3 weeks ago, I woke up to a pissed off customer telling me her payments were broken. My startup uses Stripe Connect to accept payments on behalf of our clients, and when I looked into it, I found that Stripe had decided to deactivate her account. Reason listed: 'Other'.
Great.
I contact Stripe via chat, and I learn nothing. Frontline support says "we'll look into it." Days go by, still nothing. Meanwhile, this customer is losing a massive amount of business and suffering.
After a few days, my team and I go at them from as many angles as possible. We're on the phone, we're on Twitter, we're reaching out to connections who work there / used to work there, and of course, we reach out to patio11. All of these support channels give us nothing except "we've got a team looking into it". But Stripe's frontline seems to be prohibited from offering any other info, I assume for liability reasons. "We wouldn't want to accidentally tell you the reason this happened, and have it be a bad one."
We ask:
1. Why was this account flagged? "I don't have that information"
2. What can we do to get this fixed? "I don't have access to that information"
3. Who does? "I don't have access to that information"
4. What can you do about this? "I've escalated your case. It's being reviewed."
I should mention at this point that I've been running this business since 2016, my customers have been more or less the same since then, and I've had (back when it was apparently possible) several phone conversations with Stripe staff about my business model. They know exactly who our customers are and what services we offer, and have approved it as such.
After a week of templated email responses and endless anxiety, we finally got an email from Stripe letting us know that they had reviewed the account and reactivated it. We never got a reason for why any of this had happened, despite asking for one multiple times. Oh well, still good news right? Except nope, this was only the beginning.
This morning I woke up to an email that about 35% of my client accounts had been deactivated and were "Under review", the kicker here being that one of those accounts is the same one they already reviewed last week! This is either the work of incompetent staff or (more likely) a bad algorithm. No reasonable human could make this mistake after last week's drama.
So currently, my product doesn't work for 35% of my customers. Cue torrent of pissed off customer emails.
And the best part is, this time I have an email from Stripe: Apparently these accounts are being flagged, despite the notes on our file, and despite the review completed literally last week, as not in compliance with Stripe's ToS. They suggest that if I believe this was done in error, I should reach out to customer support. Oh, you mean the same customer support that can't give me literally any information at all other than "We have a team looking into it"? The same customer support that won't give me any estimates as to how long it's going to take to put this fire out? The same customer support that literally looked into this a week ago and found no issues!?
I feel like I'm going crazy over here. These accounts have hundreds of thousands of dollars in them being held hostage by an utterly incompetent team / algorithm that seems to lack any and all empathy for the havoc they wreak on businesses when they pull the rug out from under them with no warning, nor for the impact they have on customers when they all of a sudden lose all ability to make money. And all that for an account that has been using Stripe for nearly 7 years without issue!
This goes so far beyond "customer support declining at scale." If lack of customer support means that critical integrations start to fail, that's not a customer support failure, that's a fundamental business failure.
Go sue them. Also, cannot a class-action lawsuit be initiated against them? We already have many people going through such cases...?
For example, selling video game digital products like a strategy guide is benign, but the gaming industry is rife with fraud so most processors will give you shit if you're in the gaming niche, let alone (non-crypto) digital currencies, crypto, health products, non-snakeoil supplements, etc.
always read the fine print
For example, a few weeks ago the founder of Tailwind tweeted [0] about how Stripe had shut down their account when they were set to launch the Tailwind Job Board, despite many other job boards also using Stripe and there being no obvious increased risk. Any rational person would protest the fact that Stripe does not approve of this business.
Compare that to what I've seen on various Facebook groups about Stripe shutting down accounts. People aren't descriptive about what exactly they're selling and it usually boils down to "coaching" or some other gray area.
[0] https://twitter.com/adamwathan/status/1550092016242946049
Crypto is not at all decentralized.
I mean I love supporting startups, and YC, but Stripe has a $100b or whatever valuation... They'll be cool.
How many companies using Stripe have had multiple conversations about the TOS? I would guess it’s a minority. Not a topic anyone is usually excited to talk about.
Consumer protection is "good, actually", and while a financially robust entity is always better served by having options and backups, it's reasonable to assume that those luxuries are not available to everyone and should thus not be the expected modus operandi of a standard enterprise.
Charitably, I'll assume you meant "you should have other methods, as backup", which is decent advice. It's just really shitty when you frame it as a default expectation that was "fucked up".
>So currently, my product doesn't work for 35% of my customers. Cue torrent of pissed off customer emails.
Okay? You should have always had a plan for this bc it's bound to happen eventually. Switch them to a new merchant or drop them as clients and take the heat. The cost of just being a middleman.
We have many such systems being developed, but you get downvoted on HN for promoting them, since people assume you are a scammer, a criminal, etc.
There are more and more Stripe horror stories like this, and from an outsider perspective it looks awfully like PayPal behaved back in the day (probably still does but I'd never touch it again as a merchant).
I have positive experiences with using Stripe in my last startup and we're currently building Stripe integration on another, which will process about 50% of our revenue (the other payment method being direct wire transfer).
There might be just a tiny minority of people that end up treated like this, but with every story, I'm less confident about our move.
If for some reason Stripe wants to withdraw that support, they must give their reasons and a proper period for transition to another provider.
Stripe abstracts away a lot of the complexities involved in the payment and banking world, but there's a ton of infrastructure there related to detecting fraud and money laundering. Unfortunately, the lack of transparency makes what might be a leaky abstraction look like a Kafkaesque bureaucratic nightmare.
Side note: the cryptocurrency shills in this thread are pathetic.
The real culprits here are the people trying to violate the TOS, plus everybody's desire for cheap services and easy onboarding. The historical alternative was very expensive setup (e.g., spend a few years building a relationship with your local bank branch manager and establishing a financial track record). Making it easy to get started means that most problems will show up down the road, and the lower merchant costs mean less money to pay for smart people to carefully untangle the truly dodgy from accounts that just look that way.
However, that’s different than a singular actor, but more importantly, nothing is stopping a counterforce from coming in and correcting that regime. It’s possible we may see email revert to a less centralized form over time as various people choose to prioritize working that problem (and can make headway, because of how email works.)
I have seen way too many stories about people claiming to have been banned for no reasons from services (online video games are a popular one) before it is revealed the ban was 100% legitimate, to take any new story like this at face value.
It's an arms race with fraudsters that eventually sucks in legitimate businesses.
The pendulum of centralized vs de-centralized architectures has been swinging full tilt in the direction of centralized for some time. It is stuff like this which will eventually swing it back the other way.
In most cases, you will not be given details if fraud is suspected. The reason being that companies don't want to tell fraudsters how they got caught.
I guess I'm not rational. What's the issue with running a job board and charging for posts through Stripe?
It is also very common.
https://twitter.com/patrickc/status/1550136569482252289
""What is happening?" => basically, a major uptick in attempted fraud over the first half of this year that necessitated making our systems stricter. But have an idea for a structural fix here. More soon. (DM me if you've had problems on this front.)"
The DM part may only apply to the high profile person he's responding to. :-)
There's definitely a space for 'digital cash', for sure, but consumers will prefer the former.
When it comes to money, there are just deeply inherent issues of dealing with fraud, spam, goods not delivered etc. etc.. which adds significant overhead to the whole system.
Most people playing above-above board don't have a problem.
Usually in these cases, it's because something semi-shady is being sold, and it usually contravenes one of the T&Cs of Stripe.
The OP here didn't tell us what line of business they were in.
Looks like these erroneous holds/deactivations are costing Stripe real business.
.. and then it would become a bit unmanageable for 'edwin', and then they would have to create support@stripe.com or whatever (like literally every other company on earth) and set up an appropriate way of dealing with customer complaints.
And it looks like Stripe has been targeted by US State Attorneys frequently https://decrypt.co/42444/stripe-pays-120000-to-steer-clear-o.... So I can't fault them. They've got hundreds of thousands of irate algorithm victims that they're dealing with but those victims can't throw them in jail or seize their assets.
I hear you about cloud dependencies, but this isn't one of those cases.
Just like here. We have those "Stripe shut me down" posts on HN regularly.
Oh look! 49 days ago: https://news.ycombinator.com/item?id=32263421
Genuinely can't tell what you're suggesting the business model problem is with Tailwind Jobs?
According to the CEO at Stripe, the issue with the Tailwind example you listed was "a major uptick in attempted fraud over the first half of this year that necessitated making our systems stricter. But have an idea for a structural fix here. More soon." And then Tailwind Jobs was reactivated.
Asked support, got 2 weeks of "we're working on it"... And finally a "You're using Opal, you can't enable issuing".
They're losing thread fast.
Most real payment processors (e.g. banks, merchant services companies) “underwrite” a company BEFORE allowing them to process. Underwriting means they look over the business model, financials, etc and make sure the business is an acceptable risk, not doing anything illegal or against their terms, etc. So you’re more likely to be declined initially, but if you’re lit up, you should be good for the future because the underwriters actually saw the deal and approved it.
While I haven’t worked for these other companies, a lot of experience seems to show that Stripe, Square and PayPal operate differently: they light up ANYONE, and then only underwrite when the account hits a critical threshold of revenue. So it’s easy to get an account there, but if you scale up, that’s when you’ll be scrutinized and potentially terminated. It’s a very unethical practice because it ends up hitting businesses at the worst possible time, when the termination or suspension causes a huge financial hit.
So basically, always have a backup processor and use these web based services at small scale to prove out your model, but NEVER rely on them as your sole payment solution.
I made a mistake out of inexperience, was refused the chance to correct that mistake, and all of my PayPal accounts -- including my PERSONAL account that I had had for years -- were banned because they were started by a person (me) who had an account frozen or banned. Is that a legitimate enough story?
What people forget is interfacing with systems designed to operate in the real world is at best an abstraction over this difficulty and eventually it gets exposed for the mess it actually is.
"What is happening?" => basically, a major uptick in attempted fraud over the first half of this year that necessitated making our systems stricter. But have an idea for a structural fix here. More soon. (DM me if you've had problems on this front.)
I use Stripe for invoices, but I can easily send an invoice through another platform if needed.
For processing transactions on the web, I would always lean toward using a service like ChargeBee that allows me to setup multiple payment gateways.
Getting off the ground quickly is one thing, but the moment that you have reliable revenue is the moment that you need to put some serious emphasis on redundancy across your business to plan for disasters, outages, etc. It's worth it to pay the fees to maintain a 2nd (or 3rd) payment processor once you have that type of revenue coming in.
yeah, I'm sure it's a minority of accounts at stripe, but seriously, do not take the chance!
Inability to explain it is infuriating. Absent an explanation, everyone's default assumption should be that they did it randomly, by mistake, or maliciously, and that they're liable for damages. If S is being told by law enforcement to do this, fine, I get it, but at least do an EOY report like everyone else saying '90% of our unexplained holds were court orders, stop blaming us and help us reform this'.
'Governance through obscurity' isn't going to be any better than security through obscurity
PayPal had banned me because I was under 18 when I opened my account, they then allowed me to open a new one (right after this one got suspended) and it has been working fine without any issue since then (10 years+).
Stop doing shady stuff.
This isn't a hard problem for technical reasons, it's all political. It's about preventing money laundering and trying to fight crime via financial instruments. But it also means any payment system that doesn't implement these restrictions will almost instantly be overrun by criminals because they are highly motivated to find ways of moving money.
Stripe's abuse detection should be factoring in the age and long-term activity of the account, and support staff should be able to provide additional information to customers with established histories. Some of Stripe's policies make sense when dealing with new accounts, but a recurring factor in these complaints is that the account isn't new.
(Google's spam detection is broken in a similar way.)
I've been a low-volume Stripe customer for years. Posts like this are really increasing the urgency for me to come up with a new card processor, because I'd rather take an additional percentage haircut to get access to a dispute resolution process that recognizes me as an established customer.
(or if you are trying to be pseud, let me interview you and I'll write it)
if this is SOP it's important information
Then Stripe can FORKING SAY SO UP FRONT.
And those businesses can grumble but go elsewhere
Implying that you are happy to take on responsibility for infrastructure of someone's business, then unilaterally and without notice or opportunity to cure any issue, is pretty much tantamount to theft. Stripe in this case appears to be accepting money, then failing to provide service, and in this case is even holding onto money paid to their customers. This causes a lot more damage to others than it does to Stripe.
I don't like externalizing problems to other parties as a business model.
Is there a common theme between these posts?
Yes because that is so simple and there are so many competitors that provide the same level of service /s. Also there is no guarantee anyone else in this space is better than Stripe (when it comes to customer service). I can tell you the company I attempted to switch to had terrible docs, a bad API, horrible support, oh, and their shit just didn't work randomly. This is not clear-cut or simple.
> You should have always had a plan for this bc it's bound to happen eventually.
Throw some victim blaming in as well for good measure.
> The cost of just being a middleman.
Middleman, aka providing a platform that uses payments? That's what we are calling a "middleman" now?
Source: I used to run adult websites which is considered 'high risk' and also these days responsible for overseeing 1M/m in CC processing for a state agency.
https://news.ycombinator.com/item?id=30363800 (Feb 2022)
https://news.ycombinator.com/item?id=30106006 (Jan 2022)
https://news.ycombinator.com/item?id=30105990 (Jan 2022)
If you keep doing it, we're going to have to ban you, so if you'd please review https://news.ycombinator.com/newsguidelines.html and stick to the rules when posting here, we'd appreciate it.
As much as I hate government intervention in business, it really seems like there needs to be a way to force companies to actually be direct, accessible, and reactive in cases like this. I went through something similar with Venmo randomly locking my account after I received a large-ish payment, and not getting any real action or sense of urgency on their side.
if it's egregious, I'm assuming someone from stripe could get in here and ask permission from the OP to explain to the community what happened?
> 7.2.3. Data Export Following termination or expiration of a Subscription, We will retain that Account’s Service Data for one hundred twenty (120) days from such date of termination or expiration (“Data Retention Period”).
I mean, ideally we need an open source PCI compliant equivalent of ChargeBee so that you can 100% own your customers' payment information.
That's the way this problem really gets solved, but the security surface for that open source project is going to be a challenge.
Huh? Of course they do. Just one example:
https://www.paypal.com/us/smarthelp/article/what-is-paypal%E...
Creating a new account on here to potentially get support is just plain wrong, and needs dealing with IMO. Should never hit the front page.
How can any founder rely on Stripe, much less recommend the platform, if you need to have a backup system in place “just in case”.
Email Edwin and also reply to their comment on HN conveying the high level summary of what you think is going on with your account.
Normal Stripe support reps seem to stick to the script no matter what. Edwin has fixed edge cases for HN users in the past thankfully.
One year ago this month, Twitter permanently suspended a 340,000-follower account for “repeated violations of our COVID-19 misinformation rules.” The owner of that account, the former New York Times reporter and vaccine skeptic Alex Berenson, responded with a lawsuit demanding reinstatement. . . .
. . . Earlier this summer, Twitter put Berenson’s account back online, noting that “the parties have come to a mutually acceptable resolution.” Berenson wasted little time in calling out mainstream media for failing to cover the “pathbreaking settlement” that led to his return. . . .
https://www.theatlantic.com/technology/archive/2022/08/alex-...
Thank you for sharing your insight!
Realistically, more humanly, payment processors and other big tech companies that are basically society's digital gum and infrastructure can simply not be tasked with making these calls. I also don't think they are very keen to do it but in the absence of timely regulation they must.
There have to be more rigorous ground rules (what is the business allowed to do, what must they do, what is the user allowed to do, and what are they entitled to), by law, and quickly.
The risk profiles are different. That is the only thing the payment processor cares about, same reason why adult services get shunned. Not because they are puritans, it is because the risks of fraud and chargebacks etc. are much higher.
Coaching is a service, unlike Tailwind the software, that can have varying success and satisfaction levels; customers probably do higher chargebacks, and Stripe's automated systems or low-level staff with a playbook likely rejected it until someone senior got to see the bad press and got it fixed.
Although I agree that there are a lot of TOS violators out there, there are also legitimate businesses suffering real and tangible harm from these actions.
This case in particular sounds interesting. They were reviewed and the problem was fixed, and they were then again given the big ban hammer. In this case, I suspect the liability must shift to the provider for causing harm through failed processes/systems under their control.
Just my 2c
Then you only lose the recurring payments on the lost provider that are on hold, and you are not dying, so you can resolve that problem using a lawyer.
This is crisis management, not technical perfection that you need for those situations.
We hadn't charged a single live customer yet, but we had done plenty of tests using the Stripe testing environment. So we go live with a huge launch event, and we have customers signing up in droves. When they get to the last step -- payment -- they get an error.
Logging in to the dashboard I didn't see any indication that there was anything wrong with our account. No alerts or notices. We had already gone through the approval process you go through when signing up, and been told we were approved.
The thing that surprised me the most was that there was just no indication anywhere that our account would not be able to charge cards. Wouldn't it make sense for there to be an indicator somewhere that just says "Not ready yet"?
Apparently, they had never even begun reviewing/vetting us since the time we signed up for the account months earlier. We reached out to customer support and it took them about two weeks to get us activated. And, similar to OP, they never gave us a shred of information about what was going on. I still don't know to this day what the issue was.
Next time I build something with Stripe I'm going to test it in production before launching, with my own real credit card!
And then one day last month I got an email saying my account had been banned. They would not give me a reason, and told me if I tried to open a new account it would be banned as well. Good riddance, I don't need them anyway, but talk about burning any vestige of good will they ever had.
It seems Stripe has gone the same way now. Time to move on to the next hot payments processing startup until they get big enough that they decide to start fucking their customers too.
I get that, but I don't see how actually telling people what term of service was violated gives too much leverage to the bad guys.
Sounds similar to how subprime lenders doled out the mortgages without any due diligence. They skimmed their bit off the top in transaction commissions, but later dumped them before they became a compliance hassle.
Power can go out. Promises from the power company don’t fix that. Only backup power does.
You are right that redundancy is important, but redundancy either in cloud vendors, payment processors or even high availability of your app takes time and effort with no immediate ROI as opposed to building features, better customer service.
When running a small business you always take a lot of risks by cutting short processes large organisations will have. Judging which ones to take and which to mitigate is not an easy skill, many times people get it wrong.
While we may see Stripe chime in the thread, and make summary judgements, we will almost surely not have total visibility (and thus closure) in this case.
What possible benefit could there be to anyone in "golly gee, who could possibly know?" vs. "It's because you're selling cannabis to Iran, stupid"?
My guess is that it's because most people aren't selling cannabis to Iran, and the Real Problem is the liability they [Stripe, et al] would be exposed to if they admitted their billion-dollar system (and/or call center employees) can't distinguish between Cuba and a cubano.
Always have at least two payment processors. If you've got a lot of money on the line, get a third lined up, too.
Reminds me of collateral damage and kills in a war.
If your business is important enough that it can't risk falling into the endless hellpit of automated, anonymous, hyperscaled infrastructure, then don't build your business on automated, anonymous, hyperscaled infrastructure.
I'm not saying that's an inherently good or bad thing... But it sure would be hard to fit both customer protections laws and service guarantees while at the same time having laws that explicitly force providers to do the opposite.
I'm genuinely curious why you wouldn't have done that anyway? I pretty much always do, precisely so I can experience a full end to end user experience.
Care for the customer can make or break a company. If stripe wanted big customers they can't be this careless
(and just to be fair to Stripe there seems to be a lot of customers as well that know crap about best financial/accounting/compliance practices and don't know why Stripe might have an issue with some things)
When you use Stripe or Paypal or similar, you don't apply for your own merchant account. You make transactions using their merchant account. If there's a fraud or chargeback percentage issue, the banks will have a problem with them, not you, but it also means the service needs to be proactive in policing their clients so the banks never come after their merchant accounts.
When starting up a company, use a Stripe or a Paypal to get up quickly, but probably ramp up to using multiple quickly, so you have backups. As your revenue increases, apply for a merchant account and move your transactions over to that. There is an upfront cost, but the processing fees are significantly cheaper, and no one will pull the rug out from under you without quite a bit of correspondence. Even when using your own merchant account, you can find processors who will handle all the credit card input and transmission on their end instead of on your site, which greatly limits your PCI compliance requirements. Regardless, when you build your service, abstract the payment process such that you can easily add or switch providers. Don't be married to a single one, because at the least you should be switching to a merchant account when the application fee is lower than the transaction fee percentage difference.
Source: I also worked for (and was the principal developer of) a high risk payment processor, providing a processing gateway for individual merchant accounts serviced by an ISO. We tried to look at becoming an IPSP (I think that's the acronym), letting customers leverage our merchant accounts like Stripe or Paypal do, but it was significantly more work and process with credit card companies than we wanted to deal with.
Everything was fine, up until right after Thanksgiving. This was an ecommerce company, so a sudden 500% increase in authorization volume is pretty normal and expected. Well, not to Costco (or rather, the bank whose services they were reselling). Our account was immediately deactivated, and we ended up having to spend a week begging our previous bank to reactivate our previous account.
That first night was, personally, an all-nighter writing janky code to encrypt cardholder data with ephemeral keys and store it off-database on an isolated, firewalled host (in order to pass the PCI-DSS SAQ coming to us in January), ship the product anyway, and hope that we'd be able to authorize a reasonable percentage of that unauthenticated cardholder data in the future.
This is what happens when you make business decisions based purely on price -- or in the case of Stripe, developer convenience.
I'd love to know why certain categories are always flagged or silently banned. Cannabis, sex toys, porn, crypto, etc. Payment processors seem to always give these categories the worst service and whenever a company is nuked like this, it's usually one of these categories. Why is that? It almost feels like there's some secret government organization tasked with upholding religious values telling payment processors to fuck with random accounts and swearing them to secrecy. I obviously don't believe that, but it's equivalent to the scale of whatever is going on due to natural causes. I don't believe that these industries are prone to higher than usual fraud. So what is it?
2. Why write at all: consensus drives policy change, and information drives consensus. Writing, of any length, assembles information, bundles it into an argument, and (if the argument lands) becomes a 'capsule' around which consensus can form.
1. Why long form: room for nuance and research. Long form can include different perspectives (including stripe's -- perhaps they have a reason for these practices). It can address questions like 'what % of the industry behaves this way, what are the downsides to the banks' approach'. The interview + editing process can tease out anecdotes that sharpen the argument, or uncover new aspects of the problem.
This part is selfish, but for the writer, long form lets you improve your own knowledge of the topic, and your ability to make arguments around it.
Even if it is government under the hood you have to know what you're accused of. Not American so I doubt the US political system is interested in hearing from me, but I agree that's the only way of solving the deeper AML problems.
But in all seriousness, being a YCombinator startup is now a big red flag outside of the VC-funded bubble. My current employer, and the previous one, have strict no-YC policy for SaaS due to numerous issues with previous YC companies. And these are both tech-friendly/tech-adjacent companies.
It's even worse at stodgier companies; an executive sees "Stripe froze my payments" and that's what they remember when a Stripe salesman tries to pitch them on using stripe for their online store. Stripe is quickly becoming Google, in the bad way: it's a name people are learning to avoid, and if that hits critical mass they're dead.
While it feels like rule of the machines, it's actually rule of the fraudsters. If these payment processing platforms weren't so broadly vulnerable to fraud, they wouldn't need to rely on machines to make these critical decisions. And we can blame the credit card and ACH systems for both heavily prioritizing convenience over security via "pull" payments. Yes, crypto offers "push" payments, but those actually increase the risk of fraud for buyers. I think the killer combo is crypto with escrow, to protect buyers. But of course escrow has higher costs than just blindly transferring funds like the payment processors do. That's why this is one of those perennial problems of commerce.
If you're running a business and you find that it is utterly dependent on some single point of failure, you'd think that would be something you'd want to correct ASAP.
They can determine up front if it violates the TOS
They can notify the customer of the SPECIFIC violation IN DETAIL, and what can be done to cure it, and provide time to do so.
They can deny access to the transaction instead of nuking the entire business for some algorithmic flag.
The Stripes and PayPals of the world do NONE of this. Instead, they act like they accept almost all businesses, get them dependent on that piece of infrastructure, then willfully trash the business on a whim.
It’s not just getting banned, they could change their pricing on you or just straight up close their doors. You never want your business to be totally dependent on another company. If it can’t be avoided, get on a service contract with them.
Your best bet is to pay the slightly higher fees by going directly through your actual bank.
    display_cc_form_that_handles_cc_data_so_we_do_not_have_to() {
        which_one = random_number(3)
        switch which_one {
            case 1:
                display_authorizedotnet_form()
                break
            case 2:
                display_stripe_form()
                break
            default:
                display_paypal_form()
        }
    }
Plus the same integration work for each one that you'd have to do anyway (which may be little or none if you're using a platform that integrates all of them via plugins or settings or whatever)
Like maybe don't literally randomize it request-by-request, but that's how you'd be ready to use multiple processors, and you could do something a little more complex to, say, rotate which one you're on every Wednesday, or whatever. Or just have it ready so a one-line code change or config toggle switches which one you're on (that's only worse because if something's not used frequently in prod, there's a good chance it doesn't actually work, even if it once did)
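The rotation and config-toggle idea from the comment above, sketched in Python as an added example (it is not part of the original comment or anyone's production code). The adapters are hypothetical stand-ins for each processor's hosted card form; `ProcessorRouter`, `ProcessorUnavailable` and `demo_router` are names invented here.

```python
import datetime
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

# Processor names taken from the pseudocode above.
ORDER = ["authorizedotnet", "stripe", "paypal"]


class ProcessorUnavailable(Exception):
    """Raised when a processor's hosted form cannot be shown."""


@dataclass
class ProcessorRouter:
    adapters: Dict[str, Callable[[], str]]   # name -> renders that hosted form
    order: List[str]                         # rotation order
    pinned: Optional[str] = None             # config toggle: prefer one processor
    disabled: Set[str] = field(default_factory=set)
    failures: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if not self.order:
            raise ValueError("at least one processor is required")
        names = set(self.order) | ({self.pinned} if self.pinned else set())
        missing = names - set(self.adapters)
        if missing:
            raise ValueError(f"no adapter for: {sorted(missing)}")

    def rotation_index(self, today: datetime.date) -> int:
        # Ordinal 3 (0001-01-03) is a Wednesday, so this counter
        # increases by one every Wednesday.
        return (today.toordinal() - 3) // 7

    def candidates(self, today: datetime.date) -> List[str]:
        """Processors to try, in order: this week's primary first."""
        start = self.rotation_index(today) % len(self.order)
        rotated = self.order[start:] + self.order[:start]
        if self.pinned is not None:
            rotated = [self.pinned] + [n for n in rotated if n != self.pinned]
        return [n for n in rotated if n not in self.disabled]

    def render_form(self, today: datetime.date) -> Tuple[str, str]:
        """Return (processor name, form markup), falling back on failure."""
        for name in self.candidates(today):
            try:
                return name, self.adapters[name]()
            except ProcessorUnavailable:
                # Record the failure so monitoring can alert on it.
                self.failures.append(name)
        raise ProcessorUnavailable("no payment processor available")


def demo_router(failing=()) -> ProcessorRouter:
    """Build a router over constructed adapters; names in `failing` raise."""
    def make(name: str) -> Callable[[], str]:
        def show() -> str:
            if name in failing:
                raise ProcessorUnavailable(name)
            return f"<iframe data-processor='{name}'></iframe>"
        return show
    return ProcessorRouter(adapters={n: make(n) for n in ORDER}, order=list(ORDER))


if __name__ == "__main__":
    day = datetime.date(2024, 1, 3)  # a Wednesday
    router = demo_router(failing={"stripe"})
    print(router.candidates(day), router.render_form(day), router.failures)
```

Because the primary changes weekly, every integration carries real traffic on a regular schedule, which addresses the comment's concern about standby code paths that no longer work.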
I agree with you, as you grow, you have to diversify. However, services like Stripe Connect are more difficult and time-consuming to replicate. Stripe Connect handles the processing of many different accounts and handles skimming the commissions and then depositing the proceeds into the individual bank accounts of your users after doing some cursory KYC. This service is of course not compatible with similar services offered by other processors, so you will have to write all the handling logic and integrate with the KYC providers and possibly separate ACH deposit providers on your own.
In other words, there is a lot of lock-in with services like Stripe Connect.
A blog post also feels more trustworthy than a random social media site comment.
Shocking, I know.
As a backup plan I’d suggest talking to a bank like SVB to see if you can set that up. (It’s always nice to have a warm standby payment rail if your business depends on it, though it’s really annoying to set up fully.)
For context the SVB integration is sending a NACHA file over sftp, you could do this manually for a single batch using the Python ACH library in an afternoon.
Yes, now you need to hold account/routing info, and collect PII like SSN/TIN. This makes infosec more expensive. But not as bad an option as going out of business.
On the plus side you can turn around debits much faster, use same-day ACH, and pay a few cents per transaction.
(If you need help on scoping/implementing this I happen to be available for consulting right now.)
When I use my VISA chip and pin credit card online I sometimes, depending on merchant/amount/etc, have to approve the transaction via the credit card app. Should this be the de facto standard?
I still love them. That issue aside they allow me to have a personal and business account in multiple currencies, and don't screw me on the exchange rates.
As executives and purchasing managers get more tech-aware I think we're going to see an increase in due diligence into who is running companies, who their investors are, what other companies they've invested in, etc. Brands like YC will end up getting punished (and all their portfolio companies, by extension) for the bad actors.
Sure, you can do it, but you'll have to forever have a note in your accounts package saying 'this revenue isn't actual revenue'.
It really upsets those who want the accounts to match up to the cent at the end of the year...
Looks like they've already paid that penalty
"Do not use real card details. Testing in live mode using real payment method details is prohibited by the Stripe Services Agreement. Use your test API keys and the card numbers below."
Re: porn, the issue is its sky-high chargeback rates.
Bad actors have massive incentive to try all sorts of insanely advanced schemes to ensure their cash flow (I saw this both at MP3.com and Zynga early days). As a company, Stripe has massive incentive to stop them. If you stop 95% of bad actors and cause .01% of good actors to get caught up in the enforcement, that’s a net win for the company. If I was running Stripe, you’d be an acceptable casualty.
Of course to you, you’re not an acceptable casualty and this is a shitty situation. The advice in this thread about having multiple processors you can switch between is a technical and financial headache for you to implement, but it’s really your best bet.
I’m sorry you’re going through this, I hope it works out, but the tough love call here is you are an acceptable casualty and need to plan accordingly.
Yes this has an increased cost if your processor charges by number of customers, but I don't think that's particularly common - these two were just revenue + monthly fee.
What law do you think forbids this? In my experience running global payments through multiple rails, on an OFAC/risk ping you typically get a request for enhanced due diligence, which normally looks to the payee like “send me a picture of your drivers license”.
The most common result is that O Bin Laden (matching the OFAC list) is actually Oscar bin Laden; with further info you disambiguate the payee from the OFAC listed entity and are allowed to transact.
I have never encountered a reg that says you are obliged to ghost your customer.
That's in addition to explaining to our investors that we ended our launch day at -$1,000 due to all the chargeback fees because some dumb developer doesn't know what a testing environment is. And in addition to the fact that Stripe recommends against you testing in that way.
I did get a full end-to-end experience, in my production environment, with literally one variable changed: using the testing Stripe API key instead of the production one.
I don't know, it didn't seem like a crazy way of testing at the time. When you consider that the testing environment worked perfectly, and there was no indication, whatsoever, anywhere that we would not be able to charge cards, it kind of felt like how you're supposed to do it.
But clearly I was wrong :) The way you find out if your account has any issues is by charging a real card, and if it works, reversing it, and if it doesn't work, waiting a couple weeks with no information on what's going on. Lesson learned!
With half of the blogs that I liked I can't remember the name of the blog, it's probably either been dropped from search engine indexes for being older than a year or two or pushed to the 10th page by better SEO, or the site has simply vanished.
This is exactly why the whole process is suspect. The government farms out the policing of certain financial crimes onto the financial institutions as a prerequisite for operating the business. If the government came along and froze your bank account you’d have a right to ask why and a right to get some answers. But instead the government pawns the responsibility off onto businesses and then prohibits those businesses from telling you why.
And so the BSA and Patriot Act effectively allow the government to take your property and take away your right to confront the government about why they took your property. And it’s all on merely a vague suspicion of misconduct. No proof whatsoever.
I can’t help but laugh at the irony— the federal government laundering their otherwise unconstitutional activities through the banks.
And that's the only thing similar in here. The payment processors are not selling anything by fraudulently claiming they evaluated their quality.
What they do have is very bad customer service that is prone to a different kind of crime (withholding people's money) and creates a very unique kind of risk they don't communicate to their customers.
For processors starting out, there's nothing wrong with using Stripe or Paypal etc. When you ramp up to using your own Merchant Account, Authorize.net isn't too bad as long as you're not doing recurring payments (those get tricky), or maybe even Rocketgate.
Democratic systems won't change these laws because there is no popular support for change - there is a reasonably large 'law-and-order' and 'corruption-as-main-concern' voter demographic who strongly support these laws, and the niche of HN techies and libertarians who'd oppose them is insignificantly small in comparison; and authoritarian systems won't change these laws because their leadership supports them even more.
I do some payments that are ridiculously suspect but legal.
I have never been completely blackholed and given robot responses, any time a problem comes up.
Stripe is lower margin than other banks/payment providers, so they don't look very hard.
They have a very strong incentive to throw away troublesome customers, which they do.
I don't think it's right to say Stripe's "hands are tied".
They could spend more to identify false positives, but they don't.
If I used Stripe for all of my transactions I would be blocked. I know this because I have 100% confirmed this from an inside source at Stripe and at a country's central bank.
Yet somehow I have and continue to maintain accounts with other banks without breaking the law.
You think AML/KYC laws, as they currently exist, are unconstitutional?
edit:
That's a fine position to have, but it's a fringe one, and I don't think you should be offering it as a reason why Stripe does what it does that's generally accepted by everyone else.
You forgot the part where Paypal get to keep your money when they close your account. And it's not like they only keep it temporarily in case of lawsuits/chargebacks, they just keep it forever. I still can't believe that crap is legal.
It is like this with virtually any security system. Adding feedback you can use for debugging also makes the system much easier to compromise.
edit: As I re-read the thread I see that I am thinking more of onboarding KYC, as opposed to this case which would be ongoing-activity investigation. So that would explain the difference in expectations here. Still interested in learning more about the regs for ongoing investigations if you have time to share!
See https://www.lawsociety.org.uk/topics/anti-money-laundering/t...
I understand the idealistic benefits of freedom of payments, however, the KYC/AML restrictions are there for valid reasons that simply have much more magnitude of importance (for example, the scale of corruption and its social harm is so big that even a slight decrease in that due to KYC/AML enforcement far outweighs all the current social costs of KYC/AML) and removing them would mean that in aggregate the bad guys have won. I'm not saying that you're a bad guy, but you are an "ally of convenience" to them as achieving your position would let the bad guys win and I would consider it immoral to allow that.
We definitely should strive for better, more accurate AML/KYC implementations that have less impact on legitimate trade. But arguing for removing AML/KYC just because of that is effectively throwing out the baby with the bathwater.
> Guns, gunpowders, ammunitions, weapons, fireworks and other explosives. Peptides, research chemicals, and other toxic, flammable and radioactive materials
Why does the payment processor get to dictate whether I can run a defense ordnance company or run a scientific chemical supplies store?
Some of this stuff needs to be challenged in the court or regulated so that payment processor has no say whatsoever in whatever their belief system says about legitimacy of a business.
Porn is rife with fraud/theft/bad actors/etc.
It’s not a shadow government, it’s common sense.
There are others, I know of this Spanish startup integrating with Stripe.
In this way, you can have both your bank TPV/Payments and Stripe working alongside, if any fails just put the other, or the one giving better prices by default, etc.
The businesses were very not shady, and nowhere near morally controversial.
My impression from that piece and these stories is that Stripe is having some technical problems and it's wreaking havoc everywhere.
Because they have the legal right to do so? They could ban companies run by redheads, if they like. As long as they're not discriminating based on very specific sets of criteria established by law, they get to choose who they do business with.
The government requiring private citizenry to associate with everyone who wishes to associate with them seems like a very dark path to go down.
Think about how they can accept 100+ currencies without a relationship with some dodgy central banks in developing countries.
There are absolutely items on that list for political reasons.
https://woocommerce.com/product-category/woocommerce-extensi...
Splitting up your payments reduces your volume with each one, which can mean you're paying higher rates overall. Or, if you go the "keep an unused alternative on standby" route, you'll likely at least have some initial traffic that pays higher public-pricing rates until you can convince them to give you a better rate, and put it in effect.
Still might be worth it as a kind of insurance premium, but it's something to consider.
No appeal process, nothing. Caused significant short term cash flow issues. So be very careful using your own card.
That might be an oversight on your part or "something that goes without saying", but when your counter to the accounts being flagged "as not in compliance with Stripe's ToS" does not include "hell yes, they're/we're in compliance with the ToS", it leaves me wondering whether you're in a grey or dark grey area here.
Stripe makes this super easy, but it is a house of cards based on stories like this one. So I agree, you still need to get your own merchant account, and not rely on stripe as you get larger, but depending on your business model it might be taking more of your time generating due diligence documents than an acquisition.
I'd love for an open payment standard for p2p payments and individual-to-business/institution payments to become available so that individuals could establish their own connection point to a fair payment exchange network.
This will only come with regulation that forces it, though. See India's UPI system, for example.
Palantir came out of Paypal fraud detection
https://thehustle.co/%F0%9F%92%B3-how-paypal-fraud-made-pala...
This is probably what a business like OP's would need to do. When their customers are small, use a processor like Paypal or Stripe. But as customers get larger, OP should probably do what we did: partner with an ISO, who can get the customer their own merchant account. OP still does the processing for them, but the risk and finances run directly through the client, not OP. The ISO can also add in a margin on the transaction fees for OP if that's part of their business model.
Same goes for PayPal, Google, Mailchimp, and all the others.
[1] https://www.elavon.com/industries/cenpos.html [2] https://www.tempuspayment.com/default.aspx
And with that you cannot turn off someone's electricity (which they don't "need": see Amish) just because you don't like them. And definitely not while hiding behind an algorithm.
Betting the farm on Stripe should never be the modus operandi of a 'standard enterprise' and thank god I have never worked with anyone in any position of power over money that shared your beliefs. That is just insanity.
Why would you reverse it? If you can’t afford to consume one unit of whatever you are selling are you really in a good place to be in that business?
I guess there can be rare exceptions where the business sells only a handful of high ticket items. But then again probably Fincantieri does not let you put your bespoke mega yacht on a card through a web transaction.
This. This is a common tune to about 100% of "BigSomething killed my business" stories that appear on HN almost weekly. If you go to BigSomething, you get a polished, automated, convenient, cheap service that would not hesitate to kill your account the moment something looks wrong to any of the robots watching it, and the customer support (the non-robotic kind, I don't count "we are working on it" auto-replies) is not part of the package because it doesn't scale. You have to either accept this as the risk for doing business, or not use BigSomething as your primary or critical vendor.
I've never thought about this, but now that you've pointed it out, I'm realizing this is genuinely a fantastic feature.
Sounds like yet another of the many perks of the spartan design here. All substance, with just a hint of (cascading) style.
https://en.wikipedia.org/wiki/Texas_obscenity_statute
or google "texas six dildoes"
<edit> https://www.theregister.com/2016/12/13/us_purchase_governmen...
and https://onwardtexas.org/trending/is-it-illegal-to-own-more-t...
which was posted on HN about 3 months ago and flagged.
</edit>
They just walk in and buy one. They in their personal capacity end up richer by a burrito and some invaluable experience. The company ends up richer by the price of a burrito. If this kind of “revenue inflation” matters to anyone then either the CEO has a bad burrito addiction or the company wasn’t transacting enough anyway or both.
Also consider that if the situation continues your pissed-off downstream customers will ID you sooner or later.
I am wondering if anyone has experience with exploring alternatives other than Stripe Connect. Our use case involves multiple payouts: buyer -> seller -> [us and referral person]. Especially if you involve multiple payment providers, how do you go about handling vault and card data. Stripe Connect and PayPal separately have their own vault features. Would it be annoying for the buyer to have to re-enter payment information several times to save cards on file.
Under 29 CFR § 1606.1, national origin is defined as but not limited to: An individual's, or his or her ancestor's, place of origin; or because an individual has the physical, cultural or linguistic characteristics of a national origin group.
Don't believe me? Ask anyone at the front desk of a hotel the rate of attempted chargebacks for ppv porn.
You can get vetted by banks, visa and co for those things (maybe not cannabis with US companies) but the fees are considerably higher because of the chargeback rates. This is why onlyfans announced then backtracked the porn ban, visa told them "either you're paying us like you distribute porn, or you stop doing it".
When I was involved with taking payments through paypal that's what we did. For us there was no value in keeping payments in there but there was plenty of risk. We stopped using them very quickly though, their fees were ridiculous.
Government has made entry to this space hard which is why there aren't enough competitors, so they're really the source of the problem.
'pc86 has an interesting solution in a sibling comment, but I don't think you can do this across the high-touch providers, eg Stripe+Paypal.
If a future Court ever decides hair color denotes national origin, fall back to a different example of your choosing; people with tattoos, Mac users, viola players.
When people on HN swear up and down that Bitcoin has zero use cases, I think some may be voluntarily forgetting stuff like this.
Is Bitcoin a perfect fit here? Probably not. Does it eliminate the problem of arbitrary algorithms blocking payments for no discernible reason? Yes.
However, by a long series of deliberate actions, Stripe has made it irrelevant to the fact that they are now deliberately, unilaterally, and with zero notice whatsoever shutting down that biz' critical infrastructure.
They could have, and should have as a part of KYC compliance, already figured out what type of business it is. If they failed at that, then fine, give them 60 days notice to find other infrastructure. Stripe is taking its OWN FAILURE to properly vet their customers according to their own standards and dumping the consequences onto the ex-customers. Sorry, but unless we're talking actual provable international criminal/autocratic money-laundering, that's just wrong.
So no, in no universe is it rational to believe that trusting a resource to deliver on their promises is, in any way, "fucking yourself". You're just projecting your paranoia onto others as a mechanism for rationalization. You have the privilege of living with backups, and pretend that it makes you more reasonable than others, because it boosts your ego while simultaneously satiating your paranoia. It's fine - I always carry a full sized spare tire in my compact car. Inconvenient and hardly used, sure. But it stifles my paranoia about the many times I've needed to ad-hoc replace a tire. And has saved me more trouble than I can quantify. That doesn't mean people who can't afford a full-sized spare are 'fucking themselves' by not prioritizing it over, say, other or less-costly needs. It just means that I have privileges they don't.
I don't know if that's still the case, but these days I'm wary about using AMEX on any sort of money transfer service.
(Obviously it’s quite difficult to know the ratio of cases like these involving government investigations and those involving their own internal risk procedures.)
Op speaks of calling and emailing and reaching out … instead, pay your lawyer 30 minutes and have the letter hand delivered to their legal department.
I can’t predict what will happen but it won’t be ignored.
Very sorry to hear of your situation, but it's because of people sharing stories like this that we've been planning our migration away to a more responsible (and responsive) processor for awhile.
It's a ton of work to build new integrations, migrate data, and disrupt customers. Which tells you just how bad of an experience it is with Stripe when we'd rather spend 6-8 months moving away.
In the U.S. I guarantee you that most insurance companies are NOT doing this. What this company is doing is called "Bad Faith" in insurance jargon. And the penalties for this sort of behavior are enormous, and can even include the possibility of the company losing its license to sell insurance in a particular state.
> The insurance industry as a whole is seriously messed up and congress seems unwilling to do anything about it.
Congress doesn't do much with insurance because insurance in the U.S. is regulated at the state level, not the federal level.
I assume the government didn't want to put all the work in of making sure the currency they've societally coerced the world to use isn't being used for fraudulent transactions, they'd rather pawn it off onto the banks because it's easier for the government to not do anything about it.
Now the banks have been shooting anything and everything that has even a semblance of fraud with account locks/funds freezing/etc., because if they don't the government will go after them.
How does this system make any sense to anybody? So frustrating. Let me exchange currency with anybody for any reason at any time.
They can be proved to be incorrect, for example if they refer into their own ToS, which is public information and binding. And then some legal expert says that this is not how it goes and it ends up into court, because customer sees risks being lower.
If they made a mistake or there was a software failure, it is bad PR.
If they ban someone for some specific reason but not someone else, there will be drama.
It is very beneficial to just say nothing.
There are clearly problems at Stripe. But this kind human is not one of them.
We write a few high risk accounts per month. As a matter of fact I just had a call center run across my desk a few hours ago.
Exhaust all underwriting options as each processor has a different risk tolerance. For instance this call center is now using NMI and a rolling reserve, I've found another processor (one of the big 5) that will not fall under the High Risk thus saving a boat load not to mention negating the accounting nightmare that comes with rolling reserves and high risk processing.
Stripe and other companies are doing their best, but they are in an arms race with more and more elaborate fraudsters. At planet scale.
They probably mainly just don't want people running shitloads of automated-test charges and issuing refunds for all of them. It may technically be against the TOS but there's no way they actually care if you run the occasional real-credentials test, especially if you don't refund it.
Now if you are in line for a large payout the insurance company will definitely review your application to see if you lied. Significant lies will get your policy cancelled and no payout. So don't lie on any insurance applications.
We may be talking past each other here. I was referring to property and casualty insurance in my comment, while it sounds like you're talking about health and disability insurance. Two completely different worlds and regulatory frameworks.
Others (adult services) are not due to government regulations, they are there simply because banks don't want to deal with chargebacks.
More and more, we just keep acting dumber as "tech" is more and more engrained
All the while the rest of us know absolutely nothing about what just happened!
What exactly is going on? What is the business model? And why does it require that these cases reach Hacker News before they are solved by @edwinwee!?
... which is to say that, yes, you and I as people who work deeply in a space, of course we know this thing is a SPOF. Everyone else? They don't know that. It took me a long time to acquire the empathy needed to talk them through this stuff, but it made me a better communicator, and it helped an awful lot of them understand.
I guess in the case of the orchestrator you linked they retain the card details and can then charge using any of n processors, though I'd be interested in thoughts from the overall thread where people are advising to be ready to change payment processor
Which is total bullshit. If you hadn’t, or didn’t really have the means to, create such a hubbub on social media about this, your issue would never have been resolved.
I actually think it’s worse when companies do this, rather than fix the clear, underlying support problem.
I know HN has a natural dislike to anything crypto, but I really hope crypto can eventually bypass this bullshit
Maybe fail open until you fix the payment processor issues? Seems it would be better to take the short term hit monetarily for long term gains and retain your customers than lose 1/3 of your user base.
1. Tomorrow we're regrouping with the team to see how we can improve our processes to prevent a similar case from happening again.
2. We're working on a new version of the Stripe Connect dashboard right now. There will be much more detail on which connected accounts are restricted and how to resolve the issues. We want to release it soon and I think it’ll provide platforms better visibility into the state of their accounts.
I wish I could remember the details better. They were focused on small business owners, retail mostly. I think they started out with an interview of someone with an interior design-related business.
Everyone runs 1-3 “real transactions” as a “real customer” when getting ready for a launch with QA.
This clause exists for Stripe to point to for excuses people make when attempting to wash transactions or test stolen CC info in a prod environment (which doesn’t work with a test API key)
With an actual merchant account you can probably get closer to 2% or at least 2.5% + 25-30¢
At 5 million in transaction revenue, a .5% decrease would be 25k a year. You can probably get a larger decrease depending on how much risk your company's business has.
Stripe's sales rep might be contacting your company because you've hit the threshold where it's probably worth getting a merchant account, and they want to see if you're considering leaving to give you a discounted rate to stay. You're pretty much in Stripe's retention department because of your volume. It is definitely worthwhile at this point for your company to shop around for a merchant account. Some don't even have application fees if you're not a high risk business. At the least they can get an idea of how much they could save, and use that to leverage lower fees from Stripe.
I would still consider trying for a processing gateway that handles all the card transmission, though, even at a slightly higher margin. Handling the card at all means you need PCI Compliance. At your revenue you're probably PCI Level 2 or 3, which only requires a self-assessment questionnaire (that is lengthy but doable), and a quarterly vulnerability scan. At 6 Million transactions a year, you'll be PCI Level 1, which means you'll need an auditor to come in and look at your processes and policies.
There you have it. Their core business model is to process payments for their own customers and they are gaslighting them with passion.
Lesson for all of us: We all are working to get paid, so before you finalize your payment processor and start the integration, make sure you are able to reach out to them via multiple mediums - phone/chat/email.
I believe it's time to show these idiots at S - how it's done. I've heard their founders talk, they come across as over-grown kindergarten kids. S to graveyard. The story of past.
Because of this, I strongly recommend connecting to Asian payment processors. Even Chinese is more reliable than western these days.
Initial form questions like "tell us if you have ever been to hospital for anything serious?", you're thinking "I'm not sure if that time I dropped in to the GP 5 years ago with a headache counts as serious [same for other things that seem trivial over the years, just being sensible]".
You phone the insurer to check, they say "oh there's no need to put that down, it's not meant for trivial things, you'd have to write an essay in a small box if we meant literally anything conceivable; don't worry about it". You couldn't possibly hope to remember every tiny thing over the years anyway, unless you had access to your various written medical records held by various parties.
10 years of premium payments later you make a claim because you now have MS, you need support and treatment, a brain scan confirms physical issues, and..... "your policy is invalid because you didn't tell us about that time you went in about a headache 15 years ago". They still keep the 10 years of premiums though.
You take them to court. Your lawyer mentions that this is extremely common practice by health insurance companies. They don't provide you with any way to confirm if your policy is valid until you make a claim, then it's too late. You did what you thought you were supposed to do. The lawyer says most people who then take the insurer to court are unable to prove they were misled, and the insurer keeps the premiums you paid despite not providing any actual insurance.
Don't ask me how I know.
I assume US has something similar to address issue like this where financial platform is acting like this?
It is obviously of interest to many in the community if services they might use or consider using themselves are having problems or letting their customers down. I personally have no problem with leveraging the publicity that social media affords to get a problem resolved if those services haven't got their act together within a reasonable amount of time.
However there is a serious risk of unfair or just plain incorrect reporting when one side gets to set the agenda and the other side either can't respond for legal/regulatory reasons or has their response buried among the other comments. People can be far too quick to reach for the pitchforks in these discussions before knowing all the facts and on sites with voting mechanics there is a danger of mob mentality distorting the subsequent discussion as well.
In this case it looks like Stripe probably did handle some aspects of this situation poorly (bad and people deserve to know it can happen) but are probably also taking steps to avoid screwing up the same way in future (good and people deserve to know that too). Then everyone can form their own opinions and discuss the issues but at least starting from a relatively balanced and well-informed position.
"Hi, we've noticed an increase of frauds/chargebacks on your account so we have taken X action"
That also doesn't really explain why long-standing, established customer accounts were frozen with this particular business.
For example, OP says they've been reaching out to Stripe and couldn't really get any answers but somehow you were able to get all of this cleared up within the day.
I get that a "regulated space" complicates things, but why was the client cleared last week and what changed? Why last time was it only shutting down a single client and this time 35% of clients? Is this done on a customer by customer basis or are there other stories out there of customers who were/are affected today by the same issue?
Lastly, when someone (a reviewer?) at Stripe shuts down an account do they notate why the account was shut down and if so, is there a reason this isn't shared (at least with frontline support)?
Now we're asking that to stay true to that part of the company. Not because we want to see them fail but because we want to see them succeed.
It's much harder to engineer a payment abstraction layer with recurring payments where you're not relying on Stripe's subscription features that are not migratable to another payment processor.
Although I guess doing lots of refunds would mess with anti-fraud and other systems.
I just do special pricing/discounts to do a $5 transaction (too small could look like credit card fraud).
Just you saying that makes me say it's a bad idea because that framing in itself is emotionally charged which increases the odds that protest could turn into violence/physical intimidation. That's not terribly wise when there are alternative options for payment processors available.
Test in production. Do real dollar value tests. If you can test with different cards with different security levels, try a Visa 3D Secure and a 2FA Amex charge. Personally I do them and then get reimbursed (or do them directly on a company credit card) rather than start out a production payment history with refunds, not sure if that matters but I figure if it does it's got to be a bad signal so I may as well avoid it.
Except the operationalization of those rules is: here are some vague guidelines that you have to follow, and if we don't like you we'll retroactively decide you were committing a crime even if you followed those guidelines to the letter. See HSBC for a case in point.
This doesn't really help. When you link your bank account with PayPal the link is 2 way. I.e. PayPal can, without any input from you, transfer money out of your account. They can even do that if the account is empty. Your bank will almost certainly allow an overdraft on your account and you're still liable for the amount + overdraft fees.
I had some issues with PayPal about a year ago and a senior rep at my bank talked me through these details.
With my bank, it wasn't even possible to turn off the overdraft feature.
Bottom line is, PayPal almost always wins.
https://www.reddit.com/r/paypal/
and
https://www.trustpilot.com/review/paypal.us
and
https://www.bloomberg.com/news/articles/2022-06-03/paypal-cu.... (which was attempted as a class action lawsuit)
That's the trick. Let Stripe put the money into your bank account and let them think it's a real sale (not a production test), then refund the money out of the bank account back to the person whose card was used instead of refunding or reversing the charge. Stripe don't need to know about that.
(You also owe yourself "due diligence" in knowing that you _can_ refund or reverse charges, so you'll also do that test in production as well, but don't make it one of the first transactions you ever do in prod. I try to stretch that test out until after a 60 day window past the first few dozen real sales have gone through, under the assumption that by then Stripe (or whoever) will have seen a bunch of payments go through and not be challenged when the CC statements arrive, and that'll have sent some "probably not a new fraudulent merchant" signals into their systems.)
After all, they have a track record of screwing you over again, after fixing and checking your account. Whatever triggered that could do it again when you least expect it, despite Edwin's good work. Probably the triggers haven't changed as you are still running the same business.
(Like several other commenters, I was thinking of using Stripe as a main payment processor before seeing this article because of their great API, documentation, test mode and ease of setup. They seemed like a good choice, but I had wrongly assumed they were reasonable and reliable and if there were issues they could be resolved; that I didn't need to worry about Stripe being shady themselves. Now I've learned Stripe is like the Paypal of old when it comes to killing a business abruptly with no warning or recourse. That's so severe it cancels out every benefit and feature. With much disappointment I now feel it will be necessary to evaluate other services instead.)
Operation Choke Point pretty much worked like that.
I don't have a problem with the government fucking with the cannabis business given that it's still federally illegal, but the messing with legal businesses needs to stop.
I would bet that 99.9% of the Stripe (and Paypal) horror stories that get posted almost weekly are _not_ federal money laundering or terrorism financing investigations with legal secrecy provisions imposed on the payment processor.
One of the attacks that fraudsters have developed is to buy businesses to use their accounts for fraud. That going out with a fraudulent bang is better than trying to run a marginal business.
I'm curious as to why you think that? Is this a way way more common thing than I expect? Or is "My startup uses Stripe Connect to accept payments on behalf of our clients" a raging red AML flag I don't recognise (I've never done that, so it could easily be)?
While I don't know what the incentives are for payment processors, they act as though they are under a quota, similar to SARs in banks, where it's mainly about showing they are getting petty crime as a means to protect their interest in partnership level crime.
7 days(!) of interactions with their support (chat via the app, the only option), sending numerous photos of cards and other things at their request, yet my account remained locked.
Eventually what worked was posting to their Facebook social media, then it was resolved within 20 minutes.
I still use Revolut because it has convenient features, but I won't keep a significant balance in the account any more, in case it is randomly locked again.
Occasionally their marketing suggests I make it my main account and salary destination. Maybe open a business account. Ha!
Is there an X.509-based hierarchical bank registrar system for charge-origination signing certificates, for putting charges onto the card networks? Is there a DNS registry of merchant accounts for pre-checking charges before attempting them? Do banks underwrite other banks into existence by signing their certs?
I'm considering using stripe connect for something very tame (like a gig economy thing) and I've looked into it and I really want to use standard accounts because I don't like how the liability shifts to me for custom and Express accounts.
Sure, the customized user experience for those is quite nice but I don't really care about that I just want to ensure I can have the best possible relationship with a payment processor.
Honestly I love stripe like how they made s** easy for me. I had my first case of fraud the other day and it's just so easy to refund it and all the tools they provide I just feel so safe like they protected me from whatever bad s** could have happened if I hadn't you know handled this potential fraud well.
Personally I found their email support to be really comprehensive and just really top-notch awesome and their chat support to be more responsive and more generalized but still good. So my suggestion is like maybe if you have a serious issue maybe email support is a good way to go I mean just an idea.
The thing about standard accounts for connect is all of that interaction on the client's account gets deactivated or something you're not responsible for trying to pick that up like that's between the customer and Stripe so I mean maybe it's not a great experience for your customers but for the longevity of your business and for the experience of all your customers you can basically say sorry you know you have to take this up with stripe there's nothing we can do. Maybe I don't have the correct info but that's how I understand it.
The way I see these payment processors though is like my connect business will exist at the beneficence and generosity at the grace of the king. I mean I basically have to you keep the kings of the stripe empire happy because you know my upcoming connect business is completely dependent on them. So I think that's going to be in my thinking like rather than just thinking all I have to do everything to satisfy customers my first customer will actually be stripe so I have to do everything to satisfy them and then I have to do everything to satisfy customers. To some people that may not sound ideal but I just see that as the reality.
At the same time in the long term because of how these things can occur like your business got nuked, I've read of other people's businesses getting cancelled... I'm sure there are processes behind it but like I have the feeling of fear like this could just happen to me one day even if I'm trying to do everything right.
Maybe it couldn't but I have that fear and I think I need to take precautions for that so basically I think I have to keep a good relationship with stripe but at the same time I want to develop a way to like have a button that I can switch and, "okay stripe bans me" and I can switch over like technical redundancy to another payment processor.
Even then I don't think is a foolproof strategy because I mean I'm sure all the big payment processes are kind of in league with each other and in communication with each other to some extent so you there may be some you know you'll get sort of banned by a whole clique of them or something but ... like other people have said here it seems there are payment processes who take on business who have been kicked out of stripe.
---
Also no offense but my impression from reading Stripe's docs is like if they're going to you know be banning connect accounts or you know having issues with payments then you'll get some sort of warnings about like early forward warning or you know you'll get requests for information you know for compliance purposes for those connect accounts I don't know my sense is like maybe you just thought those requests or those notifications or just not important you know you got your business to run you don't have time for this you're sure that all your customers are legitimate you know you feel you can vouch for them and so your attitude was it doesn't f*** matter I don't have to do this. I mean maybe so you're saying their support wasn't responsive but maybe my feeling is you probably might not have been responsive in the past.
That's just my sense but you know I might be incorrect about that and I think it just kind of is reassuring for me to think that's the case because then I can think well I can do better you know I can have a more assured relationship with them than what I've read about. Anyway that's my take on it you got to try to be prepared but I certainly offer a lot of good stuff.
https://www.merchantmaverick.com/what-is-a-merchant-services...
Seems what they posted above is accurate.
Payment processing is a possible point of failure. Chances of it failing? I think anyone who's read HN/Reddit/etc would have to evaluate the chances as fairly high. Cost to the business of it failing? Often extremely high.
Having done this analysis, you can look at mitigations: sign up with both PayPal and Stripe, get a merchant account, etc.
Then build the redundancy into your system. Yes, this probably means you cannot use the fancy features because there's no good cross-provider abstraction. That's the cost: you might have to implement recurring transactions yourself.
This happens over and over again. Your individual business is worth basically nothing to your cloud provider, your payments provider, your CDN, your domain registry, etc. They do not care if it breaks.
You have to have redundancy for anything you cannot operate without.
That is indeed the question. There is no way of knowing if the nature of the business is a factor unless you know that nature of the business.
They need to nuke all their "X Verification APIs" and just manually check each and every account. For us, it was an issue with the Address Verification API not finding our address. As if addresses are a fixed thing and not dynamic. I also felt like I was going crazy because they would trigger it every 3 months or so, even after resolving the issue after speaking for weeks with the support team.
This happened to us in both Stripe and Shopify (which I think uses Stripe as its backend).
Sounds like there's an opportunity for a Stripe competitor that businesses can somewhat trust to not pull the rug, though that'd be quite the bootstrapping process.
Wouldn't they then just be another one of the more old school merchant service providers, who still exist for you to use if you're open to paying for being underwritten up front? The point of Stripe et al is to be cheap, quick and easy in comparison (for the happy path, anyway) through more automation, with the drawback of these types of failure modes.
No need to roll back the transactions directly and risk flagging anything.
Plus, it's often useful having a real, live, paid and in good standing account and/or purchase in the system for further testing steps! (More true in the subscription space than the one-time purchase space... but even there... it's probably worth testing your refund flow end to end periodically eventually, once you have a healthy set of traffic under your belt to avoid standing out.)
If you login during a vacation overseas and get your account locked, they keep everything in it. Doesn't matter if you never did any transactions yet and all that money is yours from the bank account you linked. If you get banned, you lose it. Getting your account and/or your money back is about the same level of difficulty as getting unbanned from a google account. It's not impossible, but be prepared to take them to court.
If you only use PayPal to purchase things online, the protection is great, but you don't want to be on the other end of that transaction.
It's incredible to me that despite the sheer size of these companies, and the enormous number of customers from all over the world, that there's a place you can go and get someone who will pay personal attention to your issue.
Kudos Edwin.
After some eye-rolling he agreed to buy a burner phone, add a prepay SIM, and whaddayano the bloody charger did not work. Two months later it works, for most people, who have recent cars that are not Teslas. Sigh. "welcome to our product, you're a beta tester. Maybe an alpha tester. We hope it works!".
The issue most people in this thread are talking about exists in the almost. If it was always guaranteed, then there would not be so much evidence to the contrary.
All authority in decisions. No obligation of support.
Either give me authority in transaction risk management to determine what's fraud or not.
Or answer the phone when I call to get support on what decisions have been made in my account.
They want their cake and eat it too. So I'll get pie somewhere else.
Do you have any examples of this?
They're saying the opposite. Paraphrased, "any rational person could see that Tailwind Jobs is a legit business and that it's wrong for Stripe to shut them down".
"The issue" in the sentence you quoted is referring to Stripe's behavior, not Tailwind Jobs' business model.
So while I agree this is basically an issue of bad customer service, it is at the most egregious level. If your mortgage company started foreclosing on your home incorrectly, or the title company said "new phone who dis?" when you tried to sell your home, it wouldn't just be called "bad customer service". These are life altering issues. And these companies just don't care. A little public shaming of the people walking into work of a company like that could do some good.
Exactly. This is why the whole "their hands are tied" excuse is so frustrating to me.
In short, it's a different category of risk than the category that an individual business or even a business that is acting as a middleman for transactions takes on. And it's a different category precisely because most of the solutions aren't technical; they're legal, social, and financial. If a bank gets screwed it just gets screwed; even if the law intervenes to deal with transgression, money is often just gone as a result of such fraud. So they are comparatively more conservative in their decision-making.
Right, but that's a totally different situation and not one that would involve protest (it'd involve lawyers/lawsuits and court).
The problem with public shaming is the presumption that the people doing the shaming are in the absolute moral/ethical right (which is always subjective) and that anyone affiliated with the decided perpetrator (in this case, Stripe) are at fault. That's the problem with showing up at their office as an angry mob of people. An uninvolved worker could come out of the building and the mob could start shouting and attacking them even though they're a low-level employee who had zero involvement.
Doing it online is hypothetically better, but again, it just introduces a lot of unnecessary negative energy that is very unlikely to remedy the actual problem (and in extreme cases can still spill over into reality).
I agree that threatening someone's livelihood is bad, but in this specific example my immediate question would be "what were you or your customers doing?" If it's even remotely in the grey area of the TOS (however foolish/restrictive that may be), the owner has a responsibility to consider alternatives up front and communicate the potential for those to be necessary to customers.
If you’re using a gateway, there are some that handle tokenization so you never have to touch the PANs and you don’t have to worry about PCI levels and audits. There’s no reason your systems should be touching PANs unless you’re really large and using multiple payment processors for scalability and redundancy like if you need to process a million transactions in a few hours.
Or perhaps I am missing something here?
But yes, please remove overdraft from your accounts. I have no input to offer on paypal at this time.
P.S. Are you in the U.S.? I am just really surprised the bank deemed overdraft as a necessary feature in your case. I am personally interested in this case.
I am disappointed the American people are simply putting up with this healthcare situation. I don't think it matters if your doctor's welcome room is fancy. Or they have 10 administrators replying to you within minutes. In the end you want to be treated fast and efficiently, and it fails. But I digress.
I can see why paypal does this and I am glad we are planning on avoiding them in our back end.
1) It doesn't seem to learn.
2) I think it was better a couple years ago.
3) The transcription seems very slow. But I remember a couple years ago it was lightning fast.
Any settings or premium version that can be signed up for?
Not sure how long it will take to understand that good support is not the one that tells how you are "important" to them when you call, but the one that actually mediates the problem before it becomes so.
I am very much in favor of making the laws simple for payment providers as it is the best way for everyone to grow and succeed. That being said the laws for financial institutions need to require someone to talk to, a time limit on response time and an escalation process to resolve issues. We shoot ourselves in the foot here by not mandating clear, clean procedures for dealing with issues.
If anything, I would bet that regulators would be concerned about the fact that companies such as Stripe have triggered a race to the bottom whereby underwriting has become an after-the-fact exercise that can severely damage and/or kill a high-growth SME. The old way, where you filled out a ton of paperwork, provided every bit of information possible about you and your business, and then went back and forth with a human to get approval, was a much more stable way to do business. But alas, when you've got former bank governors on your payroll and political mega-PAC donors on your cap table, people don't scrutinize very much.
If I were you, I'd do two drastic things: one, switch to another payment solution, and two, sue Stripe.
The guy can't keep his story straight for 3 lines on HackerNews, he is obviously doing stuff that he shouldn't and using his PayPal in a sketchy manner.
You can not just store the credit card of your user (or have to go through a heavy compliance), and using services like Killbill.io or GetLago.com is just moving the single point of failure to another place.
How would you ensure that you are not 100% relying on a specific payment provider, without keeping all the credit card information of your users?
This would be the same as saying: I want zero car accidents on the road, so I'll scale the police headcount linearly with the number of reckless drivers.
Granted, horror stories just like OP's are not great, for Stripe and for those who use Stripe, but we tend to keep in mind the bad press more than the good.
With Stripe growing and having more and more business, it's just basic math that the number of bad press will grow along. OP doesn't mention (maybe intentionally) what business he offers so maybe the team has a good reason to put 35% of their users on hold (granted, the communication around it isn't great).
That being said, to your point, this still requires either a vendor neutral vault for the cards or to tokenize them in all of the vendors. Possible, but still hard to do in practice.
Why didn't your team respond to him earlier?
I wonder what new payment system that's "not a bank" this story will be about in a decade from now.
https://news.ycombinator.com/item?id=21306225 https://news.ycombinator.com/item?id=26320429
In both cases https://news.ycombinator.com/user?id=edwinwee Edwinwee is a huge help and I highly recommend reaching out to him.
Without Edwinwee my SaaS might never see life.
This isn't recommended. Also, presumably by end-to-end you meant post auth business flow too. Such as reconciliation, settlement, generating tax receipts, invoices etc.,
In general, all the data in production should be real, as much as possible.
If the amount is big (e.g., say jewellery store) then figure out a way to recoup/refund the money out of band in a way that leaves no trace in production system. E.g., reimburse it, put it under QA budget or some such.
Trying to get money from a real bank account (Lloyds in England) after moving out of the country was much harder though. It involved writing several letters and getting a policeman to stamp something, as well as multiple phone calls, including to several staff who gave me wrong advice. But still, they returned my money eventually.
And I'm not even talking about 3D Secure!
As mentioned in the comments, a solution would be to migrate from Stripe to a merchant account with a bank where your service is vetted upfront.
If this company sells T-shirts or something, then Stripe may have acted improperly. If they sell cannabis, then Stripe would have acted as the law requires, as everyone in that industry knows perfectly well. So it's pretty relevant information, and HN readers deserve to have the information they need to make informed decisions. There are plenty of other places online for uninformed outrage bait.
The thing with SARs is that they tend to be cascading as OP described. So if I (innocently and totally coincidentally) do a transaction with someone who has been flagged for suspicious activity my account might now be flagged as “higher risk” for suspicious activity and will be monitored more closely.
And, if they decide they’ve found suspicious activity in my account then everyone who does business with me is at risk of having their accounts flagged as “higher risk” for closer monitoring and so on.
And the bank isn’t allowed to tip anyone off because if any of those accounts are actually laundering money they might suddenly withdraw it and then the “lead” from the SAR is moot. It’s actually a crime to notify someone about the suspicious transaction(s). Which is why you get stonewalled.
To be honest this seems more like a hotel problem than a porn problem. E.g., I viewed it by mistake, I didn't understand the pricing, etc. I would expect that there is a similar amount of complaints about the hotel room's minibar and snacks that are lying there but charged an incredible rate afterwards if touched.
I'm sorry you felt insulted by my assumptions about you. I honestly assumed that a sober recitation of the obvious flaws in your framing would be enough to deflect what was a small amount of candid anger that you decided to parlay into self-aggrandizing "advice". Instead, I can see that I touched a nerve and only invoked more hatred from you. For that, I am truly sorry! I hope you get less hateful in the future as I will try to be more cautious of similar types of lashing out.
Honest question: what would be an example where I, as a business owner, would have some 3rd party billing my customers?
A link to an HN thread is opaque, uninteresting, and context-less.
No, that's wrong. Firstly, as others have pointed out, society long predates any such notions.
Secondly, determining what is illegal activity, and putting a stop to it, is ostensibly the job of law enforcement and the courts, not the bank.
This is not really true. The BSA says banks have to maintain an "adequate AML program" and policies to "reasonably know your customers identities" or whatever. These policies are deliberately vague. Then based on these deliberately vague rules, banks have to make a compliance program that usually goes above and beyond the minimum that is required (in order to avoid being fined). These compliance programs that specify what kinds of behavior and transactions to consider risky are never made public.
What always confuses me about this is that it seems like many owners trust their vendors over their own employees and I don't even know where to start unpacking that sentence.
For anyone following along, text at https://www.fincen.gov/resources/statutes-and-regulations/ba... > https://www.govinfo.gov/content/pkg/USCODE-2020-title31/pdf/....
This is for SARs (Suspicious Activity Reports). (At least, that's the one I've encountered before, there may be other forms too).
There aren't though. People come to HN to complain about getting fucked over by YC companies because it's basically the only place people will get a response. I'm not saying all, or even most, complaints are valid. But your immediately siding with the YC company just shows your bias, which is expected since you're literally invested in the company.
Regardless of whether or not Stripe is legally in the right, their customer support is absolutely abysmal. And the problem is that this is clearly a trend with YC companies and the fact that people have to vent about it on HN so frequently, and with such fanfare, says a lot.
https://www.kff.org/health-reform/issue-brief/pre-existing-c...
"Before private insurance market rules in the Affordable Care Act (ACA) took effect in 2014, health insurance sold in the individual market in most states was medically underwritten. That means insurers evaluated the health status, health history, and other risk factors of applicants to determine whether and under what terms to issue coverage."
"Prior to the ACA’s coverage expansions, we estimated that 18% of individual market applications were denied. This is an underestimate of the impact of medical underwriting because many people with health conditions did not apply because they knew or were informed by an agent that they would not be accepted. Denial rates ranged from 0% in a handful of states with guaranteed issue to 33% in Kentucky, North Carolina, and Ohio. According to 2008 data from America’s Health Insurance Plans, denial rates ranged from about 5% for children to 29% for adults age 60-64 (again, not accounting for those who did not apply)."
But I seriously ask anyone, how important is processing payments to you? What do you suspect the chances are? Would you prefer to go through a bit more hoops upfront with a non-Stripe alternative, or roll a 1/100 or even 1/10000 dice that one day you're just gonna be royally screwed over?
I have seen it happen very close, so I know my choice. It always "only" happens to other people... until it happens to you. It's easy to say "yeah.. they were doing shady things, I don't", but when the algorithmic gods determine you to be shady, no mere mortal, except perhaps a couple of very influential people lurking HN (cough edwin cough) will do anything. Will you catch his eye? Is it worth the risk?
ANYTHING you depend on, spend serious serious time doing vetting, making sure it's proper, and I would say, for the love of god, make it someone you could go visit physically.
There's "testing"
* manual during development
* automated testing
And there's "testing"
* smoke checking processes in production
In most cases, the "test in production" is more of a "validation" that end to end experience works. And there probably shouldn't really be much of a way to distinguish between a "test" in production and a "validation" of the purchase process.
Also, what's your evidence that some payment processors don't handle porn because of government pressure, rather than just natural market forces? I had a friend who did tech for a porn company, and from what he says, even a well-run porn company has much higher rates of chargebacks (e.g., next-day regrets and "no honey I don't know what that charge is") and fraud (stolen cards, fraudulent affiliate program participants).
My recommendation is to look into your local providers and see if any can integrate with payment APIs like Authorize.net. These providers really want your business and care enough to at least not let you go bankrupt. The bar is low!
1. Overdrafting. My bank would not allow me to turn off overdrafting on my checking account; any money in my savings account would be used to cover an underfunded purchase from my debit card, causing a $25 fee and there was nothing I could do about this, short of closing my savings account or reducing the amount of money in it. Since free checking was dependent on a linked savings account with $500 minimum balance, this wasn't an option. The overdraft/fee could cause the savings account balance to go below the minimum, and if I didn't notice I'd get a $25 fee for my savings account as well.
2. The school would constantly charge my debit card as a credit card, and the transaction wouldn't appear for up to two days. Doesn't really help me keep track of my balance when transactions don't show up. Cashiers at the student store could usually process the card properly, but every time I bought something to eat at the cafeteria it would process as credit, regardless of what I told them.
Today, I think bank policies have changed (though I switched banks before this) and I believe you can disable overdrafting on most large banks (WF and BofA, anyways)
Worst part is not that the account was closed. Worst part is that Stripe is not asking or giving any proofs/comments/data. They are simply sending templated replies. It's like talking to a robot while someone's livelihood may be connected to this being resolved.
Also overall our dispute ratio is almost zero. People visiting gardens don't dispute their visits. So frustrating.