Stripe has shut down our payment processing

How it started: a prepaid card testing bot

Last Wednesday, 100 failed payment attempts appeared in our Stripe dashboard within a few minutes of each other, all with the same email address.

A screenshot of a redacted customer list in Stripe's Dashboard

Someone was testing prepaid cards in our hosted Stripe Checkout form. Fortunately, not one of these charges succeeded, which meant there was no need to handle disputes or refunds.

Raising the issue with Stripe

When I discovered the fraud, I immediately contacted Stripe’s customer support. I asked what I could do to prevent this from happening again and offered my assistance in their investigation.

At this point, I still had access to Stripe’s human 24x7 chat support. They let me know I’d hear back soon over email. Instead, I received this email from Stripe’s Accounts team:

Subject: [Action required] Closure of your Stripe account for smudge.ai

Screenshot of an email from Stripe, writing to let us know our account has been closed due to a high risk of customer disputes

While the email was alarming, I wasn’t too worried. It looked like an automated review. Surely an appeal via “Request further review” would get a human to see the context, realize it’s a mistake, and rectify it.

I submitted the appeal and reached out again for answers.

  • Was smudge.ai high-risk, or did a fraudster just use our form? Our account was closed the same day, which suggests the latter.
  • Could card-testing shut down any Stripe customer? Surely not. So, why us?

Risk assessment profiles

Despite their email saying we were being shut down due to a “high level of risk for customer disputes”, Stripe’s own fraud and risk assessment tools within Radar show no risk.  Screenshot of Stripe's Radar tool showing a perfect risk assessment score

Zero blocked payments. Zero disputes. “In good standing” with VFMP and VDMP.

Screenshot of Stripe's Radar tool showing no blocked payments

Our risk profile is clean, and we aren’t in a Prohibited or Restricted business category that would be considered high-risk by default.

Screenshot of Stripe's Radar tool showing zero disputes

Appeals to robots

When I tried Stripe support again, the “24x7 help from our support staff” was grayed out.

  • No live chat.
  • No callback option.

Screenshot of Stripe's limited customer support options

I was also no longer able to reply by email to the human customer support team that had helped me before. So I re-sent several questions in a new email and received this (automated?) response:

Screenshot of an automated reply from Stripe

With each new support request, my questions all went unanswered. Sometimes I’d get a person to reply that they’d be “back in touch” after further review. A day later, the “back in touch” email would inevitably arrive—its contents identical to the screenshot above. The longest period between email replies was a full week. I had exited the human communication process and arrived in a Kafkaesque loop of automated replies with no real answers—all while my business had been effectively halted.

Screenshot of a scripted reply from Stripe

Was the card testing fraud a red herring?

The timing suggests that the prepaid card testing that I reported was the reason for the account closure. But since Stripe won’t offer any explanations I can only speculate.

Screenshot from Stripe indicating we do not meet their Terms of Service

[Speculating on what else could possibly be the issue]

Maybe the card testing was the impetus that led to a deeper review of our account, after which Stripe assessed we were high-risk for unrelated reasons.

Stripe’s email says we were shut down for our risk of disputes. But Stripe’s dashboard says the reason was that we’re not following their Terms of Service. They won’t share what term we violated, and won’t say whether it’s something easily fixed, such as a paperwork issue.

After poring through Stripe’s ToS, here are some alternative guesses:

  • Is it that we’re a new business? The account has been active less than a year. But Stripe markets itself as a payments solution to young companies.
  • Is it that our low pricing encourages prepaid card testing attacks? Who knows. But I’d rather switch to quarterly billing than have no payment processing at all.
  • I discovered an autocomplete mistake in one of the occurrences of my legal name in Stripe. Is that grounds to shut down the entire account with no possible remedy? Unfortunately, there’s no way for me to correct it now that their support has gone unresponsive.
  • I didn’t pay for Radar at the time of the attack. Maybe Stripe requires that you pay extra to set up anti-fraud rules or risk being banned.

With any information from a human being at Stripe, I believe we would likely find a solution to reduce the risk profile or address whatever ToS violation I made. As it stands now, all I can do is guess and hope and wait.

It’s also strange that the ToS violation—whatever it may be—never surfaced during the account verification and KYC stage. Stripe asked for all the business details, then approved smudge.ai for payment processing. Why would I only be hearing about this now?

Maybe it’s time to find a new payment processor.

While I had read stories from other founders who had gone through similar issues with Stripe…

[A selection of accounts by other Stripe customers]

…I still wanted to use Stripe because:

  1. I knew the system, and their prebuilt flows would save me time. As a solo developer I have to prioritize, and that extra time could go into building features.
  2. Choosing another payment processor wouldn’t necessarily be better. As one of the largest processors, Stripe was bound to have more bad experiences surfaced.
  3. I had great customer support from them before. I didn’t know it could become so bad with the flip of a switch.

Our no-account-necessary signup flow is also deeply integrated with Stripe, so I would prefer to remain their customer. But this experience has soured my opinion of Stripe and shown me how vulnerable we are to the flow of money being immediately stopped—with no warning, no recourse, and poor communication.

Actionable suggestions for Stripe

  1. Maintain contact. Rather than shunting the customers who need your support the most into an automated customer support side channel, give those customers access to the same phone and chat support lines as the rest of your customers.
  2. Provide clarity. If a business is high-risk, explain why. If there is a specific ToS violation, cite it so that it can be corrected or at least justified. If even your own tools show zero risk, explain what risk metrics you are basing your assessment on.
  3. Warn before taking action, when possible. Before halting the flow of payments altogether, send a warning. Even 24h with good communication can be enough.
  4. Perform compliance checks before payments roll in. If a Stripe account is created and verified, then transitioned into Live Mode, by the time payments arrive the business should be able to feel reasonably certain that they’re operating within your Terms and are otherwise compliant, obviously barring any major changes to the business itself.

Moving forward

My hope is that a Stripe team member works with me to address these issues. Until then I will be evaluating other payment processors and planning for customer subscription migration. I’ll give Stripe another week to work with me through these issues, after which I plan to begin the migration process if no progress is made.

Customers, thank you for your patience. As always, feel free to get in touch with me directly at sebastian@smudge.ai.