Stripe has implemented a new fraud detection system that is clearly flawed here. These customers are small gyms in local areas with accounts active for the last 11 months without any issues whatsoever, now all of a sudden they were both suspended (and payout blocked) due to suspicious activity. The suspicious activity is disputed payments, which for SEPA DD (the main payment method used) can simply be that the customer has no money in the bank account.
The Stripe response so far has been vague, to say the least. Has this happened to you?
I believe Stripe is a very good product and we have had no issue with them until now, but this situation is deteriorating trust very fast. Do they literally have the power of taking your funds hostage over a "suspicious" fraudulent activity that is clearly due to a bug in their automatic detection system?
Please let me know if you know someone that can help us here
I love credit cards because I can dispute transactions.
The power balance simply isn't always "seller who is selling a large quantity of easily-replaceable items that might be a dud can easily amortize the cost of fraud across all of their payments by high margins"... sometimes it really is "seller who is selling a small quantity of expensive or precious items tends to get scammed by anonymous buyers who abuse chargebacks".
This. He's right you know.
The chargeback system is rife with extreme abuse, and the banks will always give in to friendly fraud without checking the contents of the dispute. Both the customer and the merchant lose to chargebacks and friendly fraud.
If users really wanted credit card functionality at the expense of its costs, you could build that as a layer on top, without forcing everybody in the system to use it.
And consider, most disputes are not just about the quality of a product. That is handled with regular refunds. Credit card disputes are a lot of times because of fraud or card skimming, which is very often because the system is not very secure to begin with. Secure cryptography can remove a lot of this type of fraud.
About the OP’s thread: centralized services like PayPal, Venmo and Stripe can close your account. Nobody can close your private key, even if you are on a L2 for fast payments you can use the escape hatch to withdraw without possibility of censorship.
To the OP: sorry to hear what you are going through.
[1] See https://vitalik.ca/general/2021/01/05/rollup.html and https://vitalik.ca/general/2022/11/19/proof_of_solvency.html
In India, most purchases go through UPI already which is p2p without a middleman.
It's a tough time to be in payments and will only get worse as many custom integrations with lending companies break down due to huge losses.
No payment gateway in India charges for UPI transactions too. So if a similar payment system is incorporated in the US, I won't expect Stripe to be able to charge for it.
The only major functionality these payment gateways provide is checking if the transaction went through.
They are wrappers on top of bank APIs such as federal bank.
Anyone can generate a QR code for their payment ID and request payment without needing a gateway but it's manual. Most street vendors confirm payments manually since it happens in person.
Additionally, we have other standardized frameworks for requesting account information from banks such as the RBI account aggregator framework. So you don't need something like Plaid to fetch bank statements from all your bank accounts.
Recurring payments are also set up on the bank end as a mandate.
Yes, you will end up using an off the shelf solution but you are not at the mercy of them if you accept UPI only.
Stripe customer support is beyond useless, so I totally get your frustration, but I would encourage you to get to the bottom of this and verify that your "insufficient funds" theory is correct by calling the customers with the failed payments.
It seems like their own mistake has caused their automatic fraud detection algorithm to incorrectly flag this account. This is speculation obviously, but with this timing...
This is exactly my thinking process tho. The other account blocked was just starting, had like 8 payments and one dispute and got blocked.
I'm really afraid for our other accounts now, seems like it is just a matter of time until they get blocked.
Thank you.
[1] https://news.ycombinator.com/item?id=28085706
[2] https://news.ycombinator.com/item?id=33299222
1. Why is Stripe a seemingly preferred payment processor for HN crowd? 2. Is there no ( edit: real ) competition or is the competition similarly bad ( or somehow worse )?
edit: Instead of replying individually, I decided to edit this section. Thank you everyone for the background(s). It does answer a lot of the questions I had. I perused their site and I can absolutely see the 'dev first' principle in play.
As an early adopter and someone that was once very fond of this company and its approach to things, I'm disappointed to see the direction it has gone.
