52 comments

[ 0.30 ms ] story [ 97.3 ms ] thread
[flagged]
The last 10 comments were all boilerplate promotion of getopenpay

"Please don't use HN primarily for promotion. It's ok to post your own stuff part of the time, but the primary use of the site should be for curiosity." https://news.ycombinator.com/newsguidelines.html

Ah sorry! Thanks for flagging
You’ve been doing it for months - so long in fact that I’ve added your company to a list of companies that I won’t go near. I’m not even that devoted to this site but recognize both your name and the repetitive ways you promote your project.

Remember that when you try to craft a marketing message, you have to make sure that you’re not doing damage to your brand. You have done a significant amount of damage to your brand because you don’t care about this community.

Sorry- I just noticed this post and thought I'd comment. The HN community helped me when I got kicked off of Stripe that I thought it would be a way to give back
Come on bud, I just went through your account and you have only made one comment that didn’t link to your brand. I’m sure you have other things to contribute as I’m sure you have other interests beyond your brand. Just balance it out a little bit and it wouldn’t be so grating.

Advertising your own brand doesn’t give anything back. It will damage your company though.

> This is fairly common.

It'd be nice of you to back up this statement with facts beyond having a "horrible experience with Stripe" and using it to pitch your own project.

unfortunately feels like Stripe being Stripe. we learned that the hard way too
Uh Oh, you hit the front page.

Let's count to 5 until we get:

"Hi, this is xxx (CEO/CTO of Stripe), this should not have happened. Drop me a mail at xxxx@xxx.xxx and I will have a look at this. (-: "

Can we get a CEO in here? A CTO at least? Come on Stripers, I know you are reading this.

I'll bite. I _worked_ at Stripe. Stripe has no authority in decision making here, the issuing bank decides (eg the customers bank) who wins and losses chargebacks. Stripe is a conduit of information, not a party to the decision.
They're "disrupting" payment processing.
Invalidate the tickets without notifying the customer. That way they travel and everything only to be turned away at the venue.
Yeah, it feels like value wasn't actually lost here unless the ticketing system can't cancel tickets for the event after the fact, or the customer invalidated the charge after the event. If you can invalidate the tickets, then it's effectively as if they didn't purchase them, right?
It could be that the tickets were sold as -- or reached a state where -- they were non-refundable. This workflow becomes a hack for refunding things that are non-refundable.
There is a chargeback fee. Google suggests that it is $15 at Stripe.
Reading between the lines, sounds like the seller is reselling the tickets, so it's more of a graymarket transaction, practically, legally and morally.
They filed the dispute after the show and after showing their ID at the door which matched then name on the tickets. I can't submit that proof to Stripe as the show is in a different country would literally involve me asking for security cam footage, which is beyond a small business's bandwidth.
Someone capable and willing to buy name checked tickets with stolen credit information is probably capable of getting a sufficiently passable fake id for the rushed ticket counter staffer at the concert, and that assumes they even matched the names. I just attended a concert with supposedly name attached tickets that were just scanned at the door with no check against the names/id.
This is between the bank and the merchant, Stripe doesn't get to make the decision they are the intermediary. Blog title should have been: I Lost $210 in a Bank of America Dispute Despite Proof.

They should sue the customer in small claims if it is fraudulent dispute.

I agree, BoA seems like the people they should be reaching out to to discuss what they need to be collecting to prevent this in the future, and also to answer what IP addresses they compared if it wasn’t sent in the proof. Maybe they already did but as presented this sounds like a dispute with BoA
Small claims lawsuit is the right response instead of just being upset over BOA/Stripe.

That person defrauded you, sue them.

If you evidence is what you say it is, you will most likely win. End of story.

So, the customer did a chargeback with their bank, won, and you want Stripe to eat the loss?

If I pay for something with a credit card and win a dispute with my bank, should Visa do its own investigation? And if Visa's investigation is different than my bank, do they comp the merchant?

