The second, major issue was that I had hoped, naively, that the web community will swoop in and pony up some cash.
With JS Bin, everything users need is given away and open source. That's honourable, but doesn't pay the mortgage.
He has come up with a very jaded either/or point of view. You can visit Patreon and find sites being supported by user "donations". There are sites making money on ads. There are sites making money on product sales. There are sites supporting staff from a combination of the above.
It is naïve to think "If you build it, they will throw money at it," but that doesn't mean you can either cut your own throat by giving it away for free until you feel like a chump or you can hold everything hostage until people pony up.
It's fine if you have a service that works well with a pay per use or subscription model of some sort, but lots of services are not monetizable that way. Television, print magazines, newspapers and on and on have to find ways to pay the bills using a combination of charging the end user and selling advertising and possibly other things I am not thinking of. As far as I can tell, it would not work to only charge the end user for quite a lot of things we use regularly.
The world would be a poorer place if the only services that lived were ones that charged the end user. There are some services that are just not conducive to that model.
I hope he revisits the question of how to monetize JS Bin. Do some brainstorming. Do some research. Try to figure out a monetization scheme that is a good fit for the specific service in question.
I think the best salve for this wound would be a monetization scheme that works. There are enough embittered, jaded people in the world already. We need to find more ways for people to follow their bliss and also pay their bills.
I discovered a similar problem with writing, which is that writing an email or a comment takes no time at all, but when someone is paying for what I write it takes a lot more effort. I wrote a column for a couple of years and it wasn't until the second year that I actually took my editors advice to just send her the first version and work on it collaboratively rather than try to get it perfect.
I see side projects also get bushwacked by this mental shift.
That was a good read, but there was a different mechanism at work for me. When I do something for free, and someone complains about it or finds it wanting, it does not bother me. Sort of like "Double your money back on Free Advice you don't like." But when I am being paid to provide the thing I am providing, a big sense of my wanting to make sure they are getting their value kicks in, and since I undervalue my time tremendously I try to over deliver on value. And that slows me down. Letting my editor have an early draft let her decide if there was sufficient value and on at least one occasion she took my column as written and said, "This is great, we'll have proofs ready tomorrow." Had I not sent the draft I would have spent at least another week writing and re-writing.
I guess I've just become a bit more jaded. Or maybe I always have been. I used to maintain a good amount of open source stuff, and the entitled complaints really got to me.
But if I'm being paid for something, I feel the obligation to deliver what I've promised, and I feel bad if I fall short. I do struggle sometimes with valuing my time "correctly", but overall I think I've experienced less stress building software for a paycheck vs. dealing with the (minority of) ungrateful leeches in the open source community.
Having done some voluntary work long time ago - I would say providing value to a community in any context seldom pays in direct gratitude.
In direct communication, complaints are always more likely than compliments. The value must come from somewhere else than direct feedback from beneficiaries, like observing the thing you just pulled off being enjoyed by a lot of people and being pleased of it. The corollary to this is that it's much more enjoyable to work for free in a friendly group than alone because then the company and support of peers can be an equivalent source of joy.
I suppose a lone free software project lacks these both, unless one can visualize the value by looking at the number of downloads...
Boy, can I identify with this. It can be very hard to turn off that impulse to over-deliver. It can also be hard to objectively look at your own limitations and not overcommit yourself, and hard to adjust when you find out too late you've overcommitted.
I find this so interesting as I have always felt if someone is paying me I make sure to give them exactly what they paid for and not a bit more. A market economy does not allow me generosity. When I'm writing code for myself or others the upside feels boundless as appreciation and enjoyment are much more difficult to quantify.
I worked differently as a contractor. I over-delivered by a little, especially if it was easy to do. By delivering code on time plus a feature or mockup of the next stage, I often got a follow-on contract. Its like the novels that end with "Here's a chapter from their next book!"
Regarding his fraud issue, I found that my website was being used in the same way when I added a credit card payment form. I implemented a system that first does an "Auth". If that passes, then I pass details to MaxMind and get back a response with a "riskScore". If the score is too high, I void the auth and decline the transaction. This has saved me a lot of chargeback fees, though it's still not perfect. I prefer PayPal because a "not authorized" just reverses the transaction; there is no chargeback fee.
Definitely definitely definitely use something like Minfraud from Maxmind. The cost is negligible. We set the score we block transactions at rather low, and manually approve anything over that.
It's super cheap and has saved us tons of money and headaches!
Unfortunately for merchants, no, the legal responsibility for fraudulent transactions rests entirely with the merchant.
Not only that, but processors routinely penalize merchants who fail to screen fraudulent transactions sufficiently with fines and eventually banishment from the processor.
A few processors might provide something like this as a paid value-added service, but it's unusual. The next-gen all-in-one card processors would make a lot of money if they offered this.
By "all-in-one card processors" do you mean payment gateways? The majority of them do offer built-in fraud protection, though the efficacy varies a lot. In fact, Stripe also offers it: https://stripe.com/docs/fraud
But if you think about the case he describes in the article, there is very little distinguishing a fraudulent purchase to test the validity of a credit card vs a legitimate one, unless they are completely careless and initiate multiple transactions from a russian IP, in the middle of the night.
The biggest problem is the very expensive chargeback fee from Stripe. It looks like he could avoid some of them by, for example, reporting accounts that had no activity as fraudulent and refunding the purchase before being hit with a chargeback claim, but I don't see how putting such a burden on businesses makes sense to begin with. A fee that grows in proportion to the % of chargebacks the company generates would be more fair.
risk score means the possibility of a transaction being fraudulent. here's another way you can do this for cards issued in Europe: if the risk score is too high start a 3D secure transaction. if the risk score is acceptable then start a normal transaction. a full 3D transaction will never mean it is not fraud however you will have no liabilities when a chargeback is issued by the card holder. many of your US customers, if not all, will fail to pay via 3D-secure because god knows why tons and tons of US card holders or issuing banks are not enrolled in 3D-secure system.
