Practical Ecommerce

Credit Card Processing Sucks

Credit cards are cool. They make online shopping possible. But credit card processing, the system by which money moves from a customer to a merchant, totally sucks.

It sucks for three reasons: cost, liability, and security.

Let’s outline each in their stunning absurdity.

Credit card processing costs a fortune! Typical fees range from 2.5% to 3.5% of every transaction. That’s nuts, y’all!

Why should the credit card company collect 10 times as much money on a $100 transaction as on a $10 transaction? They’re simply processing data, and there is no inherent cost difference in processing one transaction over another. This is reason #1 that credit card processing sucks. Unfortunately, there is no great alternative at this time. So, we have to live with the cost. But, that’s the least of your worries.

However, it’s still interesting to think about why the fees are so high. I don’t work in that industry, so I’m only guessing, but I suspect the percentage-based fee is used to cover the cost of rewards, points, and miles to their customers (the cardholders).

The other “argument” I’ve heard for the exorbitant fees is that the credit card company’s liability increases as the dollar amount of a purchase increases. Nonsense! The credit card company protects their customers from fraud, but not at their expense. No, no, no! Instead, if fraud occurs, they recover the funds from whatever merchant allowed the fraud to take place. That could be you, my friend!

This is reason #2 that credit card processing sucks: liability.

Let me break it down. Let’s say someone steals a credit card and uses that stolen card to buy $500 worth of merchandise on my website. A month later, I’m notified that it was fraud. The $500 is removed from my account and the legitimate cardholder is reimbursed, but so is the credit card company! I’m out $500 plus the cost of the merchandise plus the cost of shipping plus a “chargeback” fee for the credit card company’s “inconvenience”. I’m completely screwed and everything is tilted in favor of the credit card company.

To make matters worse, there are no decent tools out there for a small business to completely eliminate this type of fraud. It’s simply a cost of doing business, I suppose. But it’s completely absurd that the merchant is left holding the bag because the credit card industry created such an insecure product. It’s way too easy for cards to be stolen and it’s way too difficult for online merchants to determine if a transaction is fraudulent.

The credit card companies provide us with no effective tools to help determine if fraud has taken place. We get AVS (the address verification system), which is basically useless, and the card security code (the 3-4 digit code on the back of the card). Are you kidding me? These two services suck.

Let’s start with AVS. This system is supposed to verify whether the billing address entered by a customer matches the billing address that the bank has on file for that credit card. Wonderful, right? No. It’s terrible because not every bank participates, banks often don’t have a customer’s latest address on file, and it’s too easy for hackers to obtain this information. AVS is essentially useless.

What about the card security code? Well, what’s so secure about a code written on the back of a card with all of the other crucial data? You wouldn’t write the combination to your safe ON the safe, would you? Every time you give your credit card to a waiter, they have unfettered access to this information. Nice “security”, guys.

As merchants, we’re left to try to figure this all out. The credit card processors provide us with “tips” (inane PDFs with stellar tips like, “Be careful!”). Seriously, their main tip is to only ship an order to the AVS-verified address of a cardholder. That sounds fine in theory unless your customer wants to ship to a friend, their business, a family member, a second house, etc. You’ll kill your business with a policy like that. So, as a business owner, you take 100% of the risk AND pay the credit card company for the pleasure of taking the risk.

That’s reason #2 that credit card processing really sucks.

But the most horrifying aspect of credit card processing is security. The acronym PCI should send you running for cover. It stands for Payment Card Industry and they have a “security council” whose job is to ensure that inherently insecure credit card information isn’t compromised by the merchants who are forced to use an outdated system.

The PCI council has a 60-page-long checklist of things every merchant should do to secure their business from hackers. They certify companies to provide security analysis and training to merchants in order to protect themselves from hackers. As a merchant that deals with credit cards, you must be PCI-compliant.

Becoming PCI compliant is not easy and it requires annual or quarterly scans by an ASV (approved software vendor). That’ll cost you a few hundred a year (if not more).

But even though you are PCI-compliant, you’re still vulnerable to massive fines and penalties should the card issuers (VISA, MasterCard, etc), at their discretion, determine that your business was hacked and credit card information was stolen.

If one of the credit card companies even suspects that card data was compromised from your business, they give you an ultimatum: Hire a PFI (which stands for PCI Forensics Investigator) to determine if, how, and to what extent your business was compromised. The starting price for a PFI is about $10,000! And when the PFI is done, they submit a report to the card company which they use to determine the amount of fine they’re going to assess!

That’s reason #3 credit card processing sucks and it’s the most insidious.

If you’re starting to feel that the entire process is rigged against the merchant, you’re right!

There isn’t much you can do about #1 and #2 (until a whole new paradigm of direct transfers is created and credit cards are eliminated). But, you can reduce your exposure to #3 down to zero. And because #3 represents an open-ended liability, it’s the most important.

The solution?

JavaScript. Yep. JavaScript! If you employ a credit card processing system on your website in which card data is transmitted to your processor via AJAX (Asynchronous JavaScript and XML), your website never sees credit card data. You eliminate the need for PCI-Compliance entirely. Your liability is zero.
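
The flow described above, sketched as an added example (not code from this article or from any processor): the browser sends card data only to the processor, gets back a token, and sends the merchant nothing but the order and that token, with a guard that refuses to post anything that looks like a card number to the merchant. The endpoint URLs, field names, token value and sample data are assumptions made up for the illustration.

```javascript
// Added example. Endpoints and field names are hypothetical, not a real processor's API.
const PROCESSOR_TOKEN_URL = "https://processor.example/v1/tokens";
const MERCHANT_ORDER_URL = "https://shop.example/orders";

// Luhn checksum, used to tell a card number from any other run of digits.
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]);
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}

// Return every 13-19 digit sequence in a payload that passes Luhn (spaces and dashes ignored).
function findCardNumbers(payload) {
  const hits = [];
  for (const m of JSON.stringify(payload).matchAll(/\d(?:[ -]?\d){12,18}/g)) {
    const digits = m[0].replace(/[ -]/g, "");
    if (luhnValid(digits)) hits.push(digits);
  }
  return hits;
}

// Step 1 (browser -> processor): the only request that carries card data.
function buildTokenRequest(card) {
  return { url: PROCESSOR_TOKEN_URL, body: { number: card.number, exp: card.exp, cvc: card.cvc } };
}

// Step 2 (browser -> merchant): order details plus the opaque token, never the card.
function buildOrderRequest(order, token) {
  const body = { ...order, paymentToken: token };
  if (findCardNumbers(body).length > 0) {
    throw new Error("card number present in merchant payload");
  }
  return { url: MERCHANT_ORDER_URL, body };
}

// Full flow. `send(url, body)` is the transport (fetch in a browser), injected so this runs offline.
async function checkout(card, order, send) {
  const tokenReq = buildTokenRequest(card);
  const { token } = await send(tokenReq.url, tokenReq.body);
  const orderReq = buildOrderRequest(order, token);
  return send(orderReq.url, orderReq.body);
}

// Constructed sample data, and a fake transport that records what each host received.
const sampleCard = { number: "4111 1111 1111 1111", exp: "12/30", cvc: "123" };
const sampleOrder = { sku: "WIDGET-1", qty: 2, shipTo: "1 Main St, Springfield 10001" };
function fakeTransport(log) {
  return async (url, body) => {
    log.push({ host: new URL(url).host, body });
    return url === PROCESSOR_TOKEN_URL ? { token: "tok_constructed_123" } : { ok: true };
  };
}
```

Running checkout(sampleCard, sampleOrder, fakeTransport(log)) leaves two entries in log: the processor host with the card fields, and the merchant host with only the order and the token.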

There are possibly several companies that offer such a processing solution, but the first I found was

I suggest switching to Stripe or a company like them immediately. You won’t have to pay for quarterly PCI-compliance scans anymore. Your liability drops to zero. You can drastically lower your cyber liability insurance coverage (which you should have in place if you don’t!). And you can sleep easier at night.

Now, if we can just figure out how to deal with reasons #1 and #2…



  1. Ben Dwyer June 20, 2013

    You make a few good points, but avoiding PCI fees isn’t quite that simple. PCI validation is not a card brand mandate for level four merchants (most merchants are considered level four).

    The card brands have left PCI validation to acquirers, and acquirers handle validation in several different ways. Some charge a "PCI Fee" and do nothing to support merchants, others charge a fee and offer scans and such, and others ignore PCI altogether and charge nothing.

    In the first two cases, it doesn’t matter if a business is technically PCI compliant — it will have to pay a PCI fee if its acquirer dictates that one be paid.

  2. Jamie Salvatori June 20, 2013

    Ben – Unfortunately, your statement illustrates just how insane the whole system is! Nobody (especially merchants) can understand its intricacies!

    It’s a 70-year-old system that is inherently broken. It’s too easy to hack and desperately needs to be replaced. It’s a joke that we, as merchants, are put entirely at risk for a system that the card issuers have not yet found a way to make secure.

    That being said, I’m fairly certain that your website never touching credit card data makes PCI compliance a non-issue. Hit up the guys at Stripe for more details, but they’re very clear about that fact.

  3. cdamron June 21, 2013

    Jamie, I’ve worked in the credit card industry for 20 years and you’re right, it sucks. There are a few things that you wrote that are stretched, but for the most part everything in here is correct. The fact of the matter is merchants have a wobbly leg to stand on and at the end of the day at any point it can be kicked out from under them. Part of the problem is these massive breaches that you hear about. When a big breach happens very little of those costs are recovered by the merchant. Thankfully over the next few years our system in the US is being replaced with chip cards like they already have in Europe. At that point we will all have chip cards with a PIN which will hopefully eliminate a lot of the fraud and hopefully drive down costs. Now whether merchants really see pricing go down and whether we see major industry changes or not comes down to the almighty Visa.

    And as for Stripe, I know them well and right now they have a good setup. At least for now! With them taking on 100% liability we’ll have to see if they can sustain that. Fraud happens every day and all it will take is for one case to mess the entire apple cart.

    Thanks for posting this, Jamie. I love your straightforward analysis. Our industry is a crazy industry which will probably not change anytime soon, but it is what it is and unfortunately we all love our credit cards…

  4. Richard Stubbings June 22, 2013

    I must say that it is certainly different here in the UK. Card rates are typically 1.2% – 2%, and a fixed 0.10 – 0.25 for debit cards. The Verified by Visa system passes the liability to the banks away from the merchants. PCI compliance can be cheap and not need security scans if you use a gateway hosted form.

    The credit card company’s liability certainly does increase as the transaction value goes up. At the end of the day the credit card company HAS to refund the customer if there is a fraudulent transaction, and then obviously tries to get the money back from the merchant, but if the merchant has gone bust the credit card company foots the bill.

    Regarding tools, many UK payment gateways interface with a tool called the 3rd man. This has a fraud score against the transaction (e-mail, address, value, and other data).

    Overall I have to agree that the system sucks, that scam artists steal from the merchants, but it is nowhere near as bad in the UK as you say it is in the USA.

  5. Jamie Salvatori June 24, 2013

    Richard – Good to hear that better tools do exist for determining fraud, but it’s a shame that they aren’t given to merchants for FREE by the credit card processors. You’d think it would be in their best interest to provide merchants with every possible tool to determine if a transaction is fraudulent. But they don’t. And that should give you pause.

  6. Richard Stubbings June 26, 2013

    But the 3rd man tool is provided free (well, included in the total charges).

  7. Ben Dwyer June 27, 2013

    A big reason why "credit card processing sucks" is that providers leverage the complexity of fees to take advantage of businesses, but there’s also a flip side — providers that over-simplify processing fees to the same end.

    For example, you’re plugging Stripe as a good solution to simplify PCI, but Stripe’s processing charges rely on a bundled pricing structure resulting in significantly greater costs than a merchant would be able to secure through a service like CardFellow that requires processors to separate markup from base costs (interchange-plus or interchange pass-through).

    Many merchants, especially higher volume merchants, would benefit more from a cost and value standpoint by taking advantage of more competitive pricing and a vendor that provides PCI validation assistance.

    Choosing a processing provider based on a single service detail like PCI support or ease of validation is a mistake.

    Granted, there are quite a few providers in this industry that profit from the complexity, but many tools and information are available to educate merchants about how processing and fees truly work.

    In this industry, simplicity is expensive, and thousands of processing options are available. There’s no substitute for due diligence and educating yourself about what’s available.

    A word of advice to merchants… start by learning the basics. Learn about the components of processing cost such as interchange, assessments, and markup. Learn about the pricing models that processors use to assess charges such as tiered pricing and interchange plus.

    Once you have a solid understanding of fees and pricing, look at details such as processing equipment, gateways, and software available. Various gateway options, like Stripe, have varying features and pricing. PCI exposure, validation and support is a single detail in what will be the ideal processing solution for your business. Learn the ropes, weigh the options, and make an informed decision.

  8. Kevin Woolf June 27, 2013

    Yes! Credit cards do suck, but I’ve found three alternatives. I happen to be in Taiwan, and ATM bank transfer is very popular. Green World offers a unique virtual transfer number for every transaction, so you know when a customer pays you money. They even link into the most popular carts like Magento, WooCommerce, Prestashop, and more.

    Ok, now my favorite–Dwolla! I love Dwolla. Sign up is a bit over the top, but once you’re verified, you can send and receive money using your account. And guess what. Only $0.25 per transaction up to $5K ($10K for business accounts). Yes, only 25 cents no matter what dollar amount you transfer. Easy to use, but it’s limited to USD and people with US bank accounts. My referral link here

    Next is Coinbase. I like the idea behind Bitcoin, and Coinbase allows you to instantly cash out bitcoins to USD for zero exchange risk. No chargebacks, low fees. Only 1% + $0.15 per transaction. I can get with that. Again, a referral link

    As a side note, stay away from Stripe! If you thought Paypal arbitrarily changes the rules, locks accounts, and holds your money, watch out for this one. If you ever get an e-mail from a fake employee named Maria, you’re in trouble. Search and you’ll see what I mean.

    So ATM, Dwolla and Coinbase. Go!

  9. Bob Herman June 27, 2013

    Shipping only to the billing address of the cardholder, as mentioned in the article, does not protect the merchant for Card Not Present/Internet transactions. In fact, even having a signed delivery receipt from the carrier (UPS / Fedex) at the cardholder’s billing address does not protect the merchant. For Card Not Present transactions, the law simply allows the cardholder to commit fraud. The Visa arbitrator will always rule in favor of the cardholder. Oh, by the way, the cardholder can claim fraud up to 9 months after the transaction cleared. If the cardholder was actually defrauded by a friend/relative/worker etc. that had access to receive the package (happens all the time!), then the much larger issuing banks should incur the loss, not the smaller merchants. The law needs to be changed.

  10. Colleen September 20, 2013

    Is there any action I can take on a credit card company that charged our business a “cancellation fee” without my knowledge? I changed processing companies after my contract was up, but they are saying my contract renewed automatically and took $495.00 out of my account.

  11. Scott Rogers December 16, 2015

    Stripe is unfortunately ruining my life, my business, my employees, and Christmas for their kids.

    We have been running various websites for many years and have always used traditional merchant accounts. Unfortunately, we run many websites, and with traditional merchant accounts the processors want an account for each site and business. When you have 15 sites, having 15 merchant accounts is nearly impossible to manage and we found ourselves creating more problems trying to manage each one vs finding a processor like Stripe that we could create sub accounts or something of the sort and be up and running with each new website we launched in hours or less. We were finally making progress and excited to begin using Stripe. Money was flowing, deposits were coming, orders were being shipped, chargebacks were low and next to nothing. Refunds were only our own transactions that we were testing our sites with.

    Things were good as all stories start out in the beginning. Unfortunately that lasted just a short while. We began to slowly receive notifications for each account one by one over time with each notification having different reasons. None of this made sense to us, we were shipping orders, refunds were low, sites were doing good, chargebacks were next to nothing, and everything was in place. The relationship should be perfect match and fit.

    Recently as each account was being shut down, they were starting to place holds, change deposits to 7 days, then no deposits, and a constant loop of scheduling transfers that never happened. You can’t reach them, explain, discuss, or anything. I have managed to get some email responses here and there with very little information flowing, we are left with no choice but to share our story and hopefully avoid this happening to others.

    We now have around $15,000 tied up with Stripe. That is a lot of money, and we are 9 days away from Christmas, we have employees to pay this week, they have Christmas to buy for their kids, travels to see family, all to be destroyed over Stripe and their lack of willingness to work with their supporters. I was a big fan, loved their concept and ease to do business. I was like in my head, saying: finally, a company that gets it and is for the small businesses out there. I love Stripe.

    That is all being erased with the stress and frustrations they have caused on our business and our personal lives. We need our cash flow and rely on it to operate. They never inquired to see if our orders were fulfilled, customers happy, or anything just shut us down with no information or reasons that we could maybe provide documents, information to satisfy their concerns. While I realize businesses like theirs have to manage risk, I respect that, but did they reach out, inquire, or anything? NO. Worst of all, CHRISTMAS IS RUINED for many!

    I also realize there is lots of fraud out there, they have to take preventative measures, but don’t hurt the good guys, or penalize the ones who run a legitimate operation.
    As we are respected in our industry already, which is internet marketing, it is not difficult to prove that a company who by procedure does not communicate by telephone with people, and has more negative press than a presidential nominee already (as we learned in doing diligence on this issue), is engaged in unreasonable business practices and unfairness to its clients. We will show this. Sorry your “Hands are tied”. We were hoping for a more favorable response as my concern is for the survival of our small business and my staff and their families.

    This is December 16th today. We will not be able to pay our employees for Christmas without our money. We have been effectively shut down by Stripe’s actions. Our business will be entirely shut down until we can reapply, open new merchant accounts and go through the painstaking process of integrating the new processors etc. to our websites. Stripe didn’t provide a shred of evidence of chargebacks, or what risk level they speak of. Please define how you qualify “Higher than normal risk”. Because from the outside, it looks like you are using MY employees’ paychecks to fund their company. However, we can absolutely prove we have shipped and continue to ship products. We can absolutely prove any chargebacks or disputes are handled by our accounting staff, we can absolutely prove that the level or “risk” you assess is probably not based on anything specific to our industry or actual performance.

    Stay clear of Stripe if you want to avoid things like the above, shame on me for taking a chance with a company that does not provide phone support or publish a phone number at all.

    Scott Rogers