* Newcomer trying to gain traction. They'll do just about anything to make and keep customers in the name of top-line growth. This includes expensive labor and human costs.
* Grow into a successful business. Start feeling the pains of "infinite growth".
* Realizing revenue can't grow indefinitely, they start cutting costs and see how long they can ride the coat-tails of success.
* The small/cheap accounts start gaining wind that customer support sucks, so they start looking for something else. The big accounts are likely still happy since they're large enough to justify a handler who will make them happy.
* A new startup lurks in the background, likely to follow the same process.
It really just comes down to whether or not the incumbent realizes it's only a matter of time before the major accounts start leaving too.
From what I can tell, Stripe's documentation is generally regarded as nice, just have a look at some of the examples: https://stripe.com/docs
That said, PayPal also seems to be okay, for the most part: https://developer.paypal.com/home
Edit: is it just me, or does PayPal's UI kind of break, when you choose the "horizontal" layout in their integration builder? Example: https://imgur.com/a/IvBdYeI
Both of them seem to have some scary stories around them, in regards to frozen funds or closed accounts, but what are you going to do about that? For many, there aren't many options, since any of the other platforms out there are likely to have similar power over your finances if you go with them.
It does have its quirks, like searching for a stripe customer id won't give you what you're looking for but searching for the amount will.
Mollie on the other hand has like 2 pages where you can see your transactions.
Stripe isn't perfect but they're absolutely the best.
And they do have customer support if you really need it.
Stripe account suffered a card test - https://news.ycombinator.com/item?id=33688298 - Nov 2022 (33 comments)
Ask HN: Stripe holding funds for 120 days for no reason - https://news.ycombinator.com/item?id=33299222 - Oct 2022 (114 comments)
Don’t use Stripe. I am trying to save you from my mistake - https://news.ycombinator.com/item?id=33254485 - Oct 2022 (21 comments)
Ask HN: Why do people come to HN for Stripe resolutions? - https://news.ycombinator.com/item?id=33140798 - Oct 2022 (108 comments)
Ask HN: Have you noticed an increase in the number of Stripe Disputes lately? - https://news.ycombinator.com/item?id=33123756 - Oct 2022 (16 comments)
Ask HN: Can I avoid being nuked by Stripe? - https://news.ycombinator.com/item?id=32856237 - Sept 2022 (31 comments)
Stripe has decided to nuke my entire business - https://news.ycombinator.com/item?id=32854528 - Sept 2022 (679 comments)
---
I think we have to start treating this as a MOT (major ongoing topic) and do something about all these follow-ups [1]. I've delayed making this call because of the core principle that we moderate HN less when YC or a YC startup is part of a story [2]. But less does not mean not at all. At some point we have to remember the other core principles of HN moderation too, such as that repetition is bad for curiosity [3].
I don't mean that these incidents aren't real—and obviously they are super important to the users who are personally affected. But from an HN point of view, the question is "is this story new/different enough to support a substantially different discussion", and here the answer is clearly no.
When it comes to Stripe, what choice do small businesses have? Tokenized Payment details are not portable, I can't take a saved debit or credit card in Stripe and slide it over to a First Data or Tsys account at whim.
I'm fine with integrating another API (hell, InvoiceNinja already supports most payment gateways), but changing processors when you rely on stored payment details is extremely risky business.
Stripe charges a premium transaction fee for being a no barrier to entry processor, but when they decide to underwrite your account and fail to do so, you end up SOL with a locked account.
- Paddle
- Mollie
- Paypal
Many upstart small businesses will face false fraud inquiries, but you have to roll with the punches and move to a new processor if Stripe is not responsive.
We are attempting to support Mollie also to enter the Dutch market but we are only 2 people writing the code here. :(
1) Multi-cloud
and…
2) Multi-payment processor
These stories are horrifying. These cloud and payment processors simply do not care. They print money and provide no human support. Any venture that I make in the future will be cloud-agnostic containers on several cloud providers with at least two payment processors handling an even share of the load. Double work be damned. Stripe and GCP simply do not care.