Visa and co. are big—really big—so I've never understood why they've not just leaned on the OS manufacturers and browser makers to provide them some form of unique, unforgeable signal to users that they're interacting with a real bank.
There could be, say, an HTML5-exposed API capable of triggering "super-modal" forms (like OS UAC does) if-and-only-if the page is being served from a secure origin cross-signed by some "Web Banking Working Group Certificate Authority" that all the banks and OS makers are members of.
The better way to do this would be some sort of two-factor thing – e.g. imagine if the physical card had the equivalent of an embedded RSA-style one-time code generator or, better, a U2F USB/NFC device – which would be resistant to UI spoofing or, in the U2F case, phishing.
Unfortunately the banks have less motivation to invest in this as long as the costs of fraud are pushed onto merchants and all of the major players charge similar fees. If something like Apple Pay starts to catch on, perhaps we'll see that change once the banks’ main concern is avoiding a single vendor getting too much market share.
Norwegian here. It's very common. It doesn't say "3D-secure" or "verified by visa", but logging in with your bank credentials (Bank-ID) sometimes feels like it's more common than not.
I'm in France -- I still see it for almost 100% of the purchases I make online if the merchant is here in France, and a decent number of them when the merchant is in the UK. The last purchase I made with my bank card that got the interstitial page was about half an hour ago.
It sends a text to my mobile for me to plug into the form to approve the txn -- thus, not like phishing in this case. But for a while this was a real nightmare because my mobile number changed, and I couldn't figure out how to convince my bank to store the new number (it turned out after many months and phone calls I was sending the requisite paper form to the wrong address for my type of account...).
in turkey, any purchase online over 300 turkish liras must be 3D-secure. all debit and credit cards issued in turkey are automatically enrolled in the 3D-secure system. all 3D-secure transaction pages are hosted by issuer banks. they send us an SMS including a OTP and we enter it on the page and that's all.
in turkey, banks automatically enroll your debit or credit cards to 3d secure networks so you don't have to do it yourself. all you have to do is to enter a one time password sent to your mobile phone during payment.
with full 3d secure payments the liability shifts to the customer and you will have no liability. because the customer verified the payment him/herself by hand with the otp.
many of your US customers, if not all, will fail to pay via 3D-secure because god knows why
As I mentioned in another reply, "Verified by Visa" is a stupid joke. Which, fortunately, I don't think I've seen anymore in at least 10 years. The paper linked in the other reply to you provides more details of how stupid this thing is.
IIRC basically the first time you encounter it you get a popup asking you to create an account. Yeah, right, I'm on some random website and I'll just start entering all sorts of security information into a popup. NOT! I did some checking when I first encountered it, and decided it was legit. But 99% of people won't. They'll just say "fuck this, I don't need this shit". They will then go elsewhere.
I encountered it a few more times after I first signed up. And it would have maybe a 50% success rate of actually "verifying" my transaction. I'd enter the information and nothing would happen.
It's the antithesis of the friction-free way that Amazon does business. I probably use Amazon once every few years but they still have all my info saved. I don't have to enter an address, I don't have to enter a CCV, I don't have to enter a credit card number. It only takes a few mouse clicks to complete an order on Amazon.
So, which payment method would the average person prefer?
I've been bugged by the "Verified by Visa" thing in the last month when trying to add Skype credit for my parents. Completely stupid implementation that didn't even work; I clicked "cancel" and my Skype transaction still went through.
> The minFraud service determines the likelihood that a transaction is fraudulent based on many factors, including whether an online transaction comes from a high risk IP address, high risk email, high risk device, or anonymizing proxy. One of the key features of the minFraud service is the minFraud Network, which allows MaxMind to establish the reputations of IP addresses, emails, and other parameters.
> it's cost me, £21.54 to allow some shithead to use JS Bin as a stolen card testing facility.
Not sure if it's standard practice, but in our case we let the users use the "free tier" service first, and we offer the paid plans only once we can validate they have a genuine interest in the product . It works well for us to avoid these cases.
That's an interesting approach, but if the "pro" features are something the user really needs, then don't you risk losing a sub if the feature is withheld until you "get to know each other?"
You could give them 15 days free use, and only charge it after that... there is a risk that the charge doesn't go through (in which case you've given a couple weeks free service - big deal), but otherwise, you've just made it much less useful for card testing (to the point that they certainly won't use your site).
Yeah, that's all of the upside and none of the downside really. Introducing ANY kind of delay between taking the order and charging the card will just about eliminate these kinds of fraudulent transactions.
Another thought I have on this is that getting the user to sign in via Google/Facebook/Twitter might help. There's nothing stopping fraudsters from having a Google or Facebook account with a dud identity, of course, but at that point it might seem much easier to hit a different business. Has anyone had any experience with this approach? Does it work?
If that works for you I'm glad, but I've had to deal with credit card fraud hitting my service, and it tends to be an arms race. There's simply too much money it for them to be deterred. If you are an attractive target it's difficult to find something which prevents credit card fraud without also hurting your business.
Like mentioned above, when you sign up with the service, you're giving the card info and then you're automatically enrolled in a 2 week trial that will automatically charge afterwords.
This should suffice. I don't think they'll wait 2 weeks for the charge to go through.
You can automate the process of disabling charges to if nothing happens. Say 2 days before the charge is about to happen, you do an automated audit of the account and if there hasn't been any activity, fire off an email stating that their trial is about to expire and they're about to get charged and you noticed they hadn't used the service yet. If still no activity when you're about to charge, then cancel charge and disable account and chalk it up as avoiding a chargeback. Make sure to email the user saying that you disabled the pro features and voided the charge as to not automatically charge them for something they're not using.