Banks already do dispute resolution. It's maybe not the most objective system since the bank is getting paid by the customer, but it's the system we have. I'm not sure why Stripe should have this responsibility as well and I don't see how switching to a payment method other than cash or crypto would've prevented the customer from winning.

There was a time when Stripe was an actually nice company to use as a merchant. But it’s just grown into Authorize.net…
This evidence seems unconvincing. Why should I believe that it wasn't fraudulent? It's interesting that the bank sent a form letter, but why didn't you include the IP address? Who owns the IP? Is it a residential IP in the geographic area of the venue, or maybe the card holder? Or some cloud provider?
(comment deleted)
> they resorted to finger-pointing

Ahhhh! Stripe is a payment gateway. They’re an intermediary / frontend that simplifies away the complexity of negotiating with each bank and getting your own contract with each bank and integrating with each one separately.

I’m sorry to say this, but chargeback fraud is fraud, and you as a business have to deal with that. This customer might have millions in debt with BoA that they’re dutifully servicing. But someone has to eat the cost, and the reality is that this time, it’s you.

Either you can take the customer to court or you can ban them from future payments. Alternatively, you can try a payment method that isn’t as easy to dispute, but you’re still exposed to fraud at some level.

> they resorted to finger-pointing.

This is not finger-pointing. This is literally how disputes work. Stripe has no role to play in this and they have clarified this in their docs:

> Throughout this process, Stripe facilitates your case, but doesn’t have influence over the outcome, which is at the sole discretion of the account owner’s bank.

-----

> This is a lie because I never even sent them the IP address since that isn't shown in the evidence I submitted.

What if they already have a record of IP address of who did the transaction and they are saying that it doesn't match the geolocation of the customer?

Indeed, OP hasn't actually stopped to consider, what if BoA is right?

What if it really was a fraudulent transaction as claimed?

The merchant should consider what they can do to protect themselves in such cases, if they are not protected, such as being able to cancel the tickets.

The guy showed up at the door and watched the show, and only after filed the claim. His name matched the ID at the door. Unfortunately, I don't have access to a video of him showing ID at the door as it's in a different city.
> The decision on who wins a dispute comes down to a judgment call by the bank in which Stripe unfortunately has no role or way of influencing. We are aware of how this resolution can impact you and your business, but as much as we wish we could do more in this scenario, this is the final outcome.

What about this could Stripe have done better? Eat the cost of any disputes or fraudulent charges that the bank judges not to be fraud?

I routinely use different per-company email addresses with most companies I deal with, mainly so that my email is automatically sorted and so that I can deal more effectively with cases where a spammer gets my email address from a company or an marketing unsubscribe request is ignored.

The mere fact that my bank and the merchant have different email addresses for me should not give me an unfair advantage in disputes with a merchant. The main protection the merchant has from me is the fact that I'm too honest to fraudulently start this kind of dispute, which is not something a merchant should rely on for their customer base at large.

Bank of America's policy is inappropriately merchant-hostile here, and so is Stripe's policy of so blindly deferring to the bank.

That said, I'm not truly sure what the right fix is. Names are not globally unique or authenticated, and a fraudster with the necessary credit card information could easily have gone to the website and made the ticket purchase just as easily as the genuine client, even in the example of the linked article. And the last time I used my credit card (legitimately) to buy flight tickets for relatives to visit my wife and me, the only email address I specified belonged to one of my visiting relatives, not to my wife or me.

It's a hard problem to fairly solve.

Is it?

- 3d secure would have made it hard to claim "wasn't me"

- banks here cancel cards involved in fraud, and request a police report (not really a very strong deterrent, but at least makes it risky/harder to repeatedly claim fraud, when it isn't)

You must not be in the US.

Many US-issued cards don't have any meaningful form of 3-D Secure, and many of those that do just have an automated set of risk checks, but not the newest versions common in Europe with live customer authentication through app or one-time passcode. I've actually never seen that level of security on any card from the US or Canada, though I won't guarantee that there isn't some card there which offers it.

