
Ask HN: How does onlyfans.com work around the “no porn” Stripe rule? - capableweb
For reasons beyond this ask, I&#x27;m needing to use a payment processor that is fine with high-risk transactions (which the porn industry certainly fits in) so started looking around what adult websites are using.<p>Many are using probiller, vendo and similar, since Stripe and others have rules against porn&#x2F;adult industry, citing high risk transactions for this.<p>But then I came across onlyfans.com, which is using Stripe for its payments, although Stripe has a strict &quot;no porn&quot; rule in their terms of service.<p>How does this work? Onlyfans is by now a huge website, with lots of transactions, so it&#x27;s surely not flying under the radar. It&#x27;s the only adult website I could find that is using Stripe.<p>Is it as simple as they have an agreement with Stripe to bypass the rule? Or am I missing something else obvious here?
======
disillusioned
Cascading payments might be the real answer, and shuffling higher risk charges
to non-Stripe providers, but in my experience, Stripe can get pretty
moralizing pretty quickly.

We built an adult ecommerce site (purely toys for purchase, no porn) and
because other adult toy sites had been successful on Stripe, Stripe assured us
this wouldn't be a problem.

Six months and several million dollars processed later, Stripe informs us
we're going to be deplatformed because Wells Fargo (their banking partner) had
reviewed our account (apparently because of its volume) and determined we
violated their standards because of the nature of the toys.

We did a bit of back and forth where Stripe suggested we alter the colors
available (seriously) to assuage Wells Fargo's puritanical concerns, and
Stripe insisted it wasn't _their_ moralizing, but rather Wells Fargo (paragons
of fucking virtue as they are), but we weren't willing to compromise on the
nature of our product or have our product's options or colors dictated to us
by one of the most corrupt banks on the planet.

We ended up deplatforming and moving to a high-risk processor who was willing
to match our competitive Stripe rate. That processor sucks and their fraud
protections are weak and their interface is garbage, but they're not telling
us how to run our business.

Was mostly disappointed that we went through an arduous review process with
Stripe beforehand and received assurances we'd be fine since our chargeback
rate is insanely low and we ship actual physical product and have no nudity on
our site, but alas.

~~~
haltingproblem
This is an incredibly frustrating read. I know, I know there are far worse
things in the world but _fucking_ Wells Fargo dictating to people when they
evict homeowners who have no relationship with Wells Fargo, commit wholesale
wire fraud, destroy people's credit and then turn around and lecture a
_honest_ business.

This is why banking is a rent-seeking and though we need the financial
industry they are ghoulish vampires sucking the lifeblood out of everything
they touch.

/rant

~~~
lukifer
> we need the financial industry

Do we, though? I don't know whether the answer is distributed blockchains, or
the Department of the Treasury creating an API for USD, or both; but the
current banking system seems to me like the legacy code of feudal landed
aristocrats. (I will never stop being disappointed that we didn't let the
financial system crash in 2009.)

~~~
rumanator
> Do we, though?

Why, yes? Isn't it blatantly obvious? What exactly leads you to believe we
don't?

> I don't know whether the answer is distributed blockchains, or the
> Department of the Treasury creating an API for USD, or both;

I'm dumbfounded how someone even comes close to believe that any one of these
ideas comes even close to provide the service that financial institutions
provide. Either you have a very specific and very niche usecase in mind, or
maybe you have absolutely no idea about the services that financial
institutions provide to society.

> but the current banking system seems to me like the legacy code of feudal
> landed aristocrats.

This comment leads me to believe that you are confusing stuff that has no
relation whatsoever. Your dislike of caricatures and ideological strawmen you
associated with financial services has absolutely no relation with the
services provided to society by the whole banking industry. Just because you
don't like Scrooge McDuck that doesn't mean most of us don't depend on loans
to, say, buy a house or a car or store our savings or pay for everyday stuff.

~~~
errantspark
We don't need usury. I'm confident we could figure out how to make things work
without it.

~~~
Nasrudith
We know how it works without it - stagnation and the those currently at the
top staying there due to lack of capital. Usury is a religious fundamentalist
term divorced from the systemics and the reality of what works and what
doesn't.

