# Fraud pipeline checklist (real-time scoring on AWS)

Walk before enabling production authorize path.

## Ingest

- [ ] Authorization events land on **EventBridge** custom bus (not direct Lambda invoke from API GW for fan-out)
- [ ] **EventBridge Pipes** route to fraud scoring Lambda with DLQ on pipe failure
- [ ] Idempotency key = `network_transaction_id` (or processor reference) stored in **DynamoDB** with TTL

## Scoring

- [ ] Feature store reads from **ElastiCache Redis** or **DynamoDB** — p95 feature lookup &lt; 15 ms budget documented
- [ ] Model inference timeout &lt; 80 ms at p99 or async step-up (3DS / step-up auth) path defined
- [ ] Shadow mode ran ≥ 7 days — compare block rate vs manual review queue

## Response

- [ ] Step Functions express workflow: `allow` | `review` | `decline` with compensation on partial failure
- [ ] Decline reason codes mapped to processor API (do not leak internal model features to cardholder)
- [ ] CloudWatch alarm on DLQ depth &gt; 0 for 5 minutes

## When NOT to build custom fraud ML

- Volume &lt; 50k authorizations/month — processor fraud tools first
- No labeled fraud dataset — rules engine + velocity checks only
- Regulatory hold on automated decline without human review — wire manual queue first

## What broke (template)

| Week | Symptom | Root cause | Fix |
|------|---------|------------|-----|
| | Duplicate declines | Missing idempotency on pipe retry | DynamoDB conditional write on txn id |