Similarly, in the US and I suspect also in Canada, a police report is not a routine part of how credit card issuers handle fraud. Not even when the customer is the one to report the fraud to the bank, instead of the bank automatically detecting it.

Indeed, I'm not in US - I was just pointing out that it's not __that__ hard to fairly solve, in fact it has been solved decently well in other places.
Solutions are path-dependent. Credit card adoption has followed a very different trajectory in the US vs Europe, and on a very different timeline too.

Aligning the incentives and the funding to get the US from where it is now to a place that would solve the problems we’re discussing is indeed quite hard - but not technically, as you quite rightly point out, at least when there is adequate time + resources + will available to implement and require the existing technical solutions.

Rather it’s hard financially, politically, legally, culturally, and logistically to achieve those circumstances where adopting the existing technical solutions goes from theoretically possible to done.

In particular, these problems are hard for Stripe to solve unilaterally from its particular position in the payments ecosystem, and/or for a single major US bank to solve without competitive disadvantage when its peers don’t also make the same changes.

The comment originally was in the context of "I'm not truly sure what the right fix is." ; technically, a pretty decent fix is implemented elsewhere so it's not that hard to find. 3DSecure is implemented widely in Europe due to PSD2 regulation, you just need one like that in US, doesn't even need to be very original, they can copy most of it from EU. I'm not saying there aren't social/political challenges, just that there needs to be a will - because there already is a way.

> So for merchants in any country worldwide, this problem has only been solved decently well if they want to region-restrict their cards.

Well strong customer authentication is only relevant for online purchases, and I'm willing to bet that the number of non-EU clients purchasing _online_, via _insecure cards only_ is negligible (one can offer other alternative ways of payment). Also I _think_ that if merchant requires 3DSecure but bank doesn't offer it, the liability passes to the bank (i.e. BoA may decide to authorize the transaction on the card without 3DSecure - but in case of fraud, they will be the ones eating the loss, not the merchant). Not entirely sure on this one, though :)

> The comment originally was in the context of "I'm not truly sure what the right fix is." ; technically, a pretty decent fix is implemented elsewhere so it's not that hard to find. 3DSecure is implemented widely in Europe due to PSD2 regulation, you just need one like that in US, doesn't even need to be very original, they can copy most of it from EU. I'm not saying there aren't social/political challenges, just that there needs to be a will - because there already is a way.

Yeah, I’m saying that the people who could make that happen don’t have the incentives to do it, so the right technical fix is politically, commercially, or financially infeasible for many of the people who would have to agree in this. Solving that problem doesn’t have an obvious right fix.

Why is it so different in the US? Simply put, credit cards were widely adopted before 3-D Secure (or even chips) existed, to such an extent that they’re even now far more dominant than they are in Europe, and the number of issuers and merchants is far greater and more evenly distributed across small businesses (yes even many of the issuers).

So any modernization of the US credit card infrastructure is hard and slow. You’d be surprised. Even having a chip in US cards only became widespread recently, but they still don’t usually have a PIN used when making a in-person purchase. (The cards still work in most but not all European payment terminals - the machine often requests a signature, though the staff only sometimes bother with it.) Canada does at least have chip and PIN as standard.

> Well strong customer authentication is only relevant for online purchases

If you’re talking about the EU legal requirement, yeah - although it actually doesn’t apply in full if the cardholder’s bank is outside the EEA, the UK, or one other nearby country, even if the transaction is in the EEA. (Weirdly, Switzerland is also out of scope, despite how integral it is to Central Europe, probably because it’s not in the EEA.)

But in the US, plenty of in-person fraud still happens too with cloned or stolen cards. Adding a chip has made this somewhat harder but not as much as you’d like, especially not without a PIN.

> I'm willing to bet that the number of non-EU clients purchasing _online_, via _insecure cards only_ is negligible (one can offer other alternative ways of payment).