It's a win/win situation. If the customer was legit, you just saved them on paying for something they didn't plan on using, and they may actually re-enable it and start using the account because they see you actually care about them as a customer and aren't just hoping they forget about such a small charge and it goes on for years before they audit their card charges and cancel any small things.
If it's a user who was just testing stolen cards, well 2 weeks is a long time to gamble on if it's valid or not, so they move on.
Okay, say you're a US citizen building some digi service like JS Bin, and VATMOSS starts fling threats at you, for how long can you go about ignoring them? I mean 3.5k GBP and however many weekdays it took isn't exactly affordable for every small business, and if you don't even have many Euro pro-users, I don't see the cost-benefit justification of giving VATMOSS priority unless they can reach across the Atlantic.
VATMOSS is a nightmare for small businesses. I am lucky that authorities in my country decide that I can avoid it with my project (because it doesn't fit exact definition of electronic service so I can pay VAT in my country as it's a place the service is provided in according one interpretation of the new law) but they have plans to extend it and I may be forced to go through accounting hell to comply with this regulation in the future.
It's one of the most ridiculous regulations there could be. As a small business founder you are not really in position to do the accounting for it properly and most accountants here have very little idea how to prepare all the documents either. You are required to keep 2 pieces of evidence of customer's location (IP, address etc.) which you often just don't have access to in the first place (if you payment gateway provider doesn't make this information available to you).
So not only you need to find someone who knows what to do (already very hard), pay them significantly more than you would for normal accounting (big burden for small business owners and especially people who start), keep accounting information you often don't have access to, then prepare this accounting information as well (which means you spend resources for writing the scripts yourself as most tools accountants use don't track needed info).
Additionally to all of this there is no more VAT free quota for people who just start (usually there is for business who don't qualify for VATMOSS, size of the quota depends on the country).
When I've learnt about it (I started my business in 2015, the regulations started to be law Jan 1th 2015) I was really depressed about the whole thing. I was spending my days reading some contrived law and various interpretations of it instead of doing the actual programming. Nobody had answers for me (I've got different opinions from 2 tax advisors, different one from our tax office and yet different one from national tax information line) and I was just close to giving up altogether (I didn't expect my project getting as much traffic as it did and I wasn't really in position to spend significant resources for accounting when I didn't even know I would make enough to cover it).
It's a hostile piece of regulation which very severely disincentivize you from starting a business or paying your taxes properly. It only shows how out of touch EU bureaucrats are. I guess they think typical business is like Google or Amazon or something.
> I guess they think typical business is like Google or Amazon or something.
Exactly. Many in the EU imagine that "business owner" is a synonym for "evil capitalist plutocrat." For them, if you are not someone's employee, you are by definition rich. Questions of scale are ignored.
I don't think, that so many (at least educated) people in the EU believe that ... but the problem is (and I saw evidence for that again and again), that the politicians like to talk about the "Founder culture" or that they want to aid smaller businesses ... but in fact, they do the absolute opposite.
I see that, because at least in Germany (where it is very chic in the political class to talk how to aid smaller businesses and startups ...!) the tax rules are in favor of the big corporations (they have been changed in the last decades, so the corporations got better and better conditions) ... but of course this relieves for the big ones must be compensated somehow -- so the smaller companies have to pay even more taxes.
The current VATMOSS legislation is also a good example: It was announced to be a means to counter the fact that bigger corporations like Amazon avoid VAT by having subsidiaries in Luxembourg. But the biggest problems with the new rulings have now the smaller companies, that never had the chance to open subsidiaries in Luxembourg. For Amazon it is a small drawback and they may have to raise some prices -- but the troubles of other companies are tremendous.
So: The politicians are talking much about smaller companies -- but are only thinking about the bigger ones. And in Germany, many laws are even written by people from the bigger corporations.
I know two people who tried to start a business in Germany and failed, not because of the EU but because of domestic, German rules.
One tried to start some kind of innovative form of pharmacy (the details weren't clear to me), but found himself unable to join the pharmacy guild, and apparently it is illegal to start a business without joining the guild. The other tried to start a bed & breakfast business, but the 'breakfast' part was closed down indefinitely when the food safety inspection found he didn't have the right license for a Sandwichtoaster. Apparently there are different regulations for serving a hot breakfast.
Yes, all professions are regulated. Sadly this has less to do with an overzealous government and more with lobbies and accidents of history.
Guilds used to rule all professions in the middle ages and a lot of the regulations are sadly derived from that. This means you can't do certain things without the proper certifications (e.g. if you're a licensed car mechanic or "KFZ-Mechatroniker" that doesn't mean you're also allowed to do paint jobs because for that you'd need to be a licensed "Lackierer").
Likewise, pharmacies and pharmaceuticals in general are heavily regulated, especially with regard to prescription drugs. I think online pharmacies only became legal quite recently (previously most of them operated out of other EU countries, effectively creating a grey market with all the problems that entails for the customers).
What killed your friend's B & B idea was likely the strict requirements for food safety. It's practically impossible to use private kitchens to produce commercial food products and commercial kitchens have to conform to various rules (plus the employees working in them have to obtain the necessary certificates). IMO this is a good thing, but it can of course make easy things (like serving a breakfast in a single bedroom B & B) very difficult.
The huge difference between the US and Germany is that in Germany suing for damages results in compensations that are a fraction of what you see in the US. But at the same time companies are more likely to run into trouble with the authorities before they can harm you and even if you end up with permanent injuries the public healthcare covers them in most cases -- i.e. you're less likely to be harmed and the economic damage of that harm is likely considerably smaller.
But as an employer I have to say some of the regulations, laws and restrictions can be incredibly tedious and annoying. Especially if you're running a very small business.