Gumroad has their own failures, but if ANY issue with payment processing is intolerable, don’t bother running a business.
With backups - onsite, offsite, security, code reviews, pen testing, separate environments for testing, etc... all things that take time and aren't "light lifts".
If you skip and don't cover your bases? You're going to fall and you'll deserve the broken leg - or worse - when it happens.
In the real world, many businesses aren't created in the Silicon Valley by established founders and friends with VC funds, who can afford the time and cost to have all this.
Edit: To clarify, I am not saying that the things suggested are unimportant or not vital to an established business. But that the bottom line for a brand new business with very few people involved is to survive and be stable enough to have the chance to introduce backing on/off site, disaster recovery plans, paying for pen testing, security consultants, dedicated QA, etc.
I didn't say "they deserve to fail"... I said karma will happen. Deserve or not? If you don't have "insurance" then you'll pay eventually.
If you don't have backups? Good luck when the Crypto Locker hits. If you don't have redundant hard drives? Good luck when the click of doom hits you.
If you only have one payment processor who is known to randomly lock accounts without recourse? Then it's a matter of time until it happens to you.
I do get that shortcuts have to be made when starting... but those shortcuts don't sidestep reality.
EDIT: Did I just leak a b dollar idea? Have fun :)
I can't imagine that existing on the payment front though. Even as a separate startup, a payment processing multiplexer just seems precarious, like “OK my business is now less dependent on Stripe but it's entirely dependent on the availability of this tiny company.”
In the late 90s we wrote code to distribute and aggregate fraud checking, card payment processing, settlement accounting, receipt reporting, and refunds across multiple gateways so we could handle mega live event signups. That needs to be an OSS product.
Due diligence, lol. In fact, the world is just a huge mess, and you have to have backup plans for all the important things in your business, or not care for downtime.
My previous company had a business contract with GCP and so wouldn't be cut off for, for example, a dodgy employee account tied to the business in some way.
It's amazing how many people put their email and credit card in a form, pay sticker price for a service, and have their entire business depend on it. The terms of those contracts necessarily have to protect the service from all sorts of malicious users who just click sign-up. Talk to a person, get a contract, and the whole conversation changes (and yes GCP has account managers for this).
Do kids these days not realize you can negotiate anything and everything with your vendors/suppliers/partners?
Yes, most SaaS companies LOVE it when you sign up for one of their standard plans, using THEIR standard T&C's, and standard payments.
But, DID YOU KNOW, if something is critical to your business, you can negotiate directly with pretty much every business on the face of the planet, and if your spend is large enough, or you're willing to pay, you can negotiate anything????
It's nuts, I know :)))))
Negotiating significant discounts needs a bit more work, commitment, or growth story. Discounts tend to scale with spend.
(Disclaimer, I now happen to work at Google, unrelated to cloud, but this was my experience at my previous employer)
Not sure if this has changed recently, but this was in about 2018/2019.
By all means use another payment provider as leverage to negotiate better contracts and rates, but I think it's unnecessary from a business reliability standpoint until you're very big and Stripe's downtime level (very small) is a material business risk. Spoiler: almost no one is this big.
If you’re on the .NET stack, our abstraction [0] is over PayPal, PayPal credit card, Stripe, ChargeBee, CoinBase, Amazon Payments, and other providers that have since been replaced with no-op exceptions because the payment processors have gone under.
I think abstracting over payment APIs has gotten so much more difficult this side of 2014 or so. They’re doing all they can to achieve consumer lock-in and trying mighty hard to each offer their own custom services that they try really hard to convince you need and can’t live without, and invariably there might be something in there you want to support in your abstraction, sometimes necessitating cascading architectural changes. This is probably the third “major overhaul” of the abstractions we’ve written as a result.
I work for a company that does exactly this [0]
It’s amazing to see companies who not only optimize their business logic, but also their payments and how that generates direct revenue. Being able to switch payment providers at the push of a button has really opened up opportunities for growth and derisked a critical part of their business.
