# Who uses Stripe for payments? Beware, they seem to not validate cards.



## drmike (Oct 28, 2013)

Who around here is using Stripe (stripe.com) for card transactions?

Beware, while Stripe claims PCI-compliance and to be all secure, they fail to even do basic live authentication on accounts presented.

I would say no way, not true, had I not seen 4+ examples of this utter failure this morning.

The examples all involve major credit/debit cards that were stolen, and previously known and reported to be stolen.  We confirmed this by actually reaching the account holders.

Stripe rubber-stamped the transactions as valid and fine to deliver services to.  Only the good eyes of one company owner caught the oddness after a flurry of orders in the same geographic area (state) and with similar account abnormalities (all-CAPS use on the same fields).

If you are using Stripe, it is time to audit your transactions.

Original thread with more details --> http://vpsboard.com/topic/2396-whmcs-exploit-involving-stripe-payments/


----------



## WebSearchingPro (Oct 28, 2013)

The bad thing is, if Stripe gets a chargeback there is a $15.00 fee, which essentially wouldn't have happened if they could verify stolen cards...


----------



## rds100 (Oct 28, 2013)

I wonder, how could transactions go through with known stolen cards? Don't the banks block / cancel these cards if it's known they are stolen?


----------



## WebSearchingPro (Oct 28, 2013)

rds100 said:


> I wonder, how could transactions go through with known stolen cards? Don't the banks block / cancel these cards if it's known they are stolen?


My guess is they pre-process the transaction, then they find out later it's a bad card and charge a fee to the seller.


----------



## Patrick (Oct 28, 2013)

They do an authorisation for a small amount like £0.1 or whatever to verify CVV/AVS then if it passes it charges the actual amount.


----------



## shovenose (Oct 28, 2013)

We use them and never have had any problems or disputes/chargebacks.


----------



## KS_Phillip (Oct 28, 2013)

shovenose said:


> We use them and never have had any problems or disputes/chargebacks.


We've only had a single chargeback, which we contested (and won).  No other issues thus far with stripe


----------



## concerto49 (Oct 28, 2013)

We have Stripe but haven't started using it. Was just going to.


----------



## drmike (Oct 28, 2013)

I am utterly dumbfounded how the transactions were authorized by STRIPE.

I made a recommendation to push on Stripe about these and get an answer.   Since Stripe has no phone and sticks you in e-ticketing hell, who knows when/if a response will be coming.

Stripe had better come clean on this and why they rubber-stamped fraud transactions.   Hitting sellers with fees?   If that happens, Stripe is going to get smashed.   Almost certain they are violating multiple regulations based on this... Ho hum...


----------



## Damian (Oct 28, 2013)

I *was* trusting that Stripe were authenticating/validating transactions, until this happened:

Since the best response that they could give me that their system allowed the same person to use four different cards in eight minutes was "sorry!" and still charge me a fee, I now look at Stripe transaction records every day.


----------



## SkylarM (Oct 28, 2013)

I had a similar issue as Damian. They basically claim no responsibility for fraud checks, even though they run their own. The fee sucks; PayPal doesn't charge a fee unless you fight a CC dispute and lose. Stripe just tosses on a hefty fine just because they can and says "You should have better fraud protection methods!" when the stuff they run isn't totally great either. We go through all orders more closely as a result.


----------



## drmike (Oct 28, 2013)

^--- that's scary Damian.  Thanks!

More evidence to support auditing Stripe payments and holding accounts for manual approval when Stripe is payment method.


----------



## DomainBop (Oct 28, 2013)

INIZ said:


> They do an authorisation for a small amount like £0.1 or whatever to verify CVV/AVS then if it passes it charges the actual amount.


The small amount was $1.62 when I paid an invoice last week with Stripe (temporary authorization, disappeared the next day)



Damian said:


> Since the best response that they could give me that their system allowed the same person to use four different cards in eight minutes


Most merchant accounts (at least the better ones) offer rate limiting fraud filters that allow the merchant to limit the number of transactions that can be submitted per IP per hour  (something like AuthorizeNet's IP velocity filter: http://www.authorize.net/support/CNP/helpfiles/Tools/Fraud_Detection_Suite/Transaction_Filters/Transaction_IP_Velocity_Filter.htm )?
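Added here as an example of the kind of velocity filter described above; it is not code from the thread, from Authorize.Net or from Stripe. It runs on the merchant's side before a card is ever submitted to the gateway, counting attempts per source IP inside a sliding window and, separately, the number of distinct cards tried from that IP, which is the shape of the four-cards-in-eight-minutes run Damian describes. The attempt log and timestamps are constructed for the example; the card fingerprint is assumed to be an opaque token (such as the gateway's card fingerprint), never the card number itself.

```python
from collections import defaultdict, deque


class VelocityFilter:
    """Sliding-window counter of charge attempts per source IP.

    Two limits are enforced inside the window: total attempts from the IP
    and distinct cards tried from it. The second is the one that catches a
    card-testing run, where a fraudster cycles through stolen cards to find
    one that still authorises.
    """

    def __init__(self, window_seconds=3600, max_attempts=5, max_distinct_cards=2):
        self.window_seconds = window_seconds
        self.max_attempts = max_attempts
        self.max_distinct_cards = max_distinct_cards
        self._events = defaultdict(deque)   # ip -> deque of (timestamp, card_fingerprint)

    def _prune(self, ip, now):
        q = self._events[ip]
        while q and now - q[0][0] > self.window_seconds:
            q.popleft()

    def check(self, ip: str, card_fingerprint: str, now: float) -> tuple[str, str]:
        """Record one attempt and return (decision, reason).

        card_fingerprint must be a non-reversible token for the card (for
        example the gateway's card fingerprint), never the PAN itself, so the
        filter's state holds no cardholder data.
        """
        self._prune(ip, now)
        q = self._events[ip]
        q.append((now, card_fingerprint))   # rejected attempts count too
        distinct = len({fp for _, fp in q})
        if distinct > self.max_distinct_cards:
            return "reject", f"{distinct} distinct cards from {ip} in {self.window_seconds}s"
        if len(q) > self.max_attempts:
            return "reject", f"{len(q)} attempts from {ip} in {self.window_seconds}s"
        return "allow", "within velocity limits"


def run_demo() -> list[str]:
    """Constructed attempt log: one address cycles through four cards in eight
    minutes (the pattern Damian describes), a second address places one order."""
    vf = VelocityFilter()
    t0 = 1383000000.0   # constructed epoch timestamp, late October 2013
    attempts = [
        ("203.0.113.7", "fp_card_a", t0),
        ("203.0.113.7", "fp_card_b", t0 + 120),
        ("203.0.113.7", "fp_card_c", t0 + 300),
        ("203.0.113.7", "fp_card_d", t0 + 480),
        ("198.51.100.2", "fp_card_e", t0 + 600),
    ]
    return [vf.check(ip, fp, ts)[0] for ip, fp, ts in attempts]


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

The third and fourth attempts from the first address are rejected on the distinct-card limit even though the total attempt count is still under five; a filter that only counts attempts per hour would have let the whole run through.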


----------



## XFS_Duke (Oct 28, 2013)

I used Stripe for about 2 months. Had 3 chargebacks and I disputed them. I won them, but for some reason they still keep trying to take the money BACK out of my account... What they keep saying is that "we have money waiting for you but we don't have a valid bank account." I told them, yeah, that is because you keep trying to take the money OUT of my account instead of putting it back in... So far, I was only out a little money, but I have since moved to Authorize.Net... Much better, slightly higher fees but oh well.


----------



## notFound (Oct 29, 2013)

Honestly, I've never actually looked at my Stripe log since the first live transaction. I did notice that the verification didn't matter as in the name was different etc., good thing I only allow select clients to use it otherwise it'd be a disaster.


----------



## drmike (Oct 29, 2013)

So, this morning was talking to a seasoned provider about this issue.

*FOR THE RECORD* historically I've only dealt with real merchant accounts I've negotiated with large banks and require proper credit worthiness and are regulated fairly heavily.

Take on the Stripe situation seems to be much like all other payment gateways --- PURE SHIT.

They aren't validating the accounts per se.


Transaction goes through the modulo 10 checksum,  then pre-auth transaction against the account.   They use the pre-auth to levy a charge against the account to prove the account is valid.  Pre-auth later is removed/reversed and actual charge is pushed through.

That sounds great, but the breakdown in yesterday's instance is that the accounts were stolen and long ago flagged (i.e. yesterday wasn't the first day of fraud against these accounts).

Belief is the account issuers allowed the transactions.  That part makes little to no sense.

It was said that other payment gateways would likely have handled these transactions the same way.

Problem here is this isn't complex fraud.  It's very simple.   Same thing could happen with every credit account ever stolen, and en masse.

Now the approach should be to let one of these accounts through and see what they use the service for and monitor the activity entirely.  Bound to be the DDoS folks and/or spam operators.
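The "modulo 10 checksum" step in the flow above is the Luhn check. The following is an added example, not code from the thread or from any gateway, showing exactly what that step does and does not establish: a number passing Luhn is merely well-formed, and anyone can produce a passing number from an arbitrary prefix, so the checksum says nothing about whether the account exists, is funded or has been reported stolen. The sample numbers are publicly documented test card numbers plus one made-up checksum-valid number.

```python
def luhn_valid(pan: str) -> bool:
    """Return True if the card number passes the Luhn mod-10 check.

    Spaces are tolerated; anything else that is not a digit fails. Lengths
    outside 12-19 digits are rejected because no card scheme issues them.
    """
    s = pan.replace(" ", "")
    if not s.isdigit() or not 12 <= len(s) <= 19:
        return False
    total = 0
    # Walk right to left. Every second digit (counting the check digit as
    # position 0) is doubled, and doubled values above 9 have 9 subtracted.
    for pos, ch in enumerate(reversed(s)):
        d = int(ch)
        if pos % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def luhn_check_digit(partial: str) -> str:
    """Return the single digit that makes partial + digit pass luhn_valid.

    partial must be digits only. This is the attacker's view of the checksum:
    from any prefix a passing number follows in constant time, so "passes
    Luhn" carries no information about the account behind the number.
    """
    total = 0
    # The check digit will sit at position 0 once appended, so the last digit
    # of the prefix (position 0 here) is the one that gets doubled.
    for pos, ch in enumerate(reversed(partial)):
        d = int(ch)
        if pos % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


if __name__ == "__main__":
    # Publicly documented test PANs plus one made-up checksum-valid number.
    for pan in ("4242 4242 4242 4242", "4111111111111111", "4242424242424241",
                "1234567812345670"):
        print(pan, luhn_valid(pan))
    prefix = "424242424242424"
    print(prefix + luhn_check_digit(prefix))   # a passing number built from a prefix
```

The check exists to catch typing errors at the point of entry, which is why it sits first in the flow; everything that actually concerns a stolen card (does the issuer still honour it, does the CVV/AVS match) happens in the pre-authorisation step after it.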


----------



## LorenKelley (Oct 29, 2013)

I work for Braintree Payments (full-disclosure) and we hear stories like this quite a bit. While Stripe and Braintree both have an instant signup process and ease of integration this is where the similarities end. We have fraud tools designed specifically for this issue. The two types of fraud we see most often are stolen cards being used to make purchases and fraudsters using multiple stolen cards to determine if they are valid. We've partnered with Kount to protect our merchants from fraud. Kount draws on over 200 data points and cross references the card's activity across thousands of merchants to determine if the transaction is valid. Couple our gateway and braintree.js with Kount and you have a robust fraud solution. 

In the event you do have issues we offer white glove support by phone or email. We have a team dedicated to chargebacks. They will work with a merchant directly to try and win disputes and prevent them in the future. Possibly the best part is that all of this is covered under our standard pricing.


----------



## drmike (Oct 29, 2013)

@LorenKelley,   welcome to the site and glad to have you on board.

There are lots of merchants here and the entire card gateway concept and protections is mostly absent to them.

I'd like to chat with you / help define some information for the providers for anti-fraud and alternative payment processors.  I'll PM you here.

How does Braintree compete cost with say Stripe, PayPal and others?  Might you folks have a pre-built competitive matrix?


----------



## XFS_Duke (Oct 29, 2013)

We use Authorize.Net now through TransFirst. Just got it setup, ran tests and everything seemed to work fine. Activated it a couple of days ago. I wouldn't really recommend Stripe for anyone.. I mean, yea it is low cost, but you get what you pay for..


----------



## LorenKelley (Oct 29, 2013)

@drmike,

Braintree's standard pricing is the same as our competitors at 2.9% and $.30 a transaction. However, we wouldn't be working with companies like Uber, Livingsocial, or Airbnb if we were charging those rates. We offer discounts based on volume, but they are custom pricing schedules per each merchant's specific needs. 

Cost is really important, but keeping your customers data safe and keeping the money you make is paramount. You can find cheaper processing, but are they giving you the tools to generate more profit and keep your company and customers safe?


----------



## XFS_Duke (Oct 29, 2013)

LorenKelley,

How about you put together a proposal for web hosting companies on this forum? Call it a VPSBoard Group Plan if you will.

You could make some good commission (if you get paid commission) from this forum. I'm sure all those Stripe people would love to switch. I'd say, provide your best quote here and let people feed off of it... After all, this forum is dedicated to providers that want to better their company, right? 

Just my 2 cents


----------



## SkylarM (Oct 29, 2013)

XFS_Duke said:


> LorenKelley,
> 
> How about you put together a proposal for web hosting companies on this forum? Call it a VPSBoard Group Plan if you will.
> 
> ...


+1


----------



## NodeKid (Oct 29, 2013)

Oi! @LorenKelley! get your (Braintree's) marketplace in the UK/EU

LIKE YESTERDAY!


----------



## Damian (Oct 29, 2013)

@LorenKelley I too am interested in moving away from Stripe, but have a few questions I'll ask here for the mutual benefit of all, as they may be interested too:

-How integrated is Braintree with WHMCS? Currently, when a user pays through our website, they can choose the Credit Card payment option, and everything appears to happen on our website: the user is redirected from where they click "Submit Order" to "Your Order is Complete etc" without needing to be redirected to Stripe or any other website. I'd like to continue that.

-Will Braintree accept any major credit card? We're having issues with Indian credit cards being rejected despite being a Visa-branded card.

-Will Braintree accept VCCs? Can I choose to NOT accept VCCs if I so desire?


----------



## tchen (Oct 29, 2013)

@Damian jclark's Braintree module like his other one for stripe will inject the CC form on page.  The only difference between this and the Stripe one is that it uses the S2S method.



> S2S works in a similar fashion to accessing any API over HTTP. First, you create a form on your website where the user enters their credit card data, billing information, etc. When the user submits the form, the contents are sent to your server. Using the data you’ve received, you make an API call to Braintree using one of their client libraries, check the result and display necessary information to your user.
> 
> This approach is simple and flexible. You can perform your own validations on the data you’ve received from the user as well as performing any necessary data formatting. However, S2S has a serious drawback. While you may not be storing any credit card data, the simple act of that data passing through your system creates a security risk and complicates the steps necessary for you to achieve and maintain PCI compliance.


There's another transparent mode one (direct to Braintree's servers) although I can't say it gives me a warm fuzzy.


----------



## concerto49 (Oct 29, 2013)

I tried to apply for Braintree. My problem was they required me to be in the USA with a USA bank. Stripe didn't require this.


----------



## trewq (Oct 29, 2013)

concerto49 said:


> I tried to apply for Braintree. My problem was they required me to be in the USA with a USA bank. Stripe didn't require this.


Doesn't it say on their site they allow Australian merchants?


----------



## concerto49 (Oct 29, 2013)

trewq said:


> Doesn't it say on their site they allow Australian merchants?


That requires an AUD bank. Enjoy conversion rates.

Customers pay in USD. You take AUD after conversion from Braintree. You convert AUD from Braintree to pay for USD server/colo.


It's a big hit.


----------



## trewq (Oct 29, 2013)

concerto49 said:


> That requires an AUD bank. Enjoy conversion rates.
> 
> 
> Customers pay in USD. You take AUD after conversion from Braintree. You convert AUD from Braintree to pay for USD server/colo.
> ...


Yeah, fair enough. I thought that the merchant accounts are multi-currency, I stand corrected.


----------



## Echelon (Oct 30, 2013)

Lets be honest -- any payment method that has the capability of reversing charges and chargeback requests should be approved manually on the first payment. Payments afterwards shouldn't be such an issue, but you simply can't trust fraud automation to catch a fraudulent charge as it comes through the pike.

There's no alternative to vigilance.


----------



## shovenose (Oct 30, 2013)

True but I'd be interested in Braintree services. We use stripe now.


----------



## ShardHost (Oct 30, 2013)

We've had a massive jump in CC chargebacks from addresses in Cali.

The services purchased were used for carding related activities.  We managed to refund most of the charges before the disputes started to roll in.


----------



## buythiscomputer (Oct 31, 2013)

Hello,

Do you think that any other processor is better than Stripe? You are dreaming...

They all just take our money and do nothing!

At least Stripe is easy to get approved and to use compared to some monkeys such as 2checkout..

I love Stripe and wish that they become the first real PayPal competitor!

Thanks for reading.

ps: the big difference with Braintree, which is not even able to remain independent, is that Stripe accepts sellers without any registered company just as PayPal does, but Braintree does not!


----------



## MichaelS (Oct 31, 2013)

I work on the support team at Stripe. We take risk and fraudulent activity monitoring very seriously here and do everything we can to help our users as quickly as possible, while still letting them reliably accept payments from legitimate customers.

For a bit of background information: we always obtain authorization from the credit card companies and banks prior to returning a successful charge via our API. If a cardholder reports their card as stolen to their bank, their bank should decline future payments; in that case, we immediately let you know and don't allow the charge to go through.

Secondly, if you send us the customer's address and CVC security code when creating a token or charge, we can run additional address and CVC checks with the banks to allow you to be more certain that the true cardholder is making the charge. Using this information, you can choose to refund suspicious charges in your application or set up your Stripe account to decline charges that fail these checks. You can read more about these checks here: https://support.stripe.com/questions/what-controls-for-fraud-prevention-does-stripe-offer. If you ship physical goods, we also recommend checking to see that the billing and shipping addresses match or are similar for further protection.

Finally, in addition to the bank's checks, we have systems monitoring activity globally throughout Stripe, looking for and proactively blocking clearly fraudulent charges. We expose as much data as possible about each charge so that you can reliably determine whether or not any individual charge seems suspicious. Given that you know your customers best, we've found this approach particularly helpful in finding the balance such that our automated systems block as much fraud as possible while not affecting your legitimate customers, who should always be able to pay you.

It's very important to us that you're able to avoid as much of this fraudulent activity as possible. We have people working full-time on these tools, and are continuously working toward making more of this information available on your dashboard and through the API, giving you an intuitive and automatable way to review your payments.

If you have any questions, please feel free to get in touch with me directly at [email protected] and I'll do everything I can to help.


----------



## shovenose (Oct 31, 2013)

MichaelS said:


> I work on the support team at Stripe. We take risk and fraudulent activity monitoring very seriously here and do everything we can to help our users as quickly as possible, while still letting them reliably accept payments from legitimate customers.
> 
> For a bit of background information: we always obtain authorization from the credit card companies and banks prior to returning a successful charge via our API. If a cardholder reports their card as stolen to their bank, their bank should decline future payments; in that case, we immediately let you know and don't allow the charge to go through.
> 
> ...


I know you copy and pasted that because the font is wrong. Just saying. And you have the same initials I do lol.


----------



## Magiobiwan (Oct 31, 2013)

shovenose said:


> I know you copy and pasted that because the font is wrong. Just saying. And you have the same initials I do lol.


So anyone who has your name is unoriginal and copy/pastes stuff?

Low blow, I know.


----------



## shovenose (Oct 31, 2013)

Magiobiwan said:


> So anyone who has your name is unoriginal and copy/pastes stuff?
> 
> Low blow, I know.


The first half of my post is serious. The second half is sarcasm.


----------



## SkylarM (Oct 31, 2013)

shovenose said:


> I know you copy and pasted that because the font is wrong. Just saying. And you have the same initials I do lol.


It's def a copy/paste, I got the same message via a support request when inquiring for more information relating to fraud.


----------



## shovenose (Oct 31, 2013)

SkylarM said:


> It's def a copy/paste, I got the same message via a support request when inquiring for more information relating to fraud.


See, that's what's frustrating - they don't even take the time to think about a response.


----------



## WebSearchingPro (Oct 31, 2013)

I can attest that DigitalOcean uses BrainTree, so it works well for a provider of that caliber.


----------



## drmike (Nov 1, 2013)

Lousy response from Stripe.   Marketing wrote that response.

They obviously DO NOT DO NOT DO NOT have fraud protection.  Stolen cards folks.  Cards reported to banks prior as stolen and still rubber stamped by Stripe. 

If other card processors allow the same shit to slip through, they should be put out of business.  No logic in them facilitating theft/fraud through not truly verifying the account.  Can't believe bank issuer would allow the transaction either.  But hey, maybe it's just like I've always thought, banks make a mint on "fraud", even when they are perpetrating it.


----------



## KS_Phillip (Nov 1, 2013)

http://www.rollingstone.com/politics/blogs/taibblog/outrageous-hsbc-settlement-proves-the-drug-war-is-a-joke-20121213

Nuff said


----------



## gwseward (Nov 1, 2013)

Isn't it possible they took the whole conversation seriously, spent time drafting a response and copy/pasted it from whatever editor they were using? And from Stripe's about page there is a Michael Schade that works there.


----------



## Kakashi (Nov 1, 2013)

This is a bit worrying. We use Stripe and have had several payments go through Stripe that were clearly fraudulent, e.g. a fraudster in Indonesia using a USA credit card. So for the last couple of weeks all Stripe transactions from new clients have been double checked. 

I didn't realise it was this dire though... time to hunt for alternatives that allow UK companies.


----------



## tchen (Nov 2, 2013)

tchen said:


> @Damian jclark's Braintree module like his other one for stripe will inject the CC form on page.  The only difference between this and the Stripe one is that it uses the S2S method.


I took a closer look and that module doesn't use the data.js which is required to integrate with the Kount advanced fraud detection service.  So you're basically looking at basic gateway-level things like carding detection - which brings us back to more or less the same level as the Stripe implementation. The WHMCS integrations both attempt to push a card through the gateway.  It's not listening for any fine-grained feedback other than yes/no so a lot of the flexibility both systems have to allow the provider to make a better decision aren't fed back.

Both will allow you to set AVS/CVV rules to have the API auto-reject cards for basic fraud before submitting it for authorization. 



drmike said:


> If other card processors allow the same shit to slip through, they should be put out of business.  No logic in them facilitating theft/fraud through not truly verifying the account.  Can't believe bank issuer would allow the transaction either.  But hey, maybe it's just like I've always thought, banks make a mint on "fraud", even when they are perpetrating it.


I'm starting to get the suspicion that they used fresh stolen cards (or via carding) and then just gave you some random name/phone that'd match the area.  As far as I know, only AMEX will bother validating the name.

And @Kakashi, neither gateway has the information required to deny that order.  All they get is the card's billing address and it's really up to the merchant to determine whether to allow cross-country/state purchases.  That's going to be a limitation of the WHMCS integration for either service.  Kount has more information like IP, past order attempts, etc., across multiple gateways, that they can use to filter for fraud attempts, but that's not really available in the current implementation.
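An added example, not code from the thread, from Stripe or from the WHMCS modules, tying together the two kinds of signal separated in MichaelS's post and in the post above. The gateway hands back AVS/CVC results on the charge (modelled here on the `cvc_check`, `address_line1_check` and `address_zip_check` fields of Stripe's card object, with values pass / fail / unavailable / unchecked; that field shape is an assumption for the example, not a live API response). The order's source IP country versus the card's billing country, and whether this is the customer's first order (Echelon's point that a first payment deserves manual approval), are things only the merchant knows. The charge objects and the IP-to-country table are constructed; a real deployment would consult a GeoIP database such as the MaxMind one mentioned later in the thread.

```python
from dataclasses import dataclass


@dataclass
class Order:
    """What the billing system knows about the order but the gateway never sees."""
    customer_id: str
    first_order: bool
    client_ip: str


# Constructed stand-in for a GeoIP database; a real deployment would query
# the database instead of this dict.
GEOIP = {
    "203.0.113.7": "ID",   # Indonesia
    "198.51.100.2": "US",
    "192.0.2.9": "PA",     # Panama
}


def gateway_signals(charge: dict) -> list[str]:
    """Read the AVS/CVC results the gateway attached to the charge.

    A 'fail' is a hard reason to reverse the charge; 'unavailable' or
    'unchecked' means the bank did not verify the value, which is only a
    reason to look more closely.
    """
    card = charge["card"]
    reasons = []
    for name in ("cvc_check", "address_line1_check", "address_zip_check"):
        result = card.get(name, "unchecked")
        if result == "fail":
            reasons.append(f"hard:{name}=fail")
        elif result in ("unavailable", "unchecked"):
            reasons.append(f"soft:{name}={result}")
    return reasons


def merchant_signals(charge: dict, order: Order) -> list[str]:
    """Checks only the merchant can make: billing country versus the country
    the order was placed from, and whether this customer has paid before."""
    reasons = []
    billing_country = (charge["card"].get("address_country") or "").upper()
    ip_country = GEOIP.get(order.client_ip)
    if ip_country is None:
        reasons.append("soft:ip_country=unknown")
    elif billing_country and ip_country != billing_country:
        reasons.append(f"hard:ip_country={ip_country}!=billing_country={billing_country}")
    if order.first_order:
        reasons.append("soft:first_order")
    return reasons


def decide(charge: dict, order: Order) -> tuple[str, list[str]]:
    """Return ('refund' | 'review' | 'provision', reasons).

    'refund' reverses the charge before it can turn into a dispute with a fee,
    'review' holds provisioning for a human, 'provision' delivers the service.
    """
    reasons = gateway_signals(charge) + merchant_signals(charge, order)
    if any(r.startswith("hard:") for r in reasons):
        return "refund", reasons
    if reasons:
        return "review", reasons
    return "provision", reasons


def sample_charge(charge_id: str, cvc: str = "pass", zip_check: str = "pass",
                  billing_country: str = "US") -> dict:
    """Constructed charge object; the field names follow Stripe's card object
    but this is not a live API response."""
    return {
        "id": charge_id,
        "paid": True,
        "card": {
            "fingerprint": "fp_" + charge_id,
            "cvc_check": cvc,
            "address_line1_check": "pass",
            "address_zip_check": zip_check,
            "address_country": billing_country,
        },
    }


if __name__ == "__main__":
    cases = [
        (sample_charge("ch_repeat"), Order("c1", False, "198.51.100.2")),
        (sample_charge("ch_first"), Order("c2", True, "198.51.100.2")),
        (sample_charge("ch_geo"), Order("c3", False, "203.0.113.7")),
        (sample_charge("ch_cvc", cvc="fail"), Order("c4", False, "198.51.100.2")),
    ]
    for charge, order in cases:
        print(charge["id"], *decide(charge, order))
```

The point of keeping the two signal sources in separate functions is the one tchen makes: a yes/no from the gateway is not enough, because the Indonesia/USA case above passes every check the gateway can run and is only caught by data the gateway never receives.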


----------



## Damian (Nov 3, 2013)

So... it appears that LorenKelley has been murdered by a street gang of some sort. Can't think of any other reason to ignore a community that *wants *to give them their business.

Anyone have a non-drone contact for Braintree that I can pick their... brain? (HA!)


----------



## zzrok (Nov 3, 2013)

This is probably just a sign of what is to come now that Paypal owns them: http://techcrunch.com/2013/09/26/paypal-acquires-payments-gateway-braintree-for-800m-in-cash/.


----------



## XFS_Duke (Nov 6, 2013)

Oh well, I might switch, only because I don't want to pay monthly fees, but at the same time, I'm wondering how great it will actually be. Anyone here actually use them and have you had any issues?

Also, what WHMCS module do you use?

Thanks


----------



## SPINIKR-RO (Nov 7, 2013)

Braintree is already integrated with HostBill if anyone is using it. Honestly though, looking through here, I have not had an issue with Stripe; of course nothing is totally secure from fraudulent transactions. Stripe has honored a few that I knew were not legit and have always refunded the transaction prior to any sort of dispute or chargeback.


----------



## XFS_Duke (Nov 8, 2013)

SPINIKR-RO said:


> Braintree is already integrated with HostBill if anyone is using it. Honestly though, looking through here, I have not had an issue with Stripe; of course nothing is totally secure from fraudulent transactions. Stripe has honored a few that I knew were not legit and have always refunded the transaction prior to any sort of dispute or chargeback.


You're the minority here... HostBill is another thread needing to happen... Can't believe nobody started one on here about HostBill and their issues...


----------



## SPINIKR-RO (Nov 8, 2013)

XFS_Duke said:


> You're the minority here... HostBill is another thread needing to happen... Can't believe nobody started one on here about HostBill and their issues...


Is that really the case?

There are plenty of threads on it and mostly people bitching about the price; even I laugh at how that has unfolded, but where are the complaints regarding the app itself? Most complain about it and have never used it. I have used it at fairly large scale for 12 months now and it outperforms WHMCS by a long shot; I also appreciate the weekly updates, where today's fixed a SQL vuln.

Yes, it has been a bumpy ride in terms of fixing some bugs, a few that were critical, but overall a better experience than I can say about WHMCS, which I have used since 2008ish.


----------



## concerto49 (Nov 8, 2013)

XFS_Duke said:


> Oh well, I might switch, only because I don't want to pay monthly fee's, but at the same time, I'm wondering how great it will actually be. Anyone here actually use them and have you had any issues?
> 
> 
> Also, what WHMCS module do you use?
> ...


Braintree has a whmcs module. You need your own merchant account to use it.


----------



## terafire (Nov 9, 2013)

I use Stripe. MaxMind and manual checking are absolutely necessary with Stripe.


----------



## XFS_Duke (Nov 9, 2013)

SPINIKR-RO said:


> Is that really the case?
> 
> There are plenty of threads on it and mostly people bitching about the price; even I laugh at how that has unfolded, but where are the complaints regarding the app itself? Most complain about it and have never used it. I have used it at fairly large scale for 12 months now and it outperforms WHMCS by a long shot; I also appreciate the weekly updates, where today's fixed a SQL vuln.
> 
> Yes, it has been a bumpy ride in terms of fixing some bugs, a few that were critical, but overall a better experience than I can say about WHMCS, which I have used since 2008ish.


Ha, well yea, we own a lifetime license... We use it, I like it to an extent.. But I don't like the fact that you have to pay for everything now. Oh, a new order page, charge. Oh you have a bug in the program, oh that is $75 to submit it and hope you get a refund. The price hikes are stupid. I understand you like it, but as I said, you're the minority. We switched from WHMCS to HostBill and back to WHMCS because of their lack of fixing real issues and when I found something I couldn't submit the ticket because I wasn't going to pay that clown for him to fix his script. I've had issues with the addon configuration using the scroll option and a few others.

But we can sit here and argue about it all day for a year; it won't solve anything. To each his own. I'll use HostBill only because we have a license, but if it weren't for that... Well, I'd rather not spend more money for him to fix something, period.


----------



## ISG (Dec 12, 2015)

XFS_Duke said:


> We use Authorize.Net now through TransFirst. Just got it setup, ran tests and everything seemed to work fine. Activated it a couple of days ago. I wouldn't really recommend Stripe for anyone.. I mean, yea it is low cost, but you get what you pay for..





This is who I used for a while, but if you keep using them, wait until you get some type of chargeback or a declined payment. I moved from them because of the fees and poor support.


----------



## joepie91 (Dec 13, 2015)

SPINIKR-RO said:


> I also appreciate the weekly updates where todays fixed a SQL vuln.



This is a red flag. If they are still "fixing SQL vulns", that means they are not using parameterized queries. That's really not acceptable in 2015, and makes them negligent.


The entire concept of "SQL vulns" doesn't exist when using parameterized queries.
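An added example, not HostBill's or WHMCS's code, showing the class of bug the post refers to and why parameterised queries remove it: the same client lookup written by splicing the input into the SQL text and written with a bound parameter, run against a constructed in-memory SQLite table. The table, the rows and the payloads are all constructed for the example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory client table standing in for a billing database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE clients (id INTEGER PRIMARY KEY, email TEXT, status TEXT)")
    conn.executemany(
        "INSERT INTO clients (email, status) VALUES (?, ?)",
        [("alice@example.com", "active"), ("bob@example.com", "suspended")],
    )
    conn.commit()
    return conn


def find_client_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """Deliberately vulnerable: the untrusted value is spliced into the SQL
    text, so a quote character in it ends the string literal and the rest of
    the input is parsed as SQL."""
    sql = "SELECT id, email FROM clients WHERE email = '%s'" % email
    return conn.execute(sql).fetchall()


def find_client_safe(conn: sqlite3.Connection, email: str) -> list:
    """Parameterised: the SQL text is fixed when the code is written and the
    value is bound separately, so it can only ever be compared as data. There
    is no 'SQL vuln' left to patch because the input never reaches the parser."""
    return conn.execute(
        "SELECT id, email FROM clients WHERE email = ?", (email,)
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    payloads = [
        "alice@example.com",                               # legitimate lookup
        "' OR '1'='1",                                     # returns every row
        "x' UNION SELECT id, status FROM clients --",      # reads another column
    ]
    for p in payloads:
        print(repr(p))
        print("  vulnerable:", find_client_vulnerable(conn, p))
        print("  safe:      ", find_client_safe(conn, p))
```

With the bound parameter the two attack payloads are simply looked up as email addresses and match nothing; the vulnerable version returns all clients for the first and leaks the `status` column for the second, which is the kind of weekly fix the quoted post was celebrating.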


----------



## KuJoe (Dec 13, 2015)

joepie91 said:


> This is a red flag. If they are still "fixing SQL vulns", that means they are not using parameterized queries. That's really not acceptable in 2015, and makes them negligent.
> 
> 
> The entire concept of "SQL vulns" doesn't exist when using parameterized queries.



You quoted a post from 2013


----------



## Powerfulbox (Dec 13, 2015)

Used Stripe for about 2 years and only ever got 1 chargeback. I am a big fan of Stripe and if I had my way I would push it as our main payment method. More than 70% of our customers still pay with PayPal, which has been really good for the last year, but I have had way more complications with them in the past than with Stripe.


----------



## Licensecart (Dec 13, 2015)

KuJoe said:


> You quoted a post from 2013



Haha nice find, but I wonder if this is fake? If not, wow!


https://twitter.com/CEHSecurity/status/671036495986323457


----------



## joepie91 (Dec 13, 2015)

KuJoe said:


> You quoted a post from 2013



It was true then as well 


Anyhow, hadn't realized this was grave-dug.


----------



## Localnode (Dec 15, 2015)

Braintree Australia requires a business bank account.


We switched _from_ WorldPay ($20/mo) to Stripe. It's obvious Stripe doesn't have any fraud protection, as there have been quite a few obvious cases where the card was stolen (living in Panama, card in New Zealand type of thing). 
The only problem though, I don't think there's any real alternative to Stripe when it comes to ease of use.


----------



## estnoc (Dec 15, 2015)

I think once the buyer has inserted card data, stripe requests that amount of money from bank and bank places temporary hold on the funds on buyer's card/account. I think its quite strange that they processed known stolen cards.


----------