> But as an employer I have to say some of the regulations, laws and restrictions can be incredibly tedious and annoying. Especially if you're running a very small business.
Yea. My impression is (too), that the regulations in Germany are much more harmful to smaller companies than to big corporations. As big corporation, you basically can do very, very much, without being penalized much. In Germany, you always can say, that health costs are covered by the public health insurance. So, it is common, that compensations are small fractures of that which is paid in the US or even no compensations are made.
My feeling is, that German judges are much more reluctant to rule against corporations, as long as their fault can not be proven 110% -- for common people on the other hand, 80% prove are enough most of the time (I remember, that not long ago a young girl was convicted for computer fraud, just because Siemens said, that the 4 digit PIN-system for EC cards was 100% secure -- something we soon later found out, was never true!).
In germany there is a saying: "If you work independently, you are always with one foot in jail". It is not unreasonable either, because I know of accountants and laywers (ie: people who do this all the time) who sometimes get lost in the jungle of regulations and decrees (European, National, Subnational, Communal, Branch of work, Union/Worker-regulations etc.). It is also no uncommon for some regulations, depending on the type of work, to be mutually exclusive.
I live in germany and I am willing to be independent in the mid-term (~ 2-4 years), but I have major doubts about doing it here...
Look across your north western border. Many people, especially in the tech and creative industries, work as freelancers there. As long as you have no employees other than yourself, it is made very easy.
When you look over the borders, maybe (can you be a little more specific, btw?). In Germany, being a freelancer can be a big hassle, again! There is currently again a hunt for so called "Scheinselbstaendige" (Fictious-self-employed) and when they catch you (even when you are really self-employed, they just don't agree with you) you can be held liable for it and have to pay huge compensations. It is even worse, because there are different degrees of it and the situation is every time different. So they have different ways to hold you liable for something, you have not done.
Here a link from a German organization of self-employed people that informs about the current situation and what is planned (it is planned to worsen the situation):
(sorry, only in German)
The big corporations, of course, which really use different models to betray the social system and their employed people, they have the lawyers and the tricks to come away with it. And again, they are the reason for this hunt ... because they are searching for ways to cut costs -- the state tries to close the holes that make such things possible -- but currently the only people they hurt, are those that are innocent, because the big corporations are always ahead of the game. And additionally I am not sure, if the politicians are really willing to hurt the real big players, because those have so much power -- so they merely show "actionism" and make laws that are ineffective or even hurt innocent people.
At the end (if by intention or just stupidity), they hurt the country ... but we Germans still vote for those people!
I thought north western border was specific enough. It's a smaller, less formal, less regulated copy. The only difficulty I can think of is that you have to prove you worked for more than one customer during a fiscal year if you want to make use of the tax deductions for the self employed.
I never was that good in geography. I can only think of the Netherlands or Belgium.
One fiscal year can be very short in the IT sector. In some cases, you need halve a year to get to know the complete topic.
According to the link I have given, at least in Germany the situation is now such, that even when you have more than one customer in a year, you can be accused to be "Scheinselbstaendig". The offices just search for evidence that you might be, but not for evidence that you are not. One such evidence for "Scheinselbstaendigkeit" can be for example small investment needs ... something you typically have in the IT sector as freelancer ...
It seems that the new law in preparation shall codify this practice.
But of course, when the situation is better e.g. in the Netherlands, it could be worthwhile to work there. But (since I already thought about that possibility) would it also be possible to do so without moving there and still earn the benefits?
>I guess they think typical business is like Google or Amazon or something.
I guess, that is all they want -- and it very likely could be, that this is all they will get, when they are not stopping this. The EU is about to kill inventions in the online business. With this kind of regulations, the EU will become a dessert with the Amazon's and Googles ruling over it.
But I think, many big systems tend to go in this direction: The dinosaur corporations are going to win, because after the day, they can change the rules to their favor and the small businesses are going downhill, because they are to small to be recognized -- but those are those that innovate. And remember: Google and Amazon once also started small, but those where the days, where the focus of the big players where mostly elsewhere.
The intention with EU regulations like these is usually to prevent a 'race to the bottom' as they call it. They're turning the EU into a common market without internal trade barriers, but when you do that, what happens when one country has a VAT of 15% and another of 25%? Businesses that can move, will move (administratively) to the 15% country, forcing all countries to lower their VAT to the lowest level. You can argue that this measure isn't working, or that the cost outweighs the benefits, but I don't think it is regulatory capture. Brussels is really trying to minimize the impact of the common market on member states' domestic policies.
Regulatory capture is almost always given some reason behind it. As such when determining if something was regulatory capture, the stated reasoning behind it is ignored, which is why I was asking to what extent did multinational organizations influence this decision.
It's difficult to see why the EU would try to favor large, usually American and Asian tech giants like Amazon, Samsung and Google versus local startups through tax regulation. The most likely explanation if you ask me is that the motivation behind VATMOSS is exactly what it says on the tin: harmonization of the common market without forcing every member state to adopt the same domestic policies.
The dynamics are different in the decision making processes in the EU. None of the commissioners are elected, they don't have campaign funds to worry about, so there is no legal veneer for corporate 'lobbying' as you would call it. I can't tell you for sure that it doesn't happen, but it can't happen out in the open as it would be considered corruption, and illegal.
The problem instead is that the commissioners are put forward by the (elected) governments of member states, so there is always the danger of them either deliberately or unwittingly favoring their national interests, and it makes them potentially vulnerable to domestic political pressure.
>It's difficult to see why the EU would try to favor large
It is just as difficult to see why the US population would support laws that favor massive companies at the cost of the general populace but they still do. Large companies have no nationality in the realm of politics.
