

Ask HN: Nightmares with Stripe? - silntbob

Have any of you had a nightmare with Stripe? failed payments... holding of money... random chargebacks... etc... I am about to deploy it on a project where the 'director' is a bit worried about not having a merchant account associated with Stripe.

If you could share any bad times that would be great!

I have heard a ton of good but no bad so I don't have much ammo on possible situations...

Thanks HN!
======
adunar
We've been using Stripe to accept payments at <http://telerivet.com> for about
9 months now, and generally we have been very happy with their service.

One thing Stripe doesn't really mention up front is that it's actually your
responsibility to make sure that your customers aren't using stolen credit
cards. (I assume this is the same for other payment processors, not just
Stripe.)

We received a few payments that seemed suspicious (probably stolen credit
cards), which resulted in a couple of chargebacks ($15 fee each) that showed
up 3 months later. Since refunding suspicious payments to avoid chargebacks
still incurs Stripe's transaction fees, we ended up developing our own
heuristics to require manual approval of suspicious payments before sending
them to Stripe.

~~~
jaddison
Not to pry, but would you consider sharing the heuristics, even if at a
general level, perhaps via a blog post? I think that many hacker peers would
love to know what works for your team.

~~~
adunar
Here are some of the things Telerivet looks at to detect suspicious payments:

- Credit cards that fail the address, zip, or CVC check. Stripe tells you
whether these checks fail, but will still process the payment anyway.

- Unusually large payments. For some reason we often see suspicious credit
card payments of exactly $100. Maybe they're just testing if a stolen credit
card works?

- Payments for very new customers, or for customers that aren't actively
using our service yet. Our service has a free plan for testing, so most real
customers don't pay immediately.

- Same credit card used on multiple accounts. We store Stripe's card
fingerprint for each account so we can easily search our database for
duplicates.

- Multiple payments in a short amount of time.

When someone tries to submit a payment, we create a "customer" record on
Stripe and test their credit card first without charging it. If the customer
looks suspicious, our servers send us an email and save a record for the
pending charge in our database. Then we can investigate further and either
process the charge on Stripe or delete it. If the customer is legitimate after
all, we'll mark their account as trusted so any future payments will be
processed automatically.
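
The heuristics and hold-for-review flow from the comment above, sketched as an added example (not part of the thread and not Telerivet's code). The dictionary fields, thresholds and function names are assumptions made for illustration, and the sample records are constructed.

```python
from datetime import datetime, timedelta

# Thresholds are assumptions for illustration; the comment gives no numbers
# other than the recurring $100 amount.
LARGE_AMOUNT_CENTS = 10_000
NEW_ACCOUNT_AGE = timedelta(days=7)
VELOCITY_WINDOW = timedelta(hours=1)
VELOCITY_LIMIT = 2  # earlier payments inside the window that trigger a hold

def suspicion_reasons(payment, account, fingerprint_owners, recent_times):
    """Return the heuristics a pending payment trips (empty list = none)."""
    reasons = []
    # Address / zip / CVC results: the processor reports them but still charges.
    for check in ("address_check", "zip_check", "cvc_check"):
        if payment.get(check) == "fail":
            reasons.append(f"{check} failed")
    # Unusually large payment.
    if payment["amount_cents"] >= LARGE_AMOUNT_CENTS:
        reasons.append("large amount")
    # Very new customer, or one who is not using the service yet.
    if payment["created"] - account["registered"] < NEW_ACCOUNT_AGE:
        reasons.append("new account")
    if not account["has_usage"]:
        reasons.append("no service usage")
    # Same card fingerprint already stored for a different account.
    others = fingerprint_owners.get(payment["card_fingerprint"], set()) - {account["id"]}
    if others:
        reasons.append("card seen on other accounts")
    # Multiple payments in a short amount of time.
    recent = [t for t in recent_times
              if timedelta(0) <= payment["created"] - t <= VELOCITY_WINDOW]
    if len(recent) >= VELOCITY_LIMIT:
        reasons.append("payment velocity")
    return reasons

def decide(payment, account, fingerprint_owners, recent_times):
    """Return ('charge' | 'hold', reasons); 'hold' means manual approval first."""
    if account.get("trusted"):  # approved by a reviewer on an earlier payment
        return "charge", []
    reasons = suspicion_reasons(payment, account, fingerprint_owners, recent_times)
    return ("hold" if reasons else "charge"), reasons

# Constructed sample: day-old account, no usage, exactly $100, failed CVC check.
NOW = datetime(2013, 6, 1, 12, 0)
SAMPLE_ACCOUNT = {"id": "acct_a", "registered": NOW - timedelta(days=1),
                  "has_usage": False, "trusted": False}
SAMPLE_PAYMENT = {"amount_cents": 10_000, "created": NOW, "card_fingerprint": "fp_constructed_1",
                  "address_check": "pass", "zip_check": "pass", "cvc_check": "fail"}
```

A held payment would be stored as a pending charge with its reasons attached, so the reviewer sees why it was flagged before processing or deleting it.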

~~~
Lukeas14
What is your process for investigating further to prove the card is not
stolen?

~~~
adunar
We can't really prove that the card isn't stolen. One of the frustrating
things about the card-processing system is that there's no way for merchants
to actually initiate a fraud check (where the bank calls the cardholder to
verify a purchase), or even any way to warn the cardholder that their card may
be stolen.

Our manual review process usually consists of looking at:

- When the customer first registers, we ask them an open-ended question, "How
do you plan on using Telerivet?". Did they provide an answer that would
indicate that they are a legitimate customer?

- Does the customer's verified email address look suspicious (e.g. a
disposable email account, or something that seems randomly generated)?
Actually now we automatically block accounts from known disposable email
providers from registering for Telerivet in the first place, but that's a
whole different story.

- Does the customer's name look suspicious (e.g. random letters/numbers)?

- Does the customer's use of our service so far look suspicious?

Potentially we may also follow up with the customer over email. People who
seem suspicious typically don't respond.

------
procyon
We have been really happy with Stripe as well. Over the past year or so we have
built several projects using Stripe. The only time we had a scare was due to a
rogue administrator. Stripe helped us investigate the problem.

------
ia
my experience w/stripe just adds to the pile of awesome. on a couple of
occasions, i was in their support chatroom trading code snippets w/their
engineers who were incredibly smart, responsive, and friendly.

------
silntbob
Thank you for all of your comments :)!