~~~
krageon
> those currently at the top staying there

And you're sure you're not describing the current day, but instead some
hypothetical bad scenario if we had no financial sector? It seems to me that
if we have this problem now _and_ without a financial sector, that's not
really related to them at all.

------
mrdumas
Since, I know a friend in this industry, let me explain what's going on here.
Yes, OnlyFans uses Stripe, but that's not the entire story.

In the adult/porn world, there's a high amount of chargebacks and fraud
relative to low-risk industries like SaaS software. If you pass a certain
chargeback threshold in the adult industry, your account is terminated, and no
payment processor will do business with you.

To reduce the likelihood of passing that chargeback threshold and being
banned, OnlyFans uses "cascading payments", which essentially load balances
the payments across multiple payment processors in order to reduce their
chargeback ratios across their merchant accounts.

The payment is either processed by Stripe, Securion, CCBill(the leading
payment processor for adult), or another company.

Last time I checked the network requests, I noticed it was storing the card on
Stripe, CCBill, and Securion, but using CCBill or Securion to process the
payment.

I think Stripe is there for models on the site who don't sell adult content.
OnlyFans probably does a check to see if the page is adult-related and if it
is, then routes it to the correct payment processor.

~~~
techsin101
loading across multiple providers won't alter the chargeback ratio so what is
the point?

~~~
fooey
Chargeback ratio's are per account, but also have a minimum absolute
threshold. So it's say, 2% chargeback AND at least 200 chargebacks before
penalties kick in.

In a past life I worked for a place who had a few hundred processing accounts
to load balance it all out because their chargeback rates were way too high.
If an account gets close, you just don't use it for a month, or you throw a
bunch of "safe" recurring charges at it to dilute it, or you hold a batch and
send them through right before the rollover. Lots of ways to play number
games.

Most of the execs did go to prison though, so don't take this as advice, but
to be fair, the processors are the ones who told them to use those tactics.

~~~
folli
They went to prison for load balancing, or how does this relate?

~~~
thinkingkong
Gambling.

~~~
fooey
The business was just run of the mill "get rich on google" and "free
government grant" garbage that was common in the 2000's.

Ironically, they made so much money doing their regular business the owner
bought a small US based bank and was running online poker processing through
it.

When "black friday" in the poker world happened, the bank failed and
everything fell apart, but so far as I know, no one involved was ever charged
with anything related.

------
adwi
My understanding is the rules are dictated by Visa/MC/Amex, and are largely
based on chargeback risk for categories of merchants. There are likely further
legal and pearl-clutchy reasons that combine to just out and out ban.

Anecdote: we talked with every payment processor around for a product we were
making that involved storing and spending value from a digital wallet. It was
close enough to various Visa/MC rules and money transmitting statutes that the
usual response was arguing for a few weeks about why we comply until higher
management decided something akin to: well if you had a lot of volume we’d
take the risk dealing with it, but you don’t so it’s not worth our time.

Last ditch effort was Stripe, who said: sure! And we asked again with more
detail, making sure they saw the same issues and wouldn’t make us tear it down
in a month. They said: sure! Did it a third time higher up for diligence, and
finally just came to the conclusion they have different priorities and are
getting big enough to use their scale to throw some weight around for all the
small merchants.

~~~
preinheimer
+1 to the rules coming down from Visa & MC. Amex doesn't allow adult.

There's a bit more nuance there, as the rules actually come from the bank
issuing your merchant account, rather than some master "Visa" entity. So if
you're a big player in the adult game you're going to work to find the right
banks willing to issue you merchant accounts.

Those banks will also have a compliance department which will look at your
content and make sure it's inline with what they're willing to allow. If you
want to make adult content where consensual adults do things together there's
one group of banks you can go to. If you want to make niche content with acted
out violence and such you're going to find a much smaller group of banks
willing to issue you merchant accounts. Or possibly no banks at all. It's
interesting that the thing deciding what adult content will be easily
monetizable on the internet is small merchant account issuing banks.