[0]: https://primer.io
You'll typically lose ~half the users each time you do that...
Unless uptime or payment processing are core to your business (newsflash, they're not for most startups), this would be a waste of time and a velocity drag on _everything_ we do in the future.
Way, way more important to get traction than worry about theoretical risks.
In particular payments are a nightmare to generalize. Either they assume directly interacting with the user (do you have your customer enter their data twice?) or you have to collect the info and ensure you capture the superset of fields required (particularly onerous for international) and then have a process for handling KYC/fraud cases on each. Payment routing becomes more complex, each rail has its own timing you need to learn, exception cases, support protocols, and so on.
For cloud infra if you pick your APIs carefully you can make it fairly easy to lift-n-shift (eg using k8s and running your own Kafka) but it’s not going to be trivial if you use hosted services such as RDS, SQS, etc.
IMO you are WAY more likely to die from running out of runway than because of problems with your payment rail. These are bad when they come up, but remember you are seeing the worst cases highlighted here, and not the 99.9(…)% of customers that don’t have business-impacting issues. TANSTAAFL etc.
Aggregate engineering and customer experience are cost centers.
Our management culture is irreparably broken. Somehow the Linux kernel runs the world without them. Very few CRUD apps out there need a literal people pipeline to copy-paste React deps into git.
We’re missionaries for nation state currency, sharing the wealth we create with our neighbors through make-work tasks. We’re not engineers engaged in craft.
Even Democratic “rule of law” places like Canada can seize your funds for engaging in “politically incorrect” behavior.
Are you running any businesses this way now? What were the challenges?
Sudden changes of circumstances like trading for 11 months and then seeing multiple declined payments from multiple parties does sound quite suspicious to be fair. I imagine Stripe have extensive amounts of data about that sort of thing. That's not to say Stripe are in the right here, but I can see why they wouldn't just assume their threat model is wrong based on your word that the payments are valid.
Hello,
We’re reaching out to notify you that some SEPA Direct Debit payments created between September 26th to October 4th incorrectly show as disputed when they actually failed. We have confirmed this issue is resolved, and SEPA Direct Debits created after October 4th 04:00 UTC will not incorrectly show as disputed. Please note that as SEPA Direct Debit is an asynchronous payment method, you still may see new disputes on payments created before October 4th.
We have compiled a list of all currently-known payments impacted by this issue, which you can download by clicking this link:
We will be refunding any charges for the affected payments and disputes.
We are very sorry for any inconvenience this may have caused. If you have any further questions please let us know.
—The Stripe team
We don’t typically comment in detail on individual cases, but we do think it’s important for onlookers to know that we take every single case like this seriously. It looks like what happened here was an edge case involving SEPA payments that resulted in a dispute rate that’s far in excess of what’s generally permitted by financial partners. When we do this, our interventions are partly to protect financial partners/Stripe, partly to protect end customers, and in part to protect the businesses themselves. (For example, Visa will fine businesses that maintain high dispute rates.) This case is actually a bit more complicated still, since you said that you’re using Connect. In these cases, we also take seriously the importance of defending the platform (i.e. you) against users who are trying to defraud you.
More broadly, we work hard to balance the rules of the financial ecosystem, ease of use, protection against fraudulent businesses, consumer protection, and continuity for businesses. We support millions of businesses across dozens of countries and payment methods, and we discover new scenarios every day. We plan to blog about our work here in more detail before too long (including some of our key metrics). If any HNers have suggestions as to what we should include, feel free to reply here. We’ll try to share anything helpful that’s not too sensitive.
BOA implements First Data gateway by default these days, so most likely your previous processor is utilizing the same solution as well, so less work to switch.
Maybe the issue is a fraud system designed for cards that's not well thought out for other forms of payments.
This can also happen due to insufficient funds, or as it happens if the mandate you (Stripe) send them is wrong. We previously had an issue with this exact same account where the reason for the disputes was an incorrect mandate and we were refunded for those.