Can't you just assume the highest tax rate and pay that on every sale so you don't have to guess the country? Seems like it would save everyone money for a small business like this.
Depending on the kind of service, a good solution is to use a third party provider that handles VAT payments for you; FastSpring, for example: http://www.fastspring.com/vat
(disclaimer, I am a happy FastSpring customer in the US, but have no other relationship with them)
I've had maybe one or two chargebacks that made it past their filter in the ~three years I've been with them, and I don't remember having to pay any extra fees for it.
It sounds like a part of OPs issue was not the "cost" so much as trying to do to much himself, which ended up being costly.
Another +1 for FastSpring (happy customer from Australia here). This is exactly why you would use such a service, even though it takes a higher percentage cut. It's worth it for reduced tax hassle & improved fraud screening. If they detect fraud on one customer's site, they can block the card for all their customers.
I love Fastspring but they're not the only game in town. I used to use Kagi, and Avangate & Cleverbridge are two other companies I've heard of. There's lots of them out there.
I think the obligation to pay customers' VAT goes back way before VATMOSS. That said, I think you've answered your own question. Unless you're at a size that would be drawing attention, it would be logical to ignore this if you're not in the EU.
> I think the obligation to pay customers' VAT goes back way before VATMOSS.
Yep, VOES was put in place in 2003 and that was a simplification, before that businesses were supposed to register themselves with each country's tax office and fill VAT everywhere. For non-EU businesses VATMOSS mostly updates the scheme: register yourself in any member state and use their MOSS portal as a non-EU business, the tax office is supposed to redistribute VAT based on your fillings.
The business also has the option to forego MOSS/VOES and register itself in each country of course.
A business outside the EU has no obligation to do anything, unless it makes itself subject to EU jurisdiction. Just as you don't have to collect US state sales taxes for any US state unless your company has a legal presence in that state.
That doesn't help you if you're in an EU country, of course.
I have a complex notice written entirely in Spanish that I can't understand, but which with the help of Google translate I have decoded to indicate that some 100 odd euros is being withheld from me as the customer paid for my services and has voluntarily paid some kind of tax on my behalf. I am sure with sufficient effort I can probably find a way to get that 100 euros refunded, but boy, it sure aint worth my time. But I mention it because while you may have no obligation to do anything, you can find oneself in this "withholding" situation if you don't.
I suppose that's a good point - it would be a remarkably well executed scam, since it had all the account numbers, and details that I use with that client, as well as the actual amount from the invoice I sent them, printed on it. I didn't hesitate to believe it at the time.
This is correct. Our payment provider GlobalCollect has passed us on a court ruling from Netherlands to state we don't need to pay any VAT since we're not physically there, even though we do sell there. A lot of payment processors like FastSpring, Avangate and Cleverbridge act as resellers for your products and are therefore obligated to charge and pass on VAT even if your company is not located there.
You only needed to register in different countries once your sells to them are above a quite hefty limit though so when you started you just paid VAT in your country and that was it. (I am talking from EU citizen perspective)
Please, please, anyone, if you are getting started in online payment processing, don't do it yourself. Use a service that already handles the VAT and fraud detection issues.
Then, when you've proven your product, and got substantial sales, you can write your own. Maybe.
The author of the article spent weeks and thousands of euros to implement a payment system. And yet he had only a handful of customers.
Well, he used Stripe, so he didn't write his own. Personally I wasn't aware that there was such a high fee for a chargeback. Is that because Stripe doesn't handle fraud well?
Seems like most of his time was spent dealing with tax issues, which you'd have to do regardless of how money is actually transferred.
Good point. I consider using Stripe a "do-it-yourself" solution, which requires manual coding. As far as handling EU VAT, Stripe offers nothing, and you need to manually implement this.
I meant that you should use a service last FastSpring or Avangate initially, which require no coding, and completely take care of VAT.
I don't know about Braintree, but I can report that for my SaaS app (https://www.wisecashhq.com, currently priced in $ but France-based), I used Recurly (https://www.recurly.com) which handles EU VAT very nicely (including VAT changes happening in 2015).
I use them together with Stripe as my gateway, it generates proper invoices and applies the rate of the buyer's country unless a valid VAT number has been provided. They also provide a stripe-like js library so that the credit-card number doesn't go through my server.
With regard to VAT MOSS report, they do most of the checks, I only wrote a little ETL script using http://www.kiba-etl.org/ to create a break-down of the related amounts for each quarter and each country, which I then submit manually to the VAT MOSS French website.
So in my case, this is fully automated, and I'm pretty happy with this :-)
We use stripe for egghead.io and process lots of payments. Chargebacks happen, but it isn't terribly significant for us. Our subscription fee is higher, so perhaps that helps.
Not much choice here (Poland). You can use payment gateway (say PayPal) but no luck with VAT and ridiculous VATMOSS regulations like being required to keep 2 pieces of evidence of customer location (say address and IP) which for example PayPal doesn't give you access to (you only go the address).
I use PayPal for donations to an F/OSS project (which are subject to VAT in my country). This is how I "solved" the VATMOSS problem:
1. Generate different PayPal buttons for different countries (depending on IP). The country of the IP is included in the receipt. Currently I only have Sweden and "other".
2. For other countries, I'll manually ask the user to confirm the transaction (the intention is to make it count as a manual transaction, so I can simply use 25% VAT of my country). If the user doesn't respond I'll have to issue a refund.
Foreign users are _very_ uncommon in my case, so it works for me (my software is specific to my country anyway). I'm not even VATMOSS registered, only VAT registered.
We use http://paddle.com (they're based in UK) for payment processing. They take care of VAT and fraud prevention. There's no need to implement these services yourself.
Following the bliss isn't supposed to pay the bills.
Following the bliss increases skill-sets, creates necessary connections between persons, and gives the bliss-seeker an out. Out is good.
