
Screwed by Square - rajbala
http://alexshvartsman.com/2014/02/11/screwed-by-square/
======
dangrossman
This is the experience you get with traditional merchant accounts (what every
business had before 3rd-party processors like Square and PayPal, and most
large and B&M businesses still use). You get chargebacks, you lose the money
immediately, you often lose the disputes even if you shipped items, and if
your CB rate is over 1% of your monthly volume for a few months, your account
gets closed. Period. The only way to stay in business if you're a target for
fraud is to become very good at screening orders, whether it's through systems
or manual review, because nobody else is going to protect you.

This is the value of PayPal's Seller Protection Program, which people probably
undervalue since they've never dealt with a real merchant account. If you sell
with PayPal, and ship a tangible to the address on the buyer's PayPal account,
and have proof of shipment, you have 100% liability protection. Someone
charges back the payment, and it's PayPal's problem, not yours; even if they
lose, you don't lose your money.

~~~
300bps
I agree. The headline should have been, "Screwed by Thieves that used
Fraudulent Credit Cards". It perhaps should have had a subtitle of, "My
Education on Implementing Adequate Anti-Fraud Measures at my Company."

I'm not sure I understand why he thinks Square screwed him.

~~~
fnordfnordfnord
Well, he alleges that Square cancelled his account without notice, and
describes how that affected his business because he had made efforts to drive
customers to use the Square payment method. He also admits that he should have
developed a more robust solution, but rationalizes that he stayed with Square
due to good prior experience.

Even if Square is perfectly in the right based on their user agreements they
may be throwing good money away, and chasing off good customers. It's not hard
to understand why a retail business owner would appreciate a little notice
before an account cancellation.

------
nathanb
This is such a common refrain in the tech space.

"We provide you with this disruptive new service that's really cool. Oh, it
doesn't work for you? We also provide you with absolutely zero support."

Sometimes this means you lose business for a few days, realize you were dumb
for building your business on top of a company that can't even be bothered to
give you a phone number, and move on.

Sometimes the company takes the money out of your bank account and gives you
absolutely no recourse.

If Alex had time and money, he could bring charges against Square. Not that
he'd necessarily win, but he'd at least get himself on their radar (and
hopefully get a settlement just to get him off their back). Thanks to Square,
he has too little of both right now.

It's stories like this that make me realize how grateful I am for companies
like Zappos, whose big selling point was (and still is, reputedly) "we're not
jerks". I had to contact their customer service back when they were still
independent, and I was very pleased with the experience. I still shop there,
even when it feels like I'm paying a premium, because a company that treats me
decently is worth it.

------
ROFISH
This sounds like more of an issue with our card payment systems rather than
individual merchants. All it takes is 16 digits to fraudulently use somebody
else's money and the merchant is typically liable in case of that. And to add
insult to the injury, they add a $20 chargeback fee on top. The banks and
processors aren't taking responsibility and instead forcing merchants whose
core focus is on selling and shipping rather than the intricacies of payment
handling.

Due to this lopsided arrangement, banks and processors have no reason to
change the system. We should force them to take the risk of fraud; it's the
only way to make the system better for everyone.

~~~
keithpeter
Is it not 16+3, the code on the back of each credit card?

If not, why not?

~~~
dangrossman
The exact number of digits you need to know isn't relevant. The problem is
that you can spend someone else's money just by knowing their digits, the
recipient is expected to reject that money if it's not your digits, but is
given no way to truly verify identity or ownership.

~~~
Silhouette
_The problem is that you can spend someone else 's money just by knowing their
digits_

That's part of it. The other parts are that unlike a PIN or password, people
routinely tell others what those digits are, and that the system works as a
pull (the merchant decides when to collect the money and informs the
customer's bank via the payment processing system) instead of a push (the
customer decides when and where to send the money and informs their own bank).

Most of the problems with security, fraud, chargebacks and related areas in
the card payment industry ultimately start from this fundamentally flawed
model.

------
pkteison
Not square at all, this is a fundamental problem with credit card processing.
As long as the costs of fraud are borne by the individual merchants I doubt it
will be fixed. Fundamentally flawed system design / perverse incentives.

To the best of my knowledge, anybody taking a credit card will lose a
chargeback if they don't have a signature. And you never have a signature in
an ecommerce transaction, so you will lose all disputes. (I know the very
large company I used to do the CC processing for routinely lost our
chargebacks for ecommerce transactions, and at our volume we should have been
able to find a system for not losing if one could be found.)

The only current "solution" is to do a good job of filtering up front and
rejecting suspicious transactions, which can be helped by requiring AVS and
CVV2 matches and phone calls for large orders - but there isn't really a good
system for handling this at all. The best I've seen so far is a company that
would verify new customers by calling and asking them a question about their
neighborhood from google maps. And it's a shame that each individual merchant
has to come up with something convoluted like this, and the payment processors
don't provide technical help or financial guarantees for the transactions they
authorize. But that's just how it is right now, and it isn't Square's fault.

