Taking on Fraud as a Bootstrapped Business

Hi all,

I am currently running a bootstrapped startup that generates revenue. It’s basically a simple service that helps others sell digital downloads. We make use of PayPal and Stripe and take a 5% commission as the transaction happens. There is no risk for us as all the money goes to the seller immediately.

However, the PayPal API has lots of limitations and we now feel the need to take ALL payments and pay out to customers every week. But we are afraid of fraud. The limitations are:

  • Turning away some customers based in India, Nigeria, etc., locations PayPal does not support.
  • The PayPal API forces us to use the old interface for some reason. Can’t take advantage of the new design that PayPal has.
  • We can’t offer features customers would like, like refunds from within our dashboard. API Limitation.
  • The code base will be a lot simpler with the newer method as there are fewer moving parts and we can use a unified library.
  • Slightly lower fees for customers if we use this new method

Does anyone have experience with fraud via payments? Should we stick with what we have or change?

You probably don’t need to worry about implementing tools to protect against fraud until fraud starts to happen, but it’s good that you’re thinking about it early. The reason I say that you don’t need to protect yet is because you don’t really know what it will look like.

We see a bit of fraud at DNSimple. Initially we had problems where fraudulent users would purchase domains and certificates with no intention of paying for them. We also saw fraud by users who were trying to separate good cards from bad cards. We started by putting in limitations that prevent future purchases once you have one outstanding invoice. This stopped some of the fraud, but not completely.

After those initial changes, I started using SiftScience to score customers, and based on the scoring I can typically identify a fraudulent account before they do too much damage. I implemented this in steps, initially just using it to identify fraudulent accounts post-purchase, but more recently I started using them to score customers before purchases are made.

Ultimately fraud just needs to be considered a cost of doing business. For now your approach is probably fine, but you may need to reconsider it once the downsides you mentioned become more of a nuisance.
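
The two controls described in the reply above (blocking new purchases while an invoice is outstanding, and rolling out scoring in steps) can be sketched as one purchase gate. This is an added example, not part of the thread and not DNSimple's code or the SiftScience API: `sample_score`, the sample scores, the 0.8 threshold and all class names are assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable


class Mode(Enum):
    OBSERVE = "observe"  # high scores are only queued for post-purchase review
    ENFORCE = "enforce"  # high scores block the purchase before it happens


@dataclass
class Account:
    account_id: str
    unpaid_invoices: int = 0


# Constructed sample scores (0.0 = looks fine, 1.0 = looks fraudulent).
SAMPLE_SCORES = {"acct-1": 0.05, "acct-2": 0.10, "acct-3": 0.93}


def sample_score(account: Account) -> float:
    """Hypothetical stand-in for a call to an external scoring service."""
    return SAMPLE_SCORES.get(account.account_id, 0.0)


@dataclass
class PurchaseGate:
    score_fn: Callable[[Account], float]
    mode: Mode = Mode.OBSERVE
    threshold: float = 0.8  # assumed cut-off; tune it against your own history
    review_queue: list = field(default_factory=list)
    def decide(self, account: Account) -> str:
        # Step 1: a single outstanding invoice stops any further purchase.
        if account.unpaid_invoices > 0:
            return "deny:unpaid_invoice"
        score = self.score_fn(account)
        if score >= self.threshold:
            if self.mode is Mode.ENFORCE:
                return "deny:risk_score"
            # Observe mode: allow the sale, but flag the account for review.
            self.review_queue.append((account.account_id, score))
        return "allow"


if __name__ == "__main__":
    gate = PurchaseGate(sample_score)
    for acct in (Account("acct-1"), Account("acct-2", 1), Account("acct-3")):
        print(acct.account_id, gate.decide(acct))
    print("review queue:", gate.review_queue)
```

Running in `OBSERVE` mode first shows how many legitimate customers the threshold would have blocked before switching the same gate to `ENFORCE`.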