The bliss is not the means to an end. The bliss is self serving and self improving, while also finding an escape from the daily grind and its deleterious effects.
Follow your bliss, by all means. But, at the same time, realize that it's not the end goal. You're not learning programming to make money. You're learning programming because you enjoy it, and or it increases your skill-sets.
Also, programming isn't bliss. Programming is an addiction. It's a sometime beneficial addiction, but an addiction nonetheless. Something to consider.
If you're dedicated enough to follow the bliss, it will pay your bills, and also do the other things. If you have failed personally, please don't discourage others.
Programming can be bliss, at least seeing the results. I mean, why else would anybody program? Just for the money?
Then, I would recommend, through experiences of doing what I dont love long enough, to reconsider what is more important, money or doing what you love. Of course, sometimes it can be just the money, or the learning, or working with a great team, but to recognize when it turns into a struggle and just drains our energy is something that is important.
Working with software, it is such a toll on the mind and the body, that doing it just for the money seems really pointless at least for me.
But I understand that this realization may come through only going through enough work that is not really fulfilling us inside on a deep level.
On a superficial level programming can be good just to gather resources, but is this really the best we can do? I mean, what if Elon Musk, Nikolai Tesla, Newton or other brightest minds would just worked for money ? Would we have the inventions we have today ? This is my point I want to remind people everyday.
I have worked for 5 years (3 of those fulltime, and so that I have always managed) on a project (http://GeoKone.NET and now http://Geometrify.net) that is the product of my pure love, and at times it has been difficult, yes, eaten a lot of porridge during those days, but the Universe has a way of supporting those who really want to help others, and to provide something to support others in their quest too!
But you have to give back something too in order for it to work. I think this is also a big problem in our society right now, not giving back, but just gathering resources for selfish uses, like many big companies do.
This is why I am reminding to really think about what we are putting our energy into.
How would the EU enforce VAT requirements on an online business based in the U.S.? If I have an online business in the US and no presence in the EU and no intention to ever go to the EU, I don't have to charge VAT, right?
Correct. In theory if the project grew large enough (as in "billion-dollar industry"), the EU might start attempting to control it or block it, or attempt to regulate transactions involving it under the auspices of import/export/tariffs, but in general the EU (or any non-US company) has no jurisdiction to impose taxes on a US company. (Nor does the US have jurisdiction to impose taxes or regulations on an EU company, for that matter.)
EU thinks you have to pay VAT if you sell to European countries of course (otherwise it would be unfair competition vs European businesses) by means of VATMOSS but I am not sure if they have any way to enforce or if they could have any kind of jurisdiction over you.
Remy, I'm sorry. JSBin is my favorite live JS environment, and I use it several times a week, and I haven't paid a thing. That's not fair to you.
I'm also sorry that I haven't sent the emails that probably still sit in my drafts folder, because I think that the JSBin genre of software development tools has a very bright future - and I encourage you to not give up.
For now, is it at all possible to just send you $100 via paypal?
This is why if any of my personal projects go anywhere they'll remain free while they are in my hands. They can act as a portfolio ("look what I've done, aren't I clever") for when job hunting but I'll not even try make money directly from them even to cover costs.
If they become worth charging for then someone can buy the rights from me and run it. Yeah they'll take the lion's share, but also all that hassle and I can still have credit for having created the thing in the first place. This is assuming that whatever project I'm talking about isn't released F/OSS of course, at which point if there is any sort of demand someone will already be hosting an instance or few.
If the costs of running one of the projects gets higher than pocket money and no one else wants to run it? It either stops taking new users or is otherwise rate limited, or gets turned off completely, or in the case of a F/OSS project my instances become "friends and family only" and others can host their own.
My side projects are just that: personal time projects, either just playthings or intended to grow my experience in something. They are not second jobs and I wouldn't want them to become so.
Similarly I'll be careful not to include any features that can send mail or SMS, or call other sites, in a publicly addressable service that isn't locked to F&F-only. I don't want the faf of accidentally becoming a spam source due to a silly bug in my code or some support library I happen to be using.
This is why Amazon DevPay(?) exists. You ship software, and Amazon directly bills your customers for the AWS usage. you don't have to get into the AWS-reselling business just because you wrote cloud software.
Sellers of Amazon DevPay applications must be able to do business in the
United States. Funds earned through the sale of Amazon DevPay applications
can only be withdrawn to U.S. bank accounts.
Q: How are taxes handled?
Amazon DevPay does not provide tax collection services for you. You are
responsible for paying the appropriate taxes (local, state, federal,
etc.) as applicable.
"Amazon DevPay removes the pain of having to create or manage your own order pipeline or billing system, which is traditionally a challenge for online subscription services or applications running on demand."
This was a great read. The VATMOSS stuff was especially scary. I don't understand why there isn't a lower bound on how much money you have to make before you have to worry about bureaucracy like that =/
Monetizing foss projects is hard. It's funny... at this very moment, in another corner of Github, there are people fighting against ads being introduced in Flyspray, a self-hostable gpl issue tracker. There's good discussion in the commit and it's a perfect lesson in how not to monetize FOSS projects.
This is incredibly interesting and something most pet-project hopefuls don't even consider. Building the project is the easy part, what comes next is where things sink or swim.
If $6 is too cheap and encourages fraudsters to test credit cards on your service because banks don't get concerned about transactions at that cost, how much should he have charged at a minimum? $10 $20?
I wondered that myself, especially since it doesn't have to be more expensive to the end user. Instead of selling them 1 month for $6, sell them 12 for $72 or some such, or make them buy a minimum of 10 accounts to get a monthly rate.
Yah, I know the trend is to do a bunch of little micro payments, but its not like you can't do the math for them an say "$6 a month" then when they go to order it, limit the minimum number of months in order to increase the total.