This is all fine when your clients have 1 million sales per month. But in this case they have umm... "To put this into context, we are talking about a small local gym, with 33 active memberships."
You need a better metric than 0.1% or 1% or just turn down small clients? They're just disproportionate support costs anyway so they shouldn't be allowed to run a business online :)
Yes, several. They're nowhere near any kind of monopoly.
Hope this advice helps someone going forward.
We recently had one customer forget to cancel their subscription, and then without contacting us first they filed a dispute for 6 months of charges. That's 6 individual disputes, each with a $15 ($90) dispute fee. We got in touch and mentioned we'd have investigated, found the license unused, and refunded for those months. They contacted their bank to withdraw, but the bank and Stripe are just pushing ahead.
Then our real nightmare happened. We are subject to potential dispute fee running more than $50-80k. We wanted to avoid disputes and so we requested Stripe to help us immediately refund all the money. They again did not respond. So, we painstakingly manually returned every payment one payment at a time. Finally they agreed to cover the dispute fee (which would have sunk our company). With the promise that they won't cover next time. uff, how do we even control that.
And then, they briefly suspended our account. And then revoked after some days saying it was a mistake. And then activated security radar, which basically is blocking all genuine payments now. But, we don't know what the alternative is. Is there an alternative?
We are constantly working on the nightmare that any
Then our real nightmare happened. We are subject to potential dispute fee running to several tens of thousands of dollars. We wanted to avoid disputes and so we requested Stripe to help us immediately refund all the money so we can avoid disputes. They again did not respond to solve. So, we painstakingly manually returned every payment, one payment at a time. Finally they agreed to cover the dispute fee (which would have sunk our company) of whatever was disputed (thanks to them). But they warned us they won't cover next time. uff, how do we even control that.
And then, they briefly suspended our account. And then revoked after some days saying it was a mistake. And then we activated security radar, which basically is blocking most genuine payments now. But, we don't know what the alternative is. Is there an alternative?
I thought, well this is Stripe, they’re awesome. I’ll email them. They’ll help.
Well, big surprise. Customer support was just bots and boilerplate answers, after weeks of waiting.
Mentioned my issue in passing on a thread here (I resent having to make a fuss on social media just to get some special attention). I was told to contact one of their people directly. I did that a few months ago. And he actually did email me back. But then he first forgot about my case for another two weeks. And then he said he would look into it immediately, but all I got is a bunch of automated emails asking me to validate my email address and things like that. I did all of that, but it changed nothing. And my account is still suspended.
I will continue to use Stripe for MVPs and such. But I now consider it a toy solution that can’t be trusted for running a business.
Stripe cut off my revenue and deactivated customer facing payment pages. They did so without giving me prior notice, and I haven’t found a single person to talk to who would know what is going on in almost half a year now.
They’re putting their customers in serious risk of financial losses and potential insolvency. And they do not care, do not help and do not even explain.
That is the inverse of customer obsession. I wonder if the Collison brothers have lost interest in running their business like Bezos did with Amazon a few years ago.
Can I ask why? Wouldn't inertia see to it that it stays in place in some circumstances? I'd be moving to something else at every stage if it were me
But you’re right about inertia. There’s a real danger I’d end up sticking with them and hoping for the best, and then being in the same situation again.
Thing is, after having such problems with Stripe, in whom I had a lot of trust, I am very much interested in cutting out the middleman as much as possible.
See, a physical bank would never be allowed to simply turn off my ability to receive money without prior notice. And if they did, I could sue the hell out of them. But with all of these Internet companies, I don’t feel I have that security.
I have heard that the European Union plans to offer their own payment system. So perhaps the government sector will catch up. The idea that one should depend on private sector companies in order to participate in commerce seems quite odd.
Otherwise, these issues have made me a lot more willing to go old school and just send out invoices. That sounds like the 1990s, and surely has its own problems. But at least I am in control.
I am definitely open for suggestions though! Interested in hearing what you would suggest.
They have an incredible number of customers just going about their business and not experiencing issues like what’s in this thread.