Stripe needs all that byzantine fraud prevention, on top of what they had a decade ago, because they are a huge concentrated target.
A smaller firm could be way simpler. Because they simply wouldnt have enough money to provide a decent payday for dozens of malicious geniuses going at them 24/7/365.
Is this true? I would expect most of Stripe's fraud overhead to be statutory in nature, not something they hire for because they're a concentrated target.
(They certainly have more staff because more volume, but the actual regulatory requirements I'd expect to be roughly the same for the service they provide.)
Stripe was already a big target for basically anyone and anything 10 years ago. Fake merchants, card testers, the works. People were selling guides to defraud Stripe. And we are not even counting just losees due to nonsense like the Fyre festival.
You really don't have to be that big a payment processor for dozens of malicious geniuses to decide that they want to fleece you. If anything, the ROI is better in less sophisticated companies. Most ways to trick a payment company are, if anything, standardized. The smaller company can often be attacked by just changing the API calls, but otherwise taking basically the same actions you would to try to defraud a bigger fish.
> Stripe needs all that byzantine fraud prevention, on top of what they had a decade ago, because they are a huge concentrated target.
This is not true. Every payment processor needs this effort because as soon as you broadcast that you're a payment processor you're going to get about 3-5 scammers a day.
As an aside I really think Mercury bank should audit their onboarding process.
Sure, though not every small project needs to worry about that. Perhaps the payment workflow is a tight loop that has KYC through physical memberships (ID + Photo), say a gym membership for example, and the entire system is private just needs a gateway to do transactions.
Stealing someone's identity and pretending to be them and buying a gym membership with a fake id and a stolen credit card might seem far fetched to you, but Stripe doesn't want to be on the hook for that, especially if the scammer signs up for, say, Equinox and it isn't discovered for year+.
(ex-Stripe; didn't work directly on fraud,
however)
MichaelZuo|5 days ago
A smaller firm could be way simpler. Because they simply wouldnt have enough money to provide a decent payday for dozens of malicious geniuses going at them 24/7/365.
woodruffw|5 days ago
(They certainly have more staff because more volume, but the actual regulatory requirements I'd expect to be roughly the same for the service they provide.)
hibikir|5 days ago
You really don't have to be that big a payment processor for dozens of malicious geniuses to decide that they want to fleece you. If anything, the ROI is better in less sophisticated companies. Most ways to trick a payment company are, if anything, standardized. The smaller company can often be attacked by just changing the API calls, but otherwise taking basically the same actions you would to try to defraud a bigger fish.
krainboltgreene|5 days ago
This is not true. Every payment processor needs this effort because as soon as you broadcast that you're a payment processor you're going to get about 3-5 scammers a day.
As an aside I really think Mercury bank should audit their onboarding process.
hmokiguess|5 days ago
krainboltgreene|5 days ago
fragmede|5 days ago