Section E · Reference

Interview Questions — Practice

30 questions across 8 sections. Drill out loud. Use the toggle to hide all answers and rehearse. The practice tracker remembers your progress per question.

How to drill this

Cover the answers. Speak the response aloud — interview muscle is verbal, not silent.
Time yourself: most answers should land in 90 seconds. Long answers are weakness.
Use the practice tracker checkboxes — they persist locally.
Re-run cold the morning of the loop.

Toggle

Click the button below to hide / reveal all answers at once.

1 · Payments fundamentals

Q1.1 · Explain authorization vs settlement.

Auth: issuer's go/no-go decision at point of payment; reserves funds. Settlement: actual movement of funds between issuer and acquirer, typically later (same-day to T+2). Auth can be voided cleanly; settlement requires refund. Different failure modes; different measurements (AAR vs settlement success / speed).

Q1.2 · What's the four-party model?

Cardholder, issuer (their bank), acquirer (merchant's bank), network/scheme (Visa/MC). PSP / processor sits as the technical layer on the acquirer side. Auth requests flow cardholder → PSP → acquirer → network → issuer; the response runs back.

Q1.3 · Why is retry-on-hard-decline a bad idea?

Scheme rules prohibit it; retrying generates fees and counts against integrity programs (Visa's AI program, etc.). Hard declines signal scheme-level issues (lost/stolen, account closed). The right move is to switch rails or stop.

Q1.4 · What's the difference between a BIN and a PAN?

PAN is the full 13-19 digit card number. BIN is the first 6-8 digits, identifying the issuing bank, country, and card type. BIN is safe to store; PAN is in PCI scope.

Q1.5 · What does MCC 6051 mean and why does a crypto PM care?

MCC 6051 is "quasi-cash" — historically used for crypto purchases. Many issuers selectively block or step-up authenticate this MCC; some BIN ranges hard-decline it. Half of crypto auth-rate work is about how purchases are coded.

2 · Emerging-market rails

Q2.1 · What's a VPA in UPI?

Virtual Payment Address — name@bank alias for a bank account, e.g. chris@okhdfcbank. Human-readable, used by PSP apps to route. The customer's underlying account number is hidden behind the VPA.

Q2.2 · Who runs PIX, and what's MED?

PIX is operated directly by BACEN, Brazil's central bank — unusual; usually a private network operator. MED (Mecanismo Especial de Devolução) is the fraud-return mechanism: customer can file within 80 days; recipient bank has 7 days to hold and respond.

Q2.3 · Walk through a UPI Intent payment.

App creates intent; deep-links to user's PSP app; user enters UPI PIN; PSP forwards to NPCI; NPCI routes to issuing bank for debit; funds credit to receiving bank; callback back to merchant; merchant credits balance. End-to-end seconds.

Q2.4 · What's SEPA Instant and how does it differ from SEPA Credit Transfer?

SCT Inst — instant variant, ~10s settlement, 24/7, up to €100k. SCT is the older, batched, business-day rail. SCT Inst settles through TIPS or RT1; not all banks support it but coverage is rising.

Q2.5 · What's Mada and why is it tricky?

Mada is Saudi Arabia's domestic card scheme, SAMA-mandated. Most domestic transactions must route over Mada even on dual-badged Visa/Mastercard cards. International acquirers typically can't route Mada domestic — you need a local sponsor bank or local acquirer.

Q2.6 · How does M-Pesa work mechanically?

Carrier-operated (Safaricom) mobile-money rail, USSD-driven historically. Customers hold a wallet linked to their SIM. STK push prompts for PIN confirmation. Dominant in Kenya; agent network for cash-in/out.

3 · Vendor & orchestration

Q3.1 · Walk through how you'd select a new acquirer for Brazil.

Scope (rails, volume, latency). Long-list → short-list. RFP across coverage, cost, reliability, compliance, integration speed, partnership. Sandbox + tech DD. Commercial terms. Compliance / legal review. Pilot + parallel run before full traffic. Maintain at least two viable partners for failover.

Q3.2 · Smart routing vs cascading — what's the difference?

Smart routing picks the optimal PSP before first attempt based on BIN, MCC, history. Cascading retries on a different PSP after a soft decline. Smart routing optimizes preemptively; cascading recovers reactively. Both are AAR levers.

Q3.3 · When would you de-platform a PSP?

Persistent AAR underperformance vs alternatives (mix-corrected), repeated SLA misses without remediation, compliance/sanctions exposure rising, roadmap divergence, cost no longer competitive. Off-board slowly: parallel-run replacement, shift % traffic over weeks, retain as cold failover, then settle the contract.

Q3.4 · What's in the card cost stack?

Interchange (issuer), scheme fees (network), cross-border fee, FX spread, acquirer markup, PSP / gateway fee, optional fraud-vendor fee, chargeback fee. All-in card cost in mature markets is typically 2-3%; UPI/PIX is sub-50bps.

4 · Metrics & analytics

Q4.1 · Define AAR and name two variants.

Authorization rate = approved auths / attempts. Variants: first-attempt AAR (cleanest measure of issuer behaviour), final AAR (after retries; captures cascade lift). Also per-PSP, per-BIN, value-weighted.

Q4.2 · How can lifting AAR hurt conversion?