Fraudster doing credit card tests is something that happens everywhere. This is not specifically related the the type of service or to the amount charged.
Everything < 50€ / $50 / £40 will hardly trigger any security measures.
but then doesn't that require you to hold onto the credit card details to process two weeks later. One of the attractive features of stripe is that you don't store cc details on your system but rather they get passed on directly to Stripe. if you implement a delay, you have to hold the credit card to charge later
so after you charge the card two weeks later, the transaction still gets completed unless you've somehow figured out during the two weeks how to determine whether \the attempt was fraudulent. I don't think this strategy will work because it will depend on the fraudsters knowing that the payment won't be processed for two weeks and then deciding it's not worth it. Are they going to read the TOS?
JS Bin is a service that appeals to techies. As such, it should see moderate success accepting Bitcoin! Bitcoin transactions are non-reversible, which would solve the fraud complications.
I could see the location information being supplied using a Bitcoin service provider (Coinbase?), but whether it is accepted as "proof," is questionable.
A couple percent at most. I think companies who've implemented Bitcoin payment have seen a 1% or less. A good number of those would have been customers anyway.
I love Bitcoin and use it a lot, but the truth is, this likely wouldn't do much for jsbin.
> I can't win the complaint. The card was stolen, the £6 belongs to the original card owner, no question.
This is so wrong. Business owners, on average, have little to no information or power to deal with this. The only agencies that have ultimate ability to deal with fraud are the card issuers and banks. IIRC, it was Bruce Schneier who first clearly articulated this for me. By placing all fraud risk on the issuers, they're fully incentivized to fix the problem as well as possible.
But instead when small (or even large) business customers are subjected to ridiculous fraud charges as described in Remy's article, fraud is transformed into a kind of externalized cost imposed by these same issuers.
But it's not in the interest of Stripe et. al. to subsidize fraud. The fact that they have the penalty set so high is because they don't want services like JSBin acting as basically defrauded card authentication gateways (as a side effect of their legitimate business).
Unfortunately for Remy Sharp, he built a fraud enabling system that doubled as a pastebin, and the financial system responded as appropriate for an open fraud portal. It's a bit like calling foul when email gateways start mistrusting your server because it's a proven open-relay node for spam. Not fair, but the system has to protect itself and its users.
Yes, paypal seems to have very good fraud detection. I've been using them for the last 9 years for mostly $10 transactions (about $30k a year or so) and I don't think I've had a single fraudulent transaction in that time. Before paypal I used worldpay, and although their support is infinitely superior (paypal's support sucks balls), I did have a few fraudulent transactions a year.
Also, paypal's refund fee is just $0.30. (Not sure if it costs any more for a chargeback).
I pay for Gmail, because I need real business email accounts.
Did I get lucky with being one of the early Apps for Your Domain users? We don't pay a bean for our company's Gmail accounts but seem to get most of the features (no ads, custom domain, etc).
You've been grandfathered (i.e. you got lucky and Google decided to uphold the original terms you signed up on).
Frankly, as a European I don't find the paid version worth the price tag (which can be hefty if you have a lot of freelancers working for you). Yes, it's Google Apps, so if you use the entire stack you can avoid the cost of a lot of additional services, but at the same time that means you need to be okay with storing all your confidential data with Google.
But for me the deal-breaker was the way e-mail accounts work when using the same Google Apps for Business account with multiple domains. At least when I evaluated it, there was no way to define aliases per-domain. So if you add both domain-a.example and domain-b.example and want contact@domain-a.example to go to a different person than contact@domain-b.example -- no dice. Also if you want to be able to receive e-mails on firstname.lastname@domain-a.example but not firstname.lastname@domain-b.example, again: not a chance. I'm not sure whether this has changed since then, but this is why I took my business to Fastmail and other isolated services.
Good read, but I wonder why didn't he hire a tax advisor to deal with VATMOSS? It's usually not that expensive even if you are not doing revenue, and unless you are in the business of taxes there's little to gain in doing it yourself.
The VATMOSS rules mean that you need to collect, verify and store a bunch more info than previously: You need to be able to show evidence for the country the buyer is in, and check that ip address, address, credit card, etc match. It sounds like the cost came from the software development required to put the infrastructure in place to adhere to this and so wasn't something an advisor could help with.
With it being a new rule, there was very little info about the penalties for not complying. The penalties for normal UK VAT are only proportional to revenue, so not much risk for small companies getting it wrong. It wasn't clear that this was true for VATMOSS and so there was fear amongst even tiny company of big penalties for getting it wrong.
We went through the same worries last Nov/Dev, but were lucky that our billing provider dealt with adding in all the required logic. (Shout out to Recurly!)
There are various attempts, but currently no one - especially not HMRC - has any idea how to handle VATMOSS correctly.
I've heard a few stories about small businesses suddenly getting demands for thousands of pounds (etc) after only a handful of transactions.
But what I suspect will happen is that HMRC will realise that chasing and fining microbusinesses for non-compliance is a complete waste of everyone's time. They won't bother unless businesses are being obviously, blatantly fraudulent - and considering how short-staffed they are, perhaps not even then.
It'll be similar to the EU's legislation about cookie notices, which created a big initial compliance explosion, but now seems to be being quietly forgotten.
The UK is lobbying hard to set a minimum threshold for VATMOSS. It will take a few years for the idiot lawyers in Brussels to catch up, but even though some member states seem to think VATMOSS is a good thing, common sense and experience will prove that it's utterly unworkable and destructive in its current form.