~~~
Silhouette
_To the best of my knowledge, anybody taking a credit card will lose a
chargeback if they don 't have a signature._

It's not quite as simple as that. The customer authentication problem is what
programmes like MasterCard SecureCode and Verified by Visa are supposed to
solve. The trouble is, their implementations are so clunky that a lot of
merchants/payment services don't use them, which in turn means a lot of end
customers don't expect or understand them either, damaging legitimate
conversions. I've heard that they are also not widely used in the US for
whatever reason(s), though they're somewhat common here in the UK now.

In theory, these mechanisms should fix much of the underlying weakness in the
current card payments model, because the end customer never gives the extra
security information to others, only to their own bank/card provider. And
there really are (or at least were the last time I checked) payment services
that will eat the fees for chargebacks on transactions that were authorised
using these kinds of 3-D Secure mechanisms given reasonable evidence that the
merchant did provide whatever was being paid for. Unfortunately, I'm not aware
that any of the new generation of online payment services offers 3-D Secure
yet, which I expect to become a significant headache for them as more horror
stories like the one we're discussing here come to light.

As a point of interest, much the same arguments apply to two-factor
authentication schemes for cardholder present transactions, such as Chip-and-
PIN, which has been almost universal in the UK for a long time now but again
doesn't seem to have had as much take-up in some other countries. It's normal
to consider a PIN-authenticated transaction at least as safe as one confirmed
with a written signature. But again, these technologies don't seem to be
universal in some other countries yet for whatever reason(s).

------
Glyptodon
Everybody's talking about how this kind of thing is baked into the credit card
system. Even a few days back there was the article about processors changing
to a system with PINs like in Europe or something.

What I don't get is why you can't do something much more simple.

Wouldn't 99% of these problems be fixed by something as simple as a credit
card companies just requiring transaction approval from the card holder?

It could be handled by text message or an app and show up as on your phone
within 5 seconds of running your card.

Swipe, okay it on your phone, done, forget giving everyone new cards with some
sort of complex PIN # system.

Heck, you could even go a step further and make a barcode on your smartphone
scan as a credit card at checkout, and then hit okay on your phone to complete
the transaction.

Get an alert for something you aren't buying? Hit deny, it doesn't go through.
No fraud, everyone's happy.

I'm guessing the reason there's not a system like this is that most credit
card terminals are too archaic and dumb to have a live link to the Internet to
handle something like this in real time? (Or the more obvious reason of not
being able to use it without a cell phone?)

~~~
ashray
Almost every credit card transaction in India goes through this kind of
system. At a POS terminal you need to enter a pin (same thing in Europe).

For e-commerce you need to enter a password after you enter all your CC
details. It's called Verified by Visa or Mastercard Securecode, depending on
what card you have.

The downside is that apparently the user agreement states that if your
password gets stolen (as well as your credit card details) then all liability
is on you.

~~~
Glyptodon
I think requiring the card owner to know and keep safe some password rather
than just okay a transaction seems more complicated.

------
carsonm
Shopify might be worth considering, they have a pretty good POS system
([http://shopify.com/pos](http://shopify.com/pos)), and probably more
experience dealing with these sorts of shenanigans, plus you can get them on
the phone.

And you don't have to sign up for the whole POS system to get the card-reader
for your phone/iPad. Their mobile app (available to any Shopify shop owner)
ships out a free reader. [http://www.shopify.com/blog/11013977-introducing-
shopify-mob...](http://www.shopify.com/blog/11013977-introducing-shopify-
mobile)

~~~
dangrossman
I wonder if Shopify actually has any input into the chargeback process and
risk evaluation of accounts. Shopify Payments are "powered by Stripe" rather
than something they run themselves. They do have a nice integration and you
get a discount compared to using Stripe directly without any minimum volume.

------
kochman
I don't like the trend of businesses becoming less and less easy to reason
with. If an algorithm, or even a person, decides to cut you off, that's it.
There's little recourse in situations like these.

~~~
DanHulton
Except, of course, internet diatribes like this.

I had a similar problem with eBay and the only way to get them to respond in a
timely fashion was a similar rant that made it to the front page of Hacker
News.

Customer support via blog post. Not the most effective method I can think of.

~~~
2pasc
>>Customer support via blog post. Not the most effective method I can think
of.

No - but the only one where a manager will have his job on the line.

(unfortunately)

------
Torn
Here's hoping a Square employee (or someone that knows one) reads this. It'll
keep happening to the small guys as Square scales - they need to tackle this
sooner rather than later.