All of this very much depends on the business. For a business like OP’s which sells event tickets, if those event tickets have an international clientele such as tourists traveling from outside Europe or one of the few other countries where these technologies are commonly supported, there may not be any good other way to make the online ticket purchase happen.

Yes, credit (or effectively equivalent debit) cards without common 3-D Secure are that dominant in the US and Canada, although some people use PayPal or other local solutions too. In fact, credit and debit cards are the only way to buy online that’s routinely offered by most merchants in the US, so there’s no way to exclude non-European credit cards without excluding many US customers.

And lots of US or Canadian tourists in Europe really want to use the credit cards, because the fancy cards that frequent tourists or foreign-resident Americans/Canadians use often zero out the foreign currency cost with no foreign transaction fees, and/or because of reward points offered by the cards that are better for the cardholders (at more cost to the merchants) than what’s offered by issuers in Europe.

Traditional bank transfers (wire transfers) to Europe from outside the SEPA region are complicated, often slow, and expensive for both sides.

Plus keep in mind, the US and Canada are not the only countries where banks don’t have to offer strong customer authentication. It’s only required in the EEA and a few other countries. So when I said “international clientele” I don’t only mean North Americans.

> Also I _think_ that if merchant requi...

Paypal - like Apple Pay & Google Pay - require you to authenticate into your account, which takes away the "wasn't me" deniability (if you pay _with paypal_ as opposed to "via paypal, with credit card"). It's funny you bring up tourists - because these are exactly the people who had to get cards with PIN (when their banks didn't offer them), or risk being unable to use them in Europe. So the fact that they "want to" doesn't mean that the merchants do, in fact, bend over backwards to allow them - it was the US tourists that had to adapt. So it's possible!

I know the situation in US, I don't believe it's a problem of "cost" or "widespread use" (e.g. haven't heard about beggars taking credit card in the US - the card usage is far more widespread in Europe). Card fraud is not curbed in the US because there's no political will to do it, not because it's not possible or it's too expensive. If there was a PSD2-equivalent law, all banks would quickly implement it and y'all would wonder why this wasn't done sooner.

> Paypal - like Apple Pay & Google Pay - require you to authenticate into your account, which takes away the "wasn't me" deniability (if you pay _with paypal_ as opposed to "via paypal, with credit card").

Yeah, but most Americans who frequently deal with foreign expenses don’t want to pay with PayPal for them, since they are much more expensive for currency conversion than the traveler-focused US credit cards, don’t give the same legal protections to the cardholder in case of merchant misbehavior or data breach, don’t get covered by cardholder benefits like insurance, and don’t give reward points like the good US cards.

> It's funny you bring up tourists - because these are exactly the people who had to get cards with PIN (when their banks didn't offer them), or risk being unable to use them in Europe. So the fact that they "want to" doesn't mean that the merchants do, in fact, bend over backwards to allow them - it was the US tourists that had to adapt. So it's possible!

My life is a living counterexample to what you say is necessary for US tourists in Europe. I’ve been living in Germany for over 2 years now on various short-term immigration statuses (and yes legally despite the total duration). The main way I pay for most non-invoiced expenses both online and in person is a US-issued credit card with no PIN, only frictionless-flow 3-D Secure (no life customer option), and no foreign transaction or currency conversion fee. It works fine in pretty much every case I’ve encountered in Germany where cards are accepted at all, aside from sometimes having to sign. I do pay certain expenses by SEPA bank transfer or direct debit, but mostly medical or government expenses, rent, and certain peer to peer payments.

Cards with no tap to pay and no chip are a problem in Europe, but both of those are widely available in the US now.

> I know the situation in US, I don't believe it's a problem of "cost" or "widespread use" (e.g. haven't heard about beggars taking credit card in the US - the card usage is far more widespread in Europe).

