MWS Application. So devastated & lost


#1

I’m applying as an Amazon MWS developer, with the option to assist some of my friends who are also sellers.
I know this question has been asked in the past. I’ve been searching online and working on this application for 7 days now, around 8 hours a day, and I still have absolutely NO IDEA what to do.
Prior to the application I spent over 6 months building the code needed. This was my only hope to make some extra, and now with the risk of not being approved it’s very devastating.

Can anyone please shed some light on this? They denied the application twice, and I can still reply with the content they need. But I feel like I have been giving them the perfect response, and STILL they are denying it.
I’m begging you guys… Please, help me.
Their question is:


We identified the following areas that do not meet the requirements outlined in our policies for accessing Personally Identifiable Information (PII). In order to maintain access to PII, you must update your application to meet the following MWS policy requirements:

1. Access Management: Developers must assign a unique ID to each person with computer access to Amazon Information. Developers must not create or use generic, shared, or default login credentials or user accounts. Developers must implement baselining mechanisms to ensure that at all times only the required user accounts access Amazon Information. Developers must review the list of people and services with access to Amazon Information on a regular basis (at least quarterly), and remove accounts that no longer require access. Developers must restrict developer employees from storing Amazon data on personal devices. Developers will maintain and enforce "account lockout" by detecting anomalous usage patterns and log-in attempts, and disabling accounts with access to Amazon Information as needed.
2. Least Privilege Principle: Developers must implement fine-grained access control mechanisms to allow granting rights to any party using the Application (e.g., access to a specific set of data at its custody) and the Application's operators (e.g., access to specific configuration and maintenance APIs such as kill switches) following the principle of least privilege. Application sections or features that vend PII must be protected under a unique access role, and access should be granted on a "need-to-know" basis.
3. Data Governance: Developers must create, document, and abide by a privacy and data handling policy for their Applications or services which govern the appropriate conduct and technical controls to be applied in managing and protecting information assets. Developers must keep inventory of software and physical assets (e.g. computers, mobile devices) with access to PII, and update regularly. A record of data processing activities such as specific data fields and how they are collected, processed, stored, used, shared, and disposed for all PII Information should be maintained to establish accountability and compliance with regulations. Developers must establish and abide by their privacy policy for customer consent and data rights to access, rectify, erase, or stop sharing/processing their information where applicable or required by data privacy regulation.
4. Logging and Monitoring: Developers must gather logs to detect security-related events (e.g., access and authorization, intrusion attempts, configuration changes) to their Applications and systems. Developers must implement this logging mechanism on all channels (e.g., service APIs, storage-layer APIs, administrative dashboards) providing access to Amazon Information. All logs must have access controls to prevent any unauthorized access and tampering throughout their lifecycle. Logs themselves should not contain PII and must be retained for at least 90 days for reference in the case of a Security Incident. Developers must build mechanisms to monitor the logs and all system activities to trigger investigative alarms on suspicious actions (e.g., multiple unauthorized calls, unexpected request rate and data retrieval volume, and access to canary data records). Developers should perform investigation when monitoring alarms are triggered, and this should be documented in the Developer's Incident Response Plan.
5. Incident Response Plan: Developers must create and maintain a plan and/or runbook to detect and handle Security Incidents. Such plans must identify the incident response roles and responsibilities, define incident types that may impact Amazon, define incident response procedures for defined incident types, and define an escalation path and procedures to escalate Security Incidents to Amazon. Developers must review and verify the plan every six (6) months and after any major infrastructure or system change. Developers must investigate each Security Incident, and document the incident description, remediation actions, and associated corrective process/system controls implemented to prevent future recurrence (if applicable). Developers must maintain the chain of custody for all evidences or records collected, and such documentation must be made available to Amazon on request (if applicable).

Developers must inform Amazon (via email to security@amazon.com) within 24 hours of detecting any Security Incidents. Developers cannot notify any regulatory authority, nor any customer, on behalf of Amazon unless Amazon specifically requests in writing that the Developer do so. Amazon reserves the right to review and approve the form and content of any notification before it is provided to any party, unless such notification is required by law, in which case Amazon reserves the right to review the form and content of any notification before it is provided to any party. Developers must inform Amazon within 24 hours when their data is being sought in response to legal process or by applicable law.

If you would like to update your system to maintain access to PII, please respond to this case within 5 business days to indicate your desire to comply. You must also include a Plan of Action to provide details for the following:

1. How you will update your data protection controls to address each of the necessary updates listed above?

2. Provide a timeline that states the date in which you will fully implement the necessary updates within 30 days.

Once we have approved your Plan of Action, your data protection controls may be assessed by our Solutions Architect team. If you are unable to complete necessary updates within 30 days, you may reply to this message to request a time extension, which we will review on a case-by-case basis.

I truly have no idea what they are asking. Timeline date? Date to do what exactly?
Below is the answer I gave them; despite that, they STILL denied it. I thought it was perfect, but I guess I was very wrong.
It seems it’s about personal information, but I do believe I answered their question (though I don’t understand question #2). Please view below what I wrote, which they denied:

2. Provide a timeline that states the date in which you will fully implement the necessary updates within 30 days.

ANSWER:

This question is a bit confusing. Implementing what updates?

1. How you will update your data protection controls to address each of the necessary updates listed above?

ANSWER:

I have NO need or intentions of saving or storing any information received/sent through MWS.

The only information I securely store in our database is what information the seller chooses to save in their profile; such as business phone number, e-mail address, company name etc.

############################################################

* I will not nor will I ever have the need to save/store any PII data *

In GENERAL however, our company policy:

================================

A) Encrypt PII AES-256

B) Delete old PII no longer needed

C) Establish an acceptable usage policy

D) Eliminate any permission errors

E) Create a standardized procedure for departing employees

F) Establish an accessible line of communication for employees to report suspicious behavior

G) perform a security check 17280 times/day (every 5 seconds)

I will:

* have proper IDAM controls in place, which will help limit access to personal data to authorized employees.

* have DLP tool to prevent any breach

* apply Encryption & Pseudonymization over SSL, both ways, on all data

Per your policy, I will:

===================

A) assign a unique ID to each person with computer access to Amazon Information.

B) not create or use generic, shared, or default login credentials or user accounts.

C) implement baselining mechanisms to ensure that at all times only the required user accounts access Amazon Information

D) always review the list of people and services with access to Amazon Information on a regular basis WEEKLY, and remove accounts that no longer require access.

E) restrict developer employees from storing Amazon data on personal devices.

F) maintain and enforce "account lockout" by detecting anomalous usage patterns and log-in attempts, and disabling accounts with access to Amazon Information as needed.

G) create and maintain a plan and/or runbook to detect and handle Security Incidents. Such plans must identify the incident response roles and responsibilities, define incident types that may impact Amazon, define incident response procedures for defined incident types, and define an escalation path and procedures to escalate Security Incidents to Amazon.

H) review and verify the plan every month and after any major infrastructure or system change.

I) investigate each Security Incident, and document the incident description, remediation actions, and associated corrective process/system controls implemented to prevent future recurrence (if applicable).

J) maintain the chain of custody for all evidences or records collected, and such documentation must be made available to Amazon on request (if applicable).

K) inform you within 24 hours of detecting any Security Incidents.

L) NOT notify any regulatory authority, nor any customer, on behalf of Amazon unless Amazon specifically requests in writing that we do so.

M) inform you within 24 hours if our data is being sought in response to legal process or by applicable law.
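Two of the quoted requirements (Access Management's "account lockout by detecting anomalous log-in attempts" and Logging and Monitoring's "logs must not contain PII" plus "alarms on multiple unauthorized calls, unexpected request rate, and access to canary data records") are concrete enough to show in code. The following is an added example written for this thread; it is not code from the original poster, from Amazon, or from MWS. The event field names, the thresholds, the canary order id and the sample log lines are all constructed assumptions.

```python
"""Added example, not from the thread or from Amazon: a minimal audit-log
pipeline that (1) redacts PII before an event is written to the log and
(2) scans the written log for the suspicious patterns the quoted policy
names.  Field names, thresholds and the canary id are assumptions."""
import json
from collections import defaultdict

PII_FIELDS = {"buyer_name", "buyer_email", "ship_address", "phone"}  # assumed schema
CANARY_ORDER_ID = "CANARY-0000"   # assumed decoy record no real workflow touches
FAILED_LOGIN_LIMIT = 5            # lockout input: failed logins per user
UNAUTHORIZED_LIMIT = 3            # repeated unauthorized API calls per user
RATE_LIMIT_PER_MIN = 50           # requests per user per minute


def redact(event: dict) -> dict:
    """Copy of the event with PII values replaced, so the log itself holds no PII."""
    return {k: ("[REDACTED]" if k in PII_FIELDS else v) for k, v in event.items()}


def write_log_line(event: dict) -> str:
    """Serialize one redacted event as a JSON line (what would go to the log store)."""
    return json.dumps(redact(event))


def analyze(records):
    """Return (user, reason) alarms found in parsed log records, in detection order."""
    failed_logins = defaultdict(int)
    unauthorized = defaultdict(int)
    per_minute = defaultdict(int)
    alarms = []
    for r in records:
        user = r["user"]
        minute = r["ts"][:16]                      # "YYYY-MM-DDTHH:MM"
        per_minute[(user, minute)] += 1
        if r["action"] == "login" and r["status"] == "failed":
            failed_logins[user] += 1
            if failed_logins[user] == FAILED_LOGIN_LIMIT:   # fire once, at the threshold
                alarms.append((user, "failed_login_burst"))
        if r["status"] == "unauthorized":
            unauthorized[user] += 1
            if unauthorized[user] == UNAUTHORIZED_LIMIT:
                alarms.append((user, "repeated_unauthorized"))
        if r.get("order_id") == CANARY_ORDER_ID:              # any touch of the canary
            alarms.append((user, "canary_access"))
        if per_minute[(user, minute)] == RATE_LIMIT_PER_MIN:
            alarms.append((user, "request_rate"))
    return alarms


def sample_events():
    """Constructed sample audit events (not real traffic)."""
    ev = []
    for i in range(5):   # five failed logins by one user
        ev.append({"ts": f"2020-01-01T09:00:{i:02d}", "user": "alice",
                   "action": "login", "status": "failed"})
    for i in range(3):   # three unauthorized order lookups by a service account
        ev.append({"ts": f"2020-01-01T09:01:{i:02d}", "user": "svc-report",
                   "action": "get_order", "status": "unauthorized", "order_id": f"111-{i}"})
    # normal lookup carrying PII that must be redacted, then a canary hit
    ev.append({"ts": "2020-01-01T09:02:00", "user": "bob", "action": "get_order",
               "status": "ok", "order_id": "111-7", "buyer_email": "jane@example.com"})
    ev.append({"ts": "2020-01-01T09:02:05", "user": "bob", "action": "get_order",
               "status": "ok", "order_id": CANARY_ORDER_ID})
    for i in range(50):  # bulk job hitting the per-minute rate threshold
        ev.append({"ts": f"2020-01-01T09:03:{i:02d}", "user": "bulk",
                   "action": "list_orders", "status": "ok"})
    return ev


def audit_lines():
    """The redacted JSON lines as they would be stored."""
    return [write_log_line(e) for e in sample_events()]


def run_demo():
    """Parse the stored lines back and run the monitor over them."""
    return analyze([json.loads(line) for line in audit_lines()])


if __name__ == "__main__":
    for user, reason in run_demo():
        print(f"ALARM user={user} reason={reason}")
```

The redaction happens before the line is written, so the stored log satisfies the "no PII" clause while still keeping the order id the canary check needs; each alarm fires exactly once when a counter reaches its threshold, which is the signal an account-lockout or investigation step would consume.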

#2

It can be challenging to get approved for PII access. It is not just a matter of answering the questions correctly; your computing environment must also meet all of the requirements (regardless of your plan to store PII or not)…

If you are not able to get the assistance you need on this forum, you can hire someone to assist you. See this developer FAQ #8:

http://docs.developer.amazonservices.com/en_US/faq.html

8. Can I hire someone to help me meet the requirements described in the Data Protection Policy?
Yes. The AWS Partner Network is a resource that might be of assistance.

Also if you want to discuss with me offline, you can send me a private message on this forum.

David Nelson
Dynamic Enterprise Technologies Inc
Seattle Washington USA


#3

I just sent you a message.


#4

Were you able to get approved for PII access on orders?


#5

Got flat out denied. Spent sooooo much time; it truly was exactly what they needed and asked for, and I had several experts look at it as well. It was absolutely flawless, but I think they just shut down any more new access to PII.


#6

I have heard from multiple developers this week that they received notice from Amazon that Amazon is no longer giving out PII access until further notice. These were developers trying to get multi-seller access to provide seller services, not sellers trying to get PII access to their own seller account.

Moderator_Edit (Ricardo_Amazon_Mod): removed personal information.