A global hospitality marketplace running payments across dozens of markets, payment methods, regulatory regimes, and fraud vectors — all converging on a single moment: when the guest clicks "Confirm and pay." The system worked. The documentation didn't.
The engagement was to produce a structured map of the end-to-end payments-in flow — payment method add through authorization, fraud and identity checks, settlement, and hold release — and to use it to surface the gaps and opportunities the team couldn't see from inside the system. I was brought in as the payments domain expert: the person who knew what the nodes meant and where the edges were soft.
SMS and CVV step-ups fired uniformly across markets. Africa and Middle East saw 19% post-friction dropoff against 8.2% in North America — thresholds were never tuned to local risk profiles.
Over-indexed on Visa/Mastercard globally. Markets with native instrument support (Pix, UPI, Naver Pay, AliPay) converted higher; markets without had a structural ceiling.
Identity verification ran as a parallel track but gated authorization holds. The manual Face Match Queue was a latency bottleneck — guests surfaced these as payment failures, not identity reviews.
37% of bookings ran through Request-to-Book; 28% failed to convert. Host denial and timeout drove most of it. Payment charge errors were small but fully addressable.
SCA compliance was handled at the gateway. Exemption logic — low-value transactions, trusted beneficiary — wasn't being applied consistently. Avoidable step-up authentication in EU markets.
Payouts held until 24 hours post check-in, contingent on cancellation and AirCover state. The interaction was underdocumented — hosts saw delayed payouts without explanation.
"The process existed. The documentation didn't. The job was to translate a working but opaque system into something the team could interrogate — and find where the edges were soft."
Domain translation across the full payments-in stack — converting an operationally real but undocumented system into a structured, interrogatable process map.
Technical grounding: Walked the team through how the stack actually works — cardholder, gateway, acquirer, network, issuer; interchange and scheme economics; transaction-level fraud scoring; PSD2 SCA mechanics in practice. Drawn directly from prior capital markets and trade finance compliance work.
Funnel mapping: Worked the booking flow node by node — listing through payment entry, authorization, fraud and identity checks, confirmation, check-in, settlement. Identified where documented behavior matched best practice and where it didn't.
Regulatory layer: Mapped PCI DSS, AML, KYC, GDPR, and PSD2/SCA explicitly against each step. Surfaced where compliance was clean and where exposure existed. Output fed directly into the deliverable decks and process documentation.
| Area | Observation | Nature of Gap |
|---|---|---|
| Fraud friction calibration<br>2-way SMS · CVV · PayPal reauth | 4.1% of transactions hit SMS verification; 8.3% hit CVV. Thin Friction Library logic was risk-score driven but not regionally tuned. 19% post-friction dropoff in Africa/ME vs. 8.2% in North America. | Threshold logic unclear |
| Local payment method coverage<br>Pix · UPI · Naver Pay · AliPay · iDEAL | 60% of payment methods were added at checkout — peak conversion risk. Markets with local rail support converted higher. Markets without had a structural ceiling. | Coverage underdeveloped |
| IDV / payment flow coupling<br>Winston · Face Match Queue · KYC triggers | IDV ran as a semi-independent track but gated authorization holds. Manual FMQ was a known latency bottleneck creating ambiguous "pending" states — surfaced to CS as payment failures, not identity issues. | Systems inadequately decoupled |
| RTB conversion loss<br>37% of bookings · 28% fail to convert | Host denial (10%), host timeout (6%), guest withdrawal (8%), IDV failure (2%), payment charge errors (3%). Charge errors were a small but fully addressable slice. | Addressable failure slice |
| PSD2 / SCA exemption logic<br>EU markets · Strong Customer Authentication | SCA handled at gateway level. Exemptions for low-value and trusted-beneficiary transactions weren't consistently applied. Avoidable step-up friction in EU checkout. | Exemption logic underused |
| Settlement and hold release<br>24hr post check-in · cancellation interaction | Hold logic interacted with cancellation timelines and security deposit processing in ways the documentation didn't capture. Hosts experienced delayed payouts without visibility into cause. | Host-facing opacity |

| Engagement scope | End-to-end payments-in |
Payments at scale isn't intuitive. The interaction between interchange economics, fraud scoring, regulatory compliance, and conversion optimization involves tradeoffs that aren't visible from the surface of a checkout flow.
The contribution wasn't design or delivery. It was the ability to sit inside a process map of a payments system at this scale, know what the nodes meant, and ask the right question of each one. That comes from years inside fintech and compliance-heavy systems where getting the process wrong has real consequences.