Your analysis is good but there is one element you're missing: chargebacks. People who accept a lot of donations get hit with chargebacks from time to time and they can be so difficult to deal with that they actually cost the recipient money.
This is a common complaint among people who take donations for a living, such as Twitch streamers. If you ask any streamer, they will tell you they prefer Twitch "bits" over any one-off donation specifically because bits are non-refundable.
Unfortunately, there are people out there who go around donating and then doing a chargeback just to troll streamers they don't like. It's a really frustrating element of the system which happens to be set up to prefer the customer over the vendor in all disputes, making it ripe for abuse.
It seems like any dispute involving a donation should pretty much be lost by default. It’s not as if anyone delivers an inappropriate product for a donation...
Chargebacks are for disputes, not fraud. Provided the merchant did not incur liability by doing something immensely stupid and insecure, the bank is on the hook. If the perpetrator is caught, they will pay restitution to the bank.
That's completely wrong. Chargebacks are _primarily_ for fraud. And any merchant that accepts credit cards over the phone or Internet ("card not present") is liable for fraud, not the bank.
> Provided the merchant did not incur liability by doing something immensely stupid and insecure, the bank is on the hook. If the perpetrator is caught, they will pay restitution to the bank.
Source? As someone who helps support an online credit card gateway, in my experience it is the merchant who has to shoulder the cost (plus an extra penalty fee) of the transaction. Perhaps there are different chargeback policies for card present transactions for physical products, but for online (and therefore card not present) transactions for digital products, I have always seen the merchant have to cover the cost of the chargeback (plus fee). There's a process for disputing the chargeback, saying the customer absolutely made the purchase and got what they were asking for, but almost every time the card would side with the customer, because there was no physical product.
This is one of the reasons when card companies pushed for chip cards, merchants pushed back for chip and pin like cards used in Europe -- to cut down on fraud, which they end up paying for. The only system I've seen where the cost of a chargeback is on the bank instead of the merchant is if the merchant has set up 3D-Secure/Verified by Visa with their products, giving the banks and card companies the opportunity to have an extra login for making the purchase. However, those verify pages are made by the bank, not the credit card company, and are widely unreliable. I tried to set it up for our payment gateway, only to find that some of the banks had completely broken systems for it, leaving customers at an error page instead of buying the product.
It took me giving up buying several products over the last year and complaining to the bank every time before I eventually had the correct key to that puzzle.
The details it asks for are not much better than random.
Stuff like mixing your residential address and postal address, using a neighboring postcode, including random stuff like a building number or weird artifacts like " , ,".
How anyone is expected to figure out the Frankenstein address that MasterCard wants by themselves is beyond me.
> The only system I've seen where the cost of a chargeback is on the bank instead of the merchant is if the merchant has set up 3D-Secure/Verified by Visa...
Verified By Visa is a nightmare, and was killing conversion rates by up to 60%. [1] I'm not sure if it's still the case, but when it first came out Amazon refused to integrate it.
Yes, that was definitely also part of the calculation. We expected clients would not use it, because every extra step destroys conversion rates, but we wanted to at least provide the option.
... But even providing the option was a non-starter, because of how many different banks had completely broken systems. We ended up ditching the feature entirely.
Chargebacks also occur for fraud. It's the merchant's responsibility to detect fraud, not the bank (though banks usually do their own screening too). Worth remembering that if your fraud rate goes above 1%, you can be blacklisted for life by Visa & MC. [1] [2]
You can avoid chargebacks by pro-actively refunding any transactions that look suspicious. And if a real customer asks for a refund, you should always give it to them since they can chargeback anyway. But if it's a stolen credit card that got through, the first you'll hear about it is when you get the chargeback from the real cardholder's bank.
Side note: back in the days of shareware, a few of the 'cracking' groups didn't do any cracking at all. They just used stolen credit cards to buy the software and post the licence codes online - no technical talent involved. I'm looking at you, Team OXiDE....
You would think so, but that's not the case. The problem is that people who receive donations don't have any special status with the payment processor. They are treated like any other vendor, so chargebacks are handled the same way.