On the charging side I believe Stripe uses Wells Fargo, which has pretty
strict rules.

Source: worked for one of the large players in the adult market a while back.
Some info may be dated.

Note: one of the fun things about credit cards is that Visa and MC are issued
by banks, and Amex is issued by Amex. There was a new fraud style a few years
ago that amex was able to lock down pretty quick due to its centralized
nature, while Visa and MC had a harder time.

Note2: I may define fun differently than you.

~~~
us0r
Visa is absolutely a master entity that dictates nearly everything including
consumer credit reporting requirements and minimum credit lines. They publish
an 886 page "public" version which is actually kind of an interesting read:

[https://usa.visa.com/dam/VCOM/download/about-visa/visa-
rules...](https://usa.visa.com/dam/VCOM/download/about-visa/visa-rules-
public.pdf)

~~~
gruez
> They publish an 886 page "public" version which is actually kind of an
> interesting read:

yet a search for "adult" only yield one result, and it's in the context of a
card for minors.

~~~
preinheimer
and as with all things, interpretation is key.

~~~
marcus_holmes
As pointed out, the banks also have a say. And banks are notoriously risk-
averse and prudish. It's much easier for them to say "no" than "yes".

~~~
unnouinceput
+1. For anyone, watch the movie "Yes man", with Jim Carrey. It's a run of the
mile chick flick, but the bit about banks, which is fairly at beginning, it
portraits the "we prefer to say NO" policy of banks very accurate.

------
gojomo
Often, when the market doesn't provide an essential gateway service to a law-
abiding subpopulation, some sort of 'public option' is proposed.

Not enough market housing, offer public/subsidized options. Not enough low- or
no-cost private education, offer public schools. Too little affordable
healthcare/insurance, offer Medicaid, a 'public option', single-payer. Public
transport.

Should the government offer a 'public option' payment-processor of last
resort, with guaranteed service for all legal but unpopular businesses? A
service that couldn't reject camgirls, weed-sellers, Alex Jones, gun shops,
etc?

~~~
Noos
You have this already. It's called "using checks and money orders."

The problem is that people want the convenience credit cards use, and don't
want to wait for the check to clear to get their stuff.

~~~
jimmydorry
Banks can and will close your account for any reason under the Sun. How do you
write a check or receive one without a bank account? I'm not familiar enough
with money orders, but I assume the same applies.

Then, on top of all of that, you can't run a business through a personal
account. So you still require a business type bank account, and the above
options are terrible for any eCommerce site, which is pretty much the only
kind of business that will be discussed here on HN.

~~~
totalZero
You can get a money order without a bank account. There's often a limit on the
amount, so in some cases you may need to buy several in order to amass the
full balance. You may also need to show ID.

You can also cash a money order without a bank account.

------
tzs
How do you find out what payment processor(s) a given site uses?

I know that some provide methods whereby a site can have the actual payment
entry form served and processed by the payment processor instead of by the
site's own server, so you'd be able to see from the user's end where they
payment is actually being processed.

I've never done a survey, but just anecdotally most sites I've encountered
seem to not be using that option. Their payment entry form comes from their
own site and posts back to it, where their own back-end handles dealing with
their payment processor's API.

Using the method where the user interacts directly with the payment processor
does have the advantage that it simplifies PCI compliance. If your systems
never even see the credit card, just receiving a token from the payment
processor at the end of the transaction that you can use to initiate
subsequent on-file or recurring transactions, most of PCI goes away for you.

On the other hand, that also means that you are stuck with that payment
processor for on-file or recurring transactions for that customer. Your token
from payment processor X is completely worthless for doing charges at payment
processor Y.

If I was in a business that has a significantly above average risk of running
into payment processor trouble so I might need to change processors, I'd want
to store the credit cards myself. That makes it possible to change payment
processors without having to get all of your subscription customers to come
back and re-enter credit card information [1].

[1] Well...at least for now. I'm not sure if that will still be possible if
the Visa stored credential framework ever actually becomes required. Briefly,
under the SCF requirements when you store a credit card, you have to send a
flag to Visa with the transaction saying you are storing it. On subsequent on-
file or recurring transactions, you have to send a reference to the
transaction that stored the card.