~~~
timmaah
What do you suggest Square do? This is standard operating procedure for
merchant account providers.

~~~
Xdes
I thought Square was supposed to be one of those "disruptive" startups. If
they continue the status quo and don't try to improve their customer service
then why should I use them?

~~~
timmaah
I am not knowledgable enough about Square itself to know what they are
"disrupting", but their chargeback section in their sellers agreement is no
different than that of a standard merchant account. Seller liable for all
chargebacks; they reserve the right to hold an unknown reserve; charge a
larger fee; or close the account.

Do they try to differentiate themselves via customer service?

~~~
erichocean
_Do they try to differentiate themselves via customer service?_

Okay, that made me laugh. :)

------
ciokan
Paypal does the same. Blocked mine with 30k in it for 6 months and destroyed
my business with it. We had to sell stuff from our house to pay providers
(~20k) to survive that month. We lost subscribers and our business recovered
in almost 1.5 years out of that "High risk" ban.

To them "high-risk" often means "you put too many questions" or "we don't have
time to actually support you properly". By simply banning you they get rid of
businesses that require more attention instead of hiring more capable people.
That list of capable people should grow along with the customers list but they
stop at some point and that's when they can't deal with you.

It's good that stripe is not available in my country because I really wanted
to pick them after Paypal nightmare. I think I would have killed myself at
round 2 with this type of support and bans they throw at you when you need
help.

------
coldcode
Customer service is a cost center to most companies, even internet darling
companies like Square. So you won't get any because it's cheaper to piss off a
few customers than to invest in actual service. Until they feel some financial
pain they don't care about you. Which would make a nice new startup, someone
who actually worked with both customers (in this case sellers) and service
providers to provide actual service. But I won't hold my breath as there is
probably no financial reason to do this.

------
circa
Thanks for sharing. For nearly 10 years I managed and engineered a large
e-commerce site. I learned a ton in the process. These posts always hurt. I
feel the pain.

Also, reminds me of this post a while back -
[http://elliotjaystocks.com/blog/good-riddance-
paypal/](http://elliotjaystocks.com/blog/good-riddance-paypal/)

"PayPal have all the power of a bank and yet none of the responsibility."

------
args1and3
Most of the comments here seem to be that this normal practise, and he should
have known in advance to check for fraud or else he would lose money and have
his account closed.

If this is so obvious, why doesn't Squaree explicitly spell this out in a help
page? Is this some magical knowledge that can only be learnt first hand, and
never officially stated?

Square screwed him over by not being more transparent with their policies.

------
smackfu
Shouldn't Square be the one detecting fraud with address verification, CVV
codes, etc?

And while it's ok to cancel an account that has a high proportion of fraud,
it's wrong to do that AND take the money back.

~~~
dangrossman
AVS and CVV do not do much to detect fraud. Anyone that's bought a stolen
credit card has the address and CVV code too. Square isn't keeping any money
either -- that money is going back to the account it was stolen from (the
owner of the stolen credit card). It left Square's bank account before Square
was even notified of the chargeback; that's how the system works. The fact
that they don't immediately deduct the funds from the merchant, as a merchant
account would, is actually a nicety, as their own books are missing money
until that chargeback is resolved.

~~~
smackfu
>Anyone that's bought a stolen credit card has the address and CVV code too

Yeah, but for a shipped physical good, only being able to ship to the original
cardholder's address doesn't do you much good. That $1800 package isn't going
to you, unless you are physically close enough to steal it off their doorstep
which is pretty risky.

So either it's the correct address, which points to the cardholder defrauding,
or it's a different address, which should be caught by the processor. Or they
shipped to a different address than the billing address, which would be
totally the fault of the seller.

~~~
aetherson
Different shipping addresses from billing addresses are absolutely standard
practice. I don't know why you'd think that a seller would disallow shipping
to something other than the billing address.

~~~
calbear81
Back in the days when I worked at Newegg, average order values were in the
thousands from all of the custom gaming rig builds so fraud was taken very
seriously. Newegg did not allow shipping to an address that was different than
the one on file with your credit card company so the only way to do that was
for the customer to call the credit card company and add the new shipping
address. I'm sure they lost some customers who didn't want to deal with that
but they also severely limited their exposure.

------
fnordfnordfnord
Square makes merchant wish for PayPal.... Wow.

------
maximilian
Can't he use Strip for the online portion of these transactions? I don't know
if their customer service is any better, but at least he doesn't have to use
Paypal.

~~~
aetherson
My company uses Stripe. The chargeback resolution process described in the
original article sounds identical to our experience with Stripe.

------
cordite
I know some companies like Google and Amazon are trying to automate-away all
customer service.. but this seems exhaustive.

