Most product engineering assumes a forgiving substrate. A bad write gets rolled back. A failed deploy gets reverted. A confused user closes the tab and starts over. Payments removes that safety net. Once a transaction settles across a network we do not control, there is no transaction to roll back, no migration to undo, and no support ticket that makes the money reappear where it was.

This is the one property that explains almost everything else in this course. It is worth sitting with before we touch a ledger, a webhook, or a reconciliation job.

The core constraint: settlement is one-way

In application code we treat operations as reversible by default. A database transaction either commits or it does not. If something downstream fails, we roll back and pretend it never happened.

Money does not work that way once it leaves our boundary. When a card authorization captures, or an ACH debit settles, or a payout lands in someone's bank, the funds have moved through systems owned by acquirers, card networks, and the receiving bank. We cannot reach into those systems and reverse the entry.

What we can do is move money the other way with a new, separate transaction: a refund, a credit, a return. That is not an undo. It is a compensating action that leaves both legs visible forever. The original debit happened. The correcting credit happened. The history is permanent, and our records have to reflect both.

The practical rule: design every money movement as append-only and irreversible, then build correction as a first-class second movement, not as a rollback.

What "no undo" changes in practice

State must be modeled as a forward-only machine

Because we cannot revert, we cannot model a payment as a mutable row that we flip between values. A payment is a sequence of states it has passed through, and most transitions are one-directional.

A typical card payment moves through requires_action, authorized, captured, succeeded, refunded, and disputed. Some of those are terminal. You do not go from refunded back to succeeded. Treat the lifecycle as an explicit state machine with allowed transitions, reject anything that is not on the list, and store the transition history rather than overwriting status in place. When something goes wrong at 2am, that history is the only reliable account of what actually happened.

Errors are ambiguous, and ambiguity is the dangerous part

In ordinary systems a failed call usually means nothing happened. In payments, a failed call frequently means we do not know whether anything happened. A timeout on a capture request could mean the capture never reached the processor, or that it succeeded and the response was lost on the way back.

That uncertainty is why idempotency keys, retries, and reconciliation exist, and we cover each later in the course. For this lesson the point is narrower: a payments error is not "it failed, try again." It is "we have lost track of the truth, and we must go find it before we act." Retrying blindly on an ambiguous timeout is how a single charge becomes two.

Other parties can reverse our outcome long after we are done

Even after a payment looks final on our side, the networks give the other party a long window to claw it back, and the windows are not symmetric.

For Visa, a cardholder generally has up to 120 days from the transaction to dispute it, and certain scenarios extend further. On the ACH side, an everyday return like R01 (insufficient funds) comes back within two banking days of settlement, but an unauthorized consumer return (R10) can land up to 60 calendar days later, backed by a signed statement from the account holder. A payment is not "done" when our API returns 200. It is provisionally done, and a chargeback or return can reopen it weeks or months later.

This is why payments teams reason in terms of liability windows, not just success and failure. Whether we hold the money yet, and whether someone can still take it back, are different questions with different answers.

A worked example: the double-charge that "never happened"

Walk through a concrete failure to see the constraint bite.

A customer taps Pay. Our service sends a capture to the processor. The processor charges the card successfully, but our network connection drops before the response comes back. Our service sees a timeout, marks the attempt failed, and our retry logic fires a second capture. The second one succeeds cleanly. The customer is now charged twice.

In a non-money system this would be a harmless duplicate write we could deduplicate after the fact. Here it is two real debits on a real card. We cannot delete one. The only correction is to issue a refund for the duplicate, which is its own transaction, with its own settlement timing and its own row in the ledger forever.

The fix is not "retry less." It is to make the capture idempotent so the second request returns the first result instead of charging again, and to reconcile against the processor's record of truth before we ever conclude that the first attempt failed. The mindset shift is the lesson: we assume our own view of the outcome might be wrong, and we verify against the system that actually moved the money.

How this reframes the rest of the build

Once we accept that money has no undo, a set of design defaults follows that we will keep returning to:

None of this is exotic infrastructure. It is a discipline that comes from taking one constraint seriously instead of assuming the forgiving substrate we are used to.

Takeaway

The defining fact of a payments feature is that a completed money movement cannot be undone, only compensated by another movement that is itself permanent. Build as if every confirmed transaction is etched in stone, treat your own view of an outcome as possibly wrong, and reconcile against the systems that actually hold the money. Get that posture right and the harder modules ahead, ledgers, idempotency, reconciliation, become careful applications of the same idea rather than surprises.

Next →
Scoping the Unhappy Paths First