The problem is that you reference that transaction by sending Visa's
transaction number. But Visa's number for transactions is generally _not_ the
transaction number you get from your payment processor. The payment processor
has its own transaction numbers and those are what you see.

I believe MC is also doing SCF. Not sure about Discover and Amex. It was
supposed to become mandatory something like two or three years ago, but
payment processors kept asking for extensions.

~~~
capableweb
> How do you find out what payment processor(s) a given site uses?

I'm a developer so looking at what kind of request the application is doing
when interacting with anything involving payments. In the case of OnlyFans it
was easy as they make direct requests to Stripe. In other cases, I've looked
at the data structures stored in the current page by using the JS console and
compare it to the API docs of various payment processors.

~~~
pottertheotter
I'm not a web developer but I always assumed that happened on the backend, so
it wouldn't be visible. I guess not?

~~~
justinholmes
Most websites can't/shouldn't store the card number, they embed Stripe
JavaScript that sends card number to Stripe and get a token id to use on the
backend later on. Can't store CCV or number without passing PCI compliance.

~~~
tzs
For the CVV you can't store it even if you have passed PCI compliance. You are
only allowed to collect it for a specific transaction, and are required to
forget it when that transaction is complete.

~~~
8192kjshad09-
That can't be right. I entered my credit card information once into uber eats
and I can buy food whenever without entering a CCV and my credit card is
immediately charged.

If this were true 1000s of large companies would not be PCI compliant.

~~~
JoeMalt
It’s possible to process transactions without a CVV, but it often costs
slightly more due to the increased fraud risk. In the case of Uber Eats,
they’ve presumably decided the increase in purchases from removing that
friction makes up for the higher fee.

------
tejasmanohar
Many of the rules aren't rules. We ran a travel company and used Stripe in the
past, which is also one of the disallowed industries. We got approval from
Stripe after proving that we have a negligible fraud & chargeback rate due to
being focused on business users

~~~
dotBen
This, one of the biggest blinkers technically-inclined founders have is that
they forget or ignore that so much is relationship driven.

Rules like Stripes (+ Wells Fargos) are not interpreted like code, everything
is open to negotiation and degrees of freedom depending on the relationship
established.

~~~
Nasrudith
Those blinkers are called "not being utterly insane". The whole model of
disruption is seeing a stupid practice saying. "No we aren't doing that stupid
shit." watch practicioners of the existing stupid froth at the mouth and then
either succeed or fail.

Seriously that is why honor based lending died to banks centuries ago.
Relationship driven is a fucking stupid way to do finance.

~~~
dotBen
Finance is totally relationship driven (and 'honor systems' isn't really a
good example of it). My bank waives fees on everything because of my personal
friendly relationship with my banker. They gave me preferred terms of my
mortgage rate because of my formal relationship - it wasn't just the product
of a formula at the end of the banker's computer screen.

I know they'll do all sorts of shit for me because of the hard (account age,
$$) and soft (personal) relationship.

But my point is more broad - API agreements come to mind as an example, just
because that is a space I've played in prior jobs. "But the API Ts&Cs say you
can't do _xx_ but they are doing _xx_ ". Yeah, they have a relationship and
got a dispensation.

------
__ryan__
Onlyfans is a platform for content subscriptions. It just happens to be a
popular platform for adult content.

Also, it surely makes them a ton of money.

~~~
lovegoblin
You can say this about literally anything: Pornhub is just a platform for VOD.
It just happens to be a popular platform for adult content.

~~~
__ryan__
I think that’s a stretch. There _is_ a line and OnlyFans is at the very least
_on_ it.

While I am aware of the adult content on the site, the only people that I know
of that use OnlyFans are subscribing to physical training, musical talent, or
other creative content. Unironically.

------
bokohut
As a payment processing fintech builder for several decades the many comments
about diversifying across processors is correct. The misunderstanding here for
many may be that knowledgeable business owners (merchants) always have more
than one processing account each with a different entity holding the risk,
think multiple banks. Having multiple processors, aside from the point of this
question, directly relates to up time and availability of which nearly all
rely on the "middleman" \- Have a backup! However problem businesses and their
business owners that get caught being nefarious earn a permanent place on the
card brands "list" that forbids them from taking card payments in the future.
An individual business can have multiple merchant accounts and as with
anything else once one understands how a system works it can then be
manipulated to fit ones need.

------
raxxorrax
Probably because the content is not public. I heard users just share cat
pictures, so there is plausible deniability.

------
larrik
That's a good question, since Stripe backed out at the VERY last minute for a
customer of mine who sells alcohol over the internet, despite repeated
assurances it would be fine.