You’re overgeneralizing about Europe and misgeneralizing about the US. Here in Germany, international cards like Visa and Mastercard were not that widely accepted before the COVID-19 pandemic, and even now most Germans don’t hold an actual credit card.

Beggars certainly don’t tend to take cards in Germany, though maybe they do in some of the most cashless European countries. In the US, sure beggars don’t typically take cards there either, although I’ve heard of isolated examples of it happening.

Looking overall rather than at atypical subsets like beggars, cards are indeed far more widely held in the US than in Europe, especially true credit cards but also the international type of debit card with a Visa (not Electron) or Mastercard (not Maestro) logo that can be used as if it were a credit card.

If you check statistics, be sure to look up statistics on how widely cards are held (and which types), not how widely cash is used. Many US people frequently use both cards and cash.

> Card fraud is not curbed in the US because there's no political will to do it, not because it's not possible or it's too expensive.

Why is there no political will to do it? Yes, it’s too expensive, a little bit for the merchants but especially for the banks. US merchants simply charge high enough prices to cover high credit card processing fees that let the banks eat the fraud (and/or pay rewards to their good customers). Customers don’t mind because they’re quite strongly legally protected, and the customers who don’t benefit from credit card rewards don’t feel ripped off because the relevant portion of the merchant cost structure is built into the listed prices. Nobody with sufficient influence and awareness of the situation has an incentive to change the system.

Even tap to pay was hard to get adopted in the US. Most initial attempts failed and ...

Germany is one of the most conservative societies in EU, they still insist on cash. But even so, I'm surprised you can do large-value payments without PIN; even if you have a contactless card, those are limited to small-ish sums (less than 100E I believe) - so yeah you can buy a croissant, maybe you can even buy lunch in most restaurants - but it still can randomly ask for PIN on some expenses, AND it always asks for large expenses.

> Why is there no political will to do it?

I don't know but I don't think there's a simple answer. Certainly not "it's too expensive", US can afford it. There's a cultural element to it, there's probably lobby of some interested parties. With cards in particular, it's also consumer apathy (as you say, people don't care - so no strong lobby is needed because no real demand for change exists). And maybe other reasons. But I don't think the status quo holds because it's too hard/expensive to change - it holds because there's not enough demand to change it.

A very simple way to change all this would be a law that moves liability to the bank (instead of merchant) in case of fraud. Sure banks would hate it (which is why it won't happen), but also if it happened, they'd then have actual incentives to prevent fraud/ would need to start seriously contemplating "what is more expensive".

> Germany is one of the most conservative societies in EU, they still insist on cash.

This has changed a lot since the pandemic, but only since then, and cash-only places are still common. However even many of the cards that people do now carry in Germany aren't true credit cards, unlike in the US. (True credit cards are however now accepted in most places that accept any cards, at least in Berlin, with a few exceptions.) Germans are very hesitant to accept even the level of debt that is involved in charging to a credit card which one pays off in full by the monthly due date, which doesn't usually involve paying interest.

> But even so, I'm surprised you can do large-value payments without PIN; even if you have a contactless card, those are limited to small-ish sums (less than 100E I believe) - so yeah you can buy a croissant, maybe you can even buy lunch in most restaurants - but it still can randomly ask for PIN on some expenses, AND it always asks for large expenses.

You're probably describing how things typically work for cards issued in your country, but that primarily depends on the issuer's policies, mostly not those at the point of sale. I'm familiar with what you describe from having lived in Canada before, where I did have some cards issued in Canada as well as my US-issued ones.

But that's not the way it works for US-issued cards. There isn't even a PIN for my card to prompt for if they wanted to prompt for one, since the card doesn't support that functionality; the most they can do, and this sometimes happens, is prompt the staff to ask for my signature. Some of the time the staff actually does ask me to sign, other times they don't.