The stories you heard may have been due to the Irish fuck up a month ago. The Irish tax authorities mistakenly sent out a couple thousand notices claiming completely bogus deficiencies. More info here: https://news.ycombinator.com/item?id=10083238
Germany and one or two others have also sent deficiency notices to UK sellers. The UK tax authorities have complained about that, saying one of the main points of the VATMOSS system was that sellers would only have to deal directly with the tax authorities in their country. If Germany, for example, thinks a UK seller underpaid for VAT on German customers, the UK's understanding was that Germany was supposed to bring that up with the UK tax authorities, and they would be the ones to get it straightened out.
Yes. I've been researching this in recent weeks, and have found several operators that build on top of Stripe and PayPal, in various ways, to handle the VATMOSS burden.
Without offering any recommendation for them, here are two I've investigated:
I know PayPal isn't popular but it's by far the easiest way to accept payments online that I've found. You don't have to live in the US,Canada or EU, which is a weakness of all the new services like Stripe and every other startup promising to "fix payments". I set it up for my small business years ago with no coding or worrying about weird tax rules and it just works. I process each payment manually so there's a bit of a delay for the customers but I've never had a chargeback although my prices are a bit higher.
The main drawback is customers think they need a PayPal account and nobody wants to open one - for good reason. The payment page has a dark pattern that makes it look like you have to sign up to pay by credit card.
I can totally understand. I just read through each post and I can relate to pretty much every point.
For searchcode I have not implemented paid accounts though I have considered it for a while. This post pretty much confirms for me that it would be a bad idea. searchcode also gets a lot of abuse, particularly to the API's (millions of requests) and though hot-links. I think the worst part for me though is the constant takedown notices. Most are nicely worded emails, but quite a few have been very nasty threatening legal demands.
I haven't lost my love for my side project yet and the ad's that are running at least cover hosting costs. Really looking forward to the next part in the tale.
There is a need for services that can let indie developers do what they do best, and handle all the admin, business, marketing for them for a significant % of revenue and % of ownership earned over time.
Reading this stuff makes me glad my side projects are all native apps sold through app stores. No servers, no payment processing, little upkeep; once you're done, you're done.
Honestly, his target users are those who needs a free place to try out web coding, which means many of his users are likely not well off enough to be able to want to throw money at something that they get the full use out of.
I won't say the thing is bad, but the business behind it is bad. Got to have a viable targeted userbase as the core, and handle any new userbase as they come in.
Hope you got my point. The above are only meant as an example.
Main idea is to cripple* the free tier enough to push a chunk of current users from free into pro. Some will leave but you don't want them anyway (they will never pay).
* how exactly cripple? This is the product design / product-market-fit stage work that was skipped when building jsbin.com
Free products need to have a way to lock users in. It's not evil or unethical - In fact, it's the opposite;
if you don't lock your users into your free product, your competitor will lock them into an expensive alternative which will give them less
flexibility.
The credit card problem is quite easy to solve: allow a few months of free "pro" functionality upon signup, and then allow users to upgrade. During that period of time, you can also track whether they actually used the service at all.
But then you'll have people creating new accounts every time the trial ends, instead of paying! The sweet spot is probably 24 hours. Too long for a fraudster to wait around, and too short for people to bother making an account every day for pro fuctionality.
> But then you'll have people creating new accounts every time the trial ends, instead of paying!
These would be malicious users. Both words are significant here. People using the service just to check credit cards are malicious, but not users. Free users are users but not malicious.
I think for most services, the set of actual malicious users—people who do want to use the service for its intended purpose, but don't want to support it—is fairly small.
Every single dev group I've worked with has been too cheap (as individuals) to pony up for things $50-100 for jet brains software (pycharm and rubymine) and instead waste hours thinking up ways to change a license file or register with a different email.
I would never sell a product to devs. They don't know how to value their time. Which is odd considering we're in the business of automating other processes.
Yeah and if heavy users want to constantly deal with changing email addresses and moving accounts just to get out of it. Like you said is few. Let them be? It's likely they generate word of mouth and other value being invested enough to go thru the hassle.
>Like you said is few. Let them be? It's likely they generate word of mouth and other value being invested enough to go thru the hassle.
This sounds a lot like the arguments piracy apologists use. A lot like the arguments people looking for free web design use. I am very skeptical whenever anyone asks for anything to them for free now because it will somehow (nebulously) come back to me later in a good way.
I think he's just thinking about it practically. Its potentially not worth your time and effort as a business owner to go after that tiny minority who abuse the free trials.
Yes and no. If you have a physical presence in an EU state, that one will probably get you for tax fraud. If you have sufficiently high transaction volume they might find another way.
I have never heard of it happening, but theoretically any member state in which you sold can start a criminal trial against the responsible persons, making travel to Europe a bit more complicated.
With JS Bin, everything users need is given away and open source. That's honourable, but doesn't pay the mortgage.
He has come up with a very jaded either/or point of view. You can visit Patreon and find sites being supported by user "donations". There are sites making money on ads. There are sites making money on product sales. There are sites supporting staff from a combination of the above.
It is naïve to think "If you build it, they will throw money at it," but that doesn't mean you can either cut your own throat by giving it away for free until you feel like a chump or you can hold everything hostage until people pony up.
It's fine if you have a service that works well with a pay per use or subscription model of some sort, but lots of services are not monetizable that way. Television, print magazines, newspapers and on and on have to find ways to pay the bills using a combination of charging the end user and selling advertising and possibly other things I am not thinking of. As far as I can tell, it would not work to only charge the end user for quite a lot of things we use regularly.
The world would be a poorer place if the only services that lived were ones that charged the end user. There are some services that are just not conducive to that model.
I hope he revisits the question of how to monetize JS Bin. Do some brainstorming. Do some research. Try to figure out a monetization scheme that is a good fit for the specific service in question.
I think the best salve for this wound would be a monetization scheme that works. There are enough embittered, jaded people in the world already. We need to find more ways for people to follow their bliss and also pay their bills.