~~~
edwinwee
Stripe can typically support alcohol businesses (assuming they hold the
appropriate licenses). Could you get in touch at edwin@stripe.com and we can
take another look?

~~~
ocdtrekkie
I love the subtle indication here that someone who almost certainly knows
"the" authoritative answer to this thread is reading it. Though obviously I
understand why you probably aren't at liberty to answer the question.

------
0xy
My guess is Onlyfans has a very low rate of chargebacks/fraud and negotiated a
special deal with Stripe.

The reason that rule is there is because most adult sites are dodgy.

~~~
fl0wenol
I suspect Onlyfans (like Patreon) has social pressure going for it such that
fewer people issue chargebacks because it'd be like yanking back money
directly from a person and not a faceless company; like the social pressure
against leaving a shitty tip at a restaurant.

------
hobofan
Doesn't Patreon (which also has a lot of porn content) also use Stripe as a
payment processor?

~~~
breakingcups
Patreon did crack down on some extreme content, stating they were forced to do
so by their payment provider(s).

~~~
dzhiurgis
Weird they wouldn't switch providers for specific use cases. Does Stripe
require to be exclusive provider for site?

~~~
lovegoblin
There are very few payment processors that will accept adult content, and
those that do exist (e.g., CCBill) are both expensive - on the order of 10x
the fees - and also a damn nightmare to work with.

I can _very_ easily imagine a scenario where Patreon looked at their options
and decided it wasn't worth it.

------
euix
How much of the internet traffic is actually pornography in general? I have
heard a lot of anecdotal hearsay that it constitutes a majority.

~~~
elorant
The thing about the online porn industry is that it's highly diversified which
leads a lot of people into making wild assumptions about its size. I doubt
porn traffic is that high. Stats show that one in three Internet users are
viewing porn, but the thing is that porn isn't something you can spend more
than 10-20 minutes consuming[1]. So if we say that the average user spends
some three hours online on average every day[2], then porn is about 5% of that
time. So one in three users online spend 5% of their time watching porn. In
total I'd guess that doesn't account for more than 10% of global traffic,
taking under consideration that video consumes much more bandwidth than other
forms of content.

That's all back of the envelope calculations off course.

[1] [https://www.pornhub.com/insights/2019-year-in-
review#traffic](https://www.pornhub.com/insights/2019-year-in-review#traffic)

[2] [https://www.statista.com/statistics/319732/daily-time-
spent-...](https://www.statista.com/statistics/319732/daily-time-spent-online-
device/)

------
Hackbraten
Why do you think the porn industry is prone to more fraud/risk?

~~~
tinus_hn
A man orders porn and pays using his credit card.

His wife looks at the statements and asks him what he’s up to.

He denies having made the payment so the wife initiates a chargeback.

~~~
im3w1l
I kinda wonder if it isn't the kids doing it with a parents card.

~~~
wil421
My friend and I were 13 and called 1-900 numbers back when it was popular. We
took his moms credit card and changed some numbers around. Eventually a number
we made up worked.

It was a hilarious moment but I was scared to death we would be found out.
Nothing ever happened but somebody got a charge.

~~~
saagarjha
Do they not ask for a CVV or any other verification?

~~~
soylentcola
We did something surprisingly similar once as stupid kids/teens and it was in
the days before CVV. Just touch tone to enter a card number (although we did
this little experiment from a payphone using a 1-800 (toll free) sex line).
Typically, you entered a card number after some initial "pitch".

AFAIK, 1-900 numbers only worked by billing you on your phone bill.