I think they can also ask me to insert the chip, but most of the times this occurs (not all), it's the merchant trying to upsell me on a marked-up currency conversion option instead of just letting my bank convert for free. (Even for the many US cards which do charge for currency conversion, the typical merchant conversion mark-up is still higher than what the cards would charge, and then the cards often charge their fee anyway since it's still a foreign transaction regardless of currency.)

As for the 100 euro limit, I'm surprised if such a low limit still exists in your country. For the Canadian cards where I had a similar $100 or $200 limit, they raised the limit during the pandemic and never lowered it. My US card has no relevant such limit - I frequently tap for amounts above 200 euros at the pharmacy, and recently tapped a 1500 euro charge at a veterinary surgical clinic. Some of these ask me to sign, but generally not to insert the chip, and definitely no PIN. All in Germany, yes.

> I don't know but I don't think there's a simple answer. Certainly not "it's too expensive", US can afford it.

"Too expensive" doesn't always mean "too expensive to afford if it were to be prioritized". It can mean "too expensive to justify the expense". Which I think is in fact true in the US, at least given the various risks, incentives, and costs of the various parties involved.

> With cards in particular, it's also consumer apathy

It's not just consumer apathy - US laws are so protective of consumers who are victims of fraud that consumers in the US almost never lose any money or much money to card fraud, especially credit card fraud but even many cases of debit card fraud. Unlike on most topics, US laws in this area are far more consumer-protective than EU laws.

> But I don't think the status quo holds because it's too hard/expensive to change - it holds because there's not enough demand to change it.

Which is another way to say it's too hard/expensive to change. That is, it's too hard/expensive to be worth changing, not too hard/expensive to be possible to change.

> A very simple way to change all this would be a law that moves liability to the bank (instead of m...

Separate reply to add: the US (or Canadian) rules apply in these regards to the use of US (or Canadian) cards in Europe, unless a particular merchant wants to ban those. I suspect this is only sometimes legal for them to do, but more importantly, it’s often a bad business decision overall for businesses with an international clientele. So for merchants in any country worldwide, this problem has only been solved decently well if they want to region-restrict their cards.
I've seen 3d secure in the wild here in Michigan as far back as two years ago. My boss (a pretty high net worth individual) gave me a card to pay for something online with and ended up leaving before I hit pay.

Got sent through the flow but couldn't complete the purchase as he wasn't answering his phone.

One and only time I've seen it though and I wouldn't doubt its a fancy card or enabled due to account value or something.

Yeah, the good version of 3-D Secure does exist in the US, but it’s rare as you say. If the vast majority of US cards don’t have it, including many from major issuers, then the problem isn’t really solved for merchants (in any country!) who accept US cards.
(comment deleted)
The card issuer will always have the final say when it comes to chargebacks. Each issuer has a different policy, and Stripe cannot (or should not) gamble on whether the issuer shares their view on a dispute, lest they be left holding the bag when the issuer claws back the money. Deferring to the issuing bank for disputes is a reasonable policy.
Maybe the solution then is regulation of issuer chargeback policies, or of the ability of issuers to claw back money from payment processors or merchants. Yes, the issuer knows the cardholder better than the merchant, but the payment processor knows the merchant better than the issuer. Why is it right for one of those two sides to automatically get the final say, even when they use such a spurious basis for their decision as Bank of America did here?

As I said, figuring out the right fix is not easy. But I don’t see how the current situation is defensible as okay, except as maybe reflecting the natural way for each of the individual actors to behave given the various incentives which are presently applicable to them, or as better than any specific proposal currently available for how to fix the situation.

Stripe notifies you of an issuer dispute raised through the respective scheme. They have no control except being a messenger back and forth between you and then customers issuing bank and the scheme. So not on Stripe this one. And this is coming from someone who absolutely despises Stripe. Especially you, Alan from Stripe.
Zarar means loss in Turkish/Persian by the way.
It seems the problem here is the bank, not Stripe.
I actually appreciate that banks are on the consumer side.

In a developing country, the bank would accuse the customers of fraud on behalf of the merchants.