Risk Register
:::info Source
Sourced from services/billing-service/SERVICE_RISK_REGISTER.md in the documentation repo.
:::
| ID | Risk | Sev | Impact | Mitigation | Owner |
|---|---|---|---|---|---|
| R-BL-01 | PCI data leak (PAN in logs) | S1 | Processor termination; massive fine | SAQ-A; no PAN in our systems; CI grep; tokenization audit | Billing + Security |
| R-BL-02 | Double-charge | S1 | Customer trust + refunds | Idempotency-Key; Stripe idempotent; unique PK on processor_ref | Billing |
| R-BL-03 | Webhook signature bypass | S1 | Fake payment events | HMAC verify + timestamp + nonce cache | Billing + Security |
| R-BL-04 | Reconciliation drift | S1 | Financial integrity lost | Daily reconciler; P1 alert on > $100 variance | Billing + Finance |
| R-BL-05 | Payout to wrong account | S1 | Financial fraud | Micro-deposit verify; 4-eyes on large payouts; Stripe Connect KYC | Billing |
| R-BL-06 | Stripe outage → payments blocked | S2 | Revenue loss | Queue + retry; fail over to secondary region; alert | Billing + SRE |
| R-BL-07 | Tax jurisdiction wrong | S2 | Tax noncompliance; fines | Stripe Tax / TaxJar; quarterly review | Billing + Finance |
| R-BL-08 | Chargeback avalanche | S2 | Revenue + processor rating | 3DS; evidence collection; AI fraud advisory | Billing + Trust & Safety |
| R-BL-09 | Currency conversion error | S2 | Over/under-charge | Processor-provided rates; snapshot at order time; reconciliation | Billing |
| R-BL-10 | Subscription state machine bug | S2 | Wrong access (entitled but billed as canceled) | State machine invariants; migration tests; chaos | Billing |
| R-BL-11 | Dunning process stall | S3 | Revenue leakage | Monitor next_attempt_at; alert if idle > 7d | Billing + SRE |
| R-BL-12 | GDPR anonymization vs tax retention | S2 | Regulator pressure | Legal hold prevails; PII anonymized but records retained | Compliance + Billing |
| R-BL-13 | Webhook replay after key rotation | S2 | Duplicate side-effect | Event ID PK + nonce cache | Billing |
| R-BL-14 | Provider payout delayed | S3 | Provider dissatisfaction | SLA 7 days; escalation path | Billing + CS |
| R-BL-15 | Invoice PDF rendering failure | S3 | Tax/legal gap | Retry; fallback simple text invoice; alert | Billing |
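
The R-BL-03 and R-BL-13 mitigations (HMAC verify, timestamp, nonce cache, event ID as primary key) combined in one verifier, as an added example that is not the billing service's own code. The header format (`t=<timestamp>,v1=<hex>` with HMAC-SHA256 over `timestamp.body`) is modeled on Stripe's webhook signatures; the class and function names, the 300-second tolerance and the in-memory stores are assumptions.

```python
import hashlib
import hmac
import json
import time


class WebhookRejected(Exception):
    """A delivery failed a check; the handler must not act on it."""


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    # Assumed scheme: hex HMAC-SHA256 over b"<timestamp>.<raw body>".
    msg = str(timestamp).encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class WebhookVerifier:
    def __init__(self, secrets, tolerance_s=300):
        self.secrets = list(secrets)  # current secret, plus the previous one during rotation
        self.tolerance_s = tolerance_s  # assumed replay window
        self.nonces = {}  # signature -> expiry; stand-in for the nonce cache
        self.processed_ids = set()  # stand-in for a table keyed on event ID

    def verify(self, header: str, body: bytes, now=None) -> dict:
        now = time.time() if now is None else now
        fields = [p.split("=", 1) for p in header.split(",") if "=" in p]
        stamps = [v for k, v in fields if k == "t"]
        sigs = [v.encode() for k, v in fields if k == "v1"]
        if len(stamps) != 1 or not stamps[0].isdecimal() or not sigs:
            raise WebhookRejected("malformed signature header")
        ts = int(stamps[0])
        # 1. HMAC over the raw bytes, compared in constant time, before any parsing.
        expected = [sign(s, ts, body).encode() for s in self.secrets]
        match = next((g for g in sigs for e in expected if hmac.compare_digest(g, e)), None)
        if match is None:
            raise WebhookRejected("bad signature")
        # 2. The timestamp is inside the MAC, so it bounds how long a capture stays valid.
        if abs(now - ts) > self.tolerance_s:
            raise WebhookRejected("timestamp outside tolerance")
        # 3. Nonce cache: the same signed delivery seen again inside the window.
        self.nonces = {s: exp for s, exp in self.nonces.items() if exp >= now}
        if match in self.nonces:
            raise WebhookRejected("replayed signature")
        self.nonces[match] = ts + self.tolerance_s
        # 4. Event ID uniqueness outlives both the window and any signing secret.
        event = json.loads(body)
        if event["id"] in self.processed_ids:
            raise WebhookRejected("duplicate event id")
        self.processed_ids.add(event["id"])
        return event
```

In a service, step 4 is the insert into a table with the event ID as primary key, committed in the same transaction as the side effect. That check is what rejects an event re-delivered under a rotated secret, where the signature differs and the nonce cache has no matching entry.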

Governance

- Quarterly: PCI scope review; Stripe key rotation.
- Monthly: reconciliation report review.
- Weekly: webhook failure rate + dunning effectiveness.