak traffic (e.g., post-holiday refund surge, batch debt resolution)?
• What caching strategies reduce redundant API calls for frequently accessed receipt data?
• How do you handle portal performance degradation when backend APIs are slow or rate-limited?

8.8 Portal Change Management

• What is the process for deploying portal updates without disrupting active shopper sessions?
• How do you test portal changes against the full shopper journey (authenticate → lookup receipt → request refund → pay off debt → re-enter store)?
• What rollback procedure exists if a portal deployment introduces defects?
• How do you coordinate portal changes with backend API changes (Refund API, Report Payment Status API, Get Transactional Data API)?

---

9. Sustainability

9.1 Resource Efficiency

• How do you minimize compute usage during low-traffic periods across payment services?
• What strategies reduce unnecessary data processing for empty carts or cancelled charges?
• How do you optimize data retention policies for payment transaction logs and audit trails?

9.2 Data Lifecycle Management

• How do you optimize retention of payment records and transactional data?
• What archiving strategies minimize long-term storage for completed payment lifecycles?
• How do you efficiently purge obsolete payment and shopper identity data?

9.3 Network and Transfer Optimization

• How do you minimize network traffic through efficient API call patterns?
• What batching or caching strategies reduce redundant Get Transactional Data or Get Shopper Identity calls?