Forcing 3DS step-up lifts AAR via issuer liability shift but the step-up itself causes drop-off. Net intent-to-success conversion can fall. You optimize the funnel, not the auth event in isolation.

Q4.3 · What's cost-per-successful-payment, and what's commonly missed?

All-in cost ÷ approved txns. Commonly missed: retry-attempt fees, chargeback fees, fraud losses, FX spread. Naïve formula divides total spend by all txns; right one divides full economic cost by successful payments only.

Q4.4 · How would you define a "rail-health SLO"?

Composite — availability (e.g. 99.95% successful API request rate), AAR floor (rolling 7d), latency p99, settlement on T+1 above threshold. Breach → ops incident; sustained breach → traffic shift.

5 · Design / spec

Q5.1 · Spec UPI AutoPay for recurring crypto buys.

See P1 — goal/users/flow/mandate UX/rail mechanics/KPIs/risks/v1 cuts. Focus on mandate cap, NPCI flow, idempotent execution, cancel UX, AML monitoring overlay.

Q5.2 · Design an A/B test for PIX-as-default in Brazil.

See P2. Sticky user randomization. Primary = deposit-from-intent conversion. Guardrails on fraud, support, value mix. Run ≥ 2 weeks; pre-register segment cuts.

Q5.3 · How would you launch a new rail in a new market?

See 13. Partner contract, sandbox testing, compliance signoff, canary, whitelist, %-staged rollout with health gates, hypercare 2-4 weeks, BAU handoff. Build the dashboard before launch.

Q5.4 · Spec defenses against the deposit-withdraw fraud loop.

See P9. 3DS first-deposit, hold-window for crypto-out, BIN risk scoring, velocity rules, same-card-only refund window. Tradeoffs vs legitimate-user conversion — tune the threshold.

6 · Compliance / governance

Q6.1 · What's the Travel Rule and when does it apply?

FATF Recommendation 16 — VASPs must share originator and beneficiary info on crypto transfers above threshold (often USD/EUR 1,000). Applies to outbound and inbound; protocols include TRP, TRUST, Sumsub. Self-custody is the hard case — need wallet attribution claim.

Q6.2 · How do you reduce PCI scope?

Don't touch raw PAN — use PSP-hosted fields / iframe / SDK. Use network tokens issued by Visa/MC for stored credentials. Use a vault for any internal tokenization. Achieve SAQ A rather than SAQ D.

Q6.3 · Name three licenses that gate a payments launch.

US: MTL (state-level) + FinCEN MSB registration. UK: EMI or PI under FCA. EU: EMI / PI under national competent authority; MiCA for crypto. Local market: RBI PA/PG (India), BACEN (Brazil), BSP (PH).

Q6.4 · What's VDMP and why care?

Visa Dispute Monitoring Program — flags merchants above ~0.9% dispute rate. Above threshold = fines, then de-platforming. Mastercard's equivalent is ECP. Crypto merchants run hot historically — must instrument early-warning well below 0.5%.

7 · Analytical / SQL

Q7.1 · Write a SQL skeleton for first-attempt AAR by issuer over the last week.

WITH first AS (
  SELECT DISTINCT ON (payment_intent_id)
    payment_intent_id, issuer_name, status
  FROM auth_attempts
  WHERE created_at >= NOW() - INTERVAL '7 days'
  ORDER BY payment_intent_id, attempt_seq
)
SELECT issuer_name,
  COUNT(*) AS attempts,
  COUNT(*) FILTER (WHERE status='approved') AS approved,
  ROUND(100.0*COUNT(*) FILTER (WHERE status='approved')/COUNT(*),2) AS aar_pct
FROM first
GROUP BY issuer_name
HAVING COUNT(*) >= 100
ORDER BY aar_pct ASC;

Q7.2 · How would you compute retry-success rate by decline family?

Per intent: get the first attempt's decline family, then check whether any later attempt approved. Aggregate. See 10 — retry decision modeling.

Q7.3 · AAR dropped 4pp overnight. Diagnose.

See P8. Confirm real vs measurement. Decompose by acquirer / BIN / decline_family / hour. Check recent code or rule changes. Roll back suspect change while investigating.

Q7.4 · How would you measure the lift from network tokenization?

A/B on COF flows: treatment = network token used, control = PAN-based stored credential. Primary metric: AAR. Secondary: re-auth success on issuer card-update events. Controlled for BIN mix and time-of-day.

8 · Behavioral

Q8.1 · Tell me about the most ambiguous payments decision you've owned.

Frame: situation → stakes → constraints → decision → outcome → reflection. Lead with the metric or risk you balanced. Lean on a real one; don't invent.

Q8.2 · Tell me about a time you halted a launch.

Should be ready with one — even adjacent (security, compliance, on-call posture). What signal triggered the hold? Who did you align with? What did you do with the team after?

Q8.3 · Walk me through a partner conflict — how did you handle it?

Show: facts before opinion, escalation only after working channels, document everything, preserve the working relationship. Outcome: contract enforcement, SLA credits, or amicable parting.

Q8.4 · Why this role specifically?

Two beats: the fiat-crypto seam interests you (specific reason — pick one); the portfolio model (rails-by-method-by-geo) is a richer PM job than single-rail ownership. Honest about gaps; specific about why now.