~~~
saagarjha
Guess I'm showing my youth, because I've never seen a credit card be used
without a CVV. And I think _that 's_ a poor security model…

~~~
wil421
It was at the end of the 90s maybe 2000. Messing with pay phones or prank
calling on one was another fun thing to do. The good numbers (1-900) didn’t
work on pay phones. ;-)

Call collect!

------
utf_8x
My guess would be that Onlyfans do a lot of fraud prevention on their end and
negotiated an exception with Stripe...

------
rglullis
Would it be possible to sidestep the issue completely?

Is your industry one that you could start pushing for cryptocurrency for
payments? You'd be basically reducing your risk to zero and by using a stable
token you would also have no volatility.

------
tyingq
Somewhat related, a story that digs into who's running onlyfans.com:
[https://forensicnews.net/2020/08/13/onlyfans-faces-
allegatio...](https://forensicnews.net/2020/08/13/onlyfans-faces-allegations-
of-fraud-theft/)

~~~
everybodyknows
> Weeks before Radvinsky purchased the OnlyFans holding company in the United
> Kingdom, he received a $250,000 tax credit from the state of Illinois. “The
> purpose of the Angel Investment Tax Credit Program is to attract and
> encourage the placement of investment dollars into early-stage, innovative
> companies throughout Illinois.”

Your tax dollars at work.

~~~
KaoruAoiShiho
You know what a credit is?

~~~
djellybeans
It only takes the word "tax" to make many people internally scream. Crude
heuristics, but hey it's human programming.

------
bravura
If anyone is interested in talking about fraud prediction or high risk adult
payment transactions, I have been looking at this space and think there are
some interesting opportunities. Email in profile.

------
mudlus
This thread is a aompelling argument for Bitcoin/LN as an intermediary--just
saying. It's getting easier every day.

Bisq for exchange will get easier over the next 5 years or so, too.

~~~
orthecreedence
It would be nice to see Bisq start to get more liquidity. It seems like a
really interesting way to sidestep traditional banking on/off ramps for
crypto. It's almost like local bitcoins with ACH.

I have to admit I don't fully understand how it handles disputes. I probably
need to look a bit closer.

------
ecommerceguy
We would use a multi-gateway round robin setup for volume over 50k per month.
I'm more than willing to point you in the right direction.

------
Sindrome
There are other payment processors other than Stripe....

Ever heard of CCBill?

~~~
rmoriz
Who is behind CCBill and what does it need to launch a competitor?

------
maps7
Probably cause Stripe likes money?

~~~
voxic11
A company I worked for tried to use Stripe but couldn't because they don't
allow "fantasy sports leagues with cash prizes". They definitely aren't
willing to make exceptions for everyone.

~~~
gowld
In practice, unregulated online gambling is much closer to fraud than porn.

------
frankdenbow
OnlyFans isnt a porn site in the same way that Twitter isnt a porn site. Many
of the high profile users are in the adult industry but people use onlyfans
for other types of content as well.

~~~
mfkp
I'd venture to say that 99% of onlyfans content (that people are paying for
anyway) is porn. Just because there's a small subset of non-porn doesn't
change the fact that they're selling access to porn. Twitter is a completely
different story as they're selling advertising, not access to nudes.

------
therealmarv
They are NOT using Stripe. Stripe has a no porn rule because they want to go
public at some time and everything needs to look clean, also on their customer
side. Also their (Stripe) backend banks don't tolerate porn.

Also there is not only Stripe out there!

Btw. you are in the wrong forum. Look on gfy.com forum for example

~~~
capableweb
> They are NOT using Stripe

Take a look at the requests their frontend is making and you'll see they are
indeed using Stripe. At least they were last time I checked.

> Also there is not only Stripe out there!

Indeed, I listed some of the alternatives in my opening question, but is
besides the point anyways, here we're discussing Stripe + OnlyFans.

> Btw. you are in the wrong forum.

Judging by the number of upvotes and comments, no, I'm not.

> Look on gfy.com forum for example

Thanks for the pointer, I'll take a look there.

