Payment Processors are Not Your Friends
Because after all, it is business, not personal.
Rabb Con Content Team
Read Our Editorial Policy
Editorial Policy
All of our content is created by subject matter experts with decades of technology and business systems experience and structured by writers and educators for clarity and ease of use. Every article is fact-checked to ensure accuracy, and we remain objective when analyzing tools, strategies, and methodologies so the information shared is practical, reliable, and grounded in real-world application.
TL;DR
- Payment processors make money when you process transactions, not when you're protected from fraud.
- The settings that would actually protect you? Off by default.
- Merchants lost over $115 billion to ecommerce fraud in 2024, and North America saw a 207% jump in a single year.
- The biggest danger isn't jumping in too fast. It's waiting too long while the gap between you and your competitors widens
- The good news is most of the exposure is fixable — if you know where to look.
What's Actually Happening Out Here
Google recently rolled reCAPTCHA into a broader platform called Google Cloud Fraud Defense. If you sell anything online and don’t know why they made that change, that alone is why this read concerns you.
Here’s what the numbers look like right now. Merchants lost over $115 billion to ecommerce fraud in 2024. Fraud in North America alone jumped 207% between 2024 and 2025. Go argue with your mama about how something can be more than 100% — we are not doing that here. What I will tell you is that for every dollar fraud takes from you, it actually costs you $4.61 once you factor everything else in. Chargebacks, lost product, investigation time, account flags, reputation damage — all of it adds up fast. If you’ve done any online selling this year, you already know first hand why that number is not an exaggeration.
So what is actually happening? It’s the bots. Bots are killing business operations and it’s because payment processors have been too lenient with their default settings. Let’s talk about it.
Need a Primer? Read this first:
- AI SEO vs AI EO — How They Work, Compare, and Which Is Best to Use and When: Understanding how your site gets found is the first step before you can worry about who can use it once they get there.
- Top 10 Design Tips and Cues for 2026: Good design and accessible design aren't competing priorities — here's how they actually work together.
How We Got Here
Bots have always been around, and they aren’t going anywhere, but they only succeed when a new technology or sales strategy is created and the people using it don’t understand the tools they’re working with. In this case, it’s payment gateways and payment processors.
Think back to 2020. The pandemic did more than just change how people bought things, it also changed who was selling. Businesses that had refused to go digital were suddenly forced to. Others who could never afford to make the leap finally had the means, thanks to PPP loans and other assistance that was available at the time.
That was a rough period, no question. But you cannot deny that eCommerce went absolutely berserk. US retail eCommerce grew 33.6% in 2020 alone, hitting nearly $800 billion. By 2021, it climbed to over $900 billion. In two years, the eCommerce market added more new sellers than it had in all of the previous 10 years combined.
That’s a lot of people setting up shop online for the very first time, in a hurry, without a full understanding of the infrastructure they were building on.
And the Fraud Followed Them In.
You’d think that out of the box a payment processor would want to protect itself by defaulting to the most secure settings. But noooooo, they don’t. They typically start you out with the bare minimum — “check if the balance is there” verifications. That’s it. Everything else is on you to configure, and most people never do because nobody told them it was their job to.
Unfortunately, coaches over the past five years have been following a strategy promoted by celebrity coaches — hire the cheapest IT person you can find so you can maximize profits. Go on Fiverr or Upwork, find a nerd, and have them do the work. Small businesses tried to do it themselves, failed, then hired agencies who turned around and subcontracted to those same platforms. Round and round it goes.
That’s not how it works. You’re gonna get what you pay for. A low effort payment setup opens you up to exponentially more fraudulent activity with bare minimum support on the back end. You’ll be able to take people’s money, but security isn’t a real conversation beyond your website’s SSL certificate. When you’re willing to pay people who actually know what they’re doing, you win in the short and long run.
The Real Problem Runs Deeper Than the Budget
But hear me out — honestly, the cheap hiring culture isn’t even the biggest issue. The brunt of the problem is that most people are entering spaces they’re completely unfamiliar with. Tech is booming and it takes way more involvement than hiring a web designer and an automation specialist from Fiverr to run your social media and ads. Couple being under-supported with a fraud network that knows your systems better than you do, and you’re cooked.
And the Consequences Are Not Small.
We’re not just talking about a few unauthorized charges. We’re talking about your merchant account getting shut down entirely. Multiple disputes and chargebacks that seriously damage your financial reputation and your business reputation. Once your account is flagged or closed, getting back into good standing with a processor — or finding a new one willing to work with you — is a process that can take months and cost you significantly more than the fraud itself did.
Why Processors Aren't Going to Save You
So shouldn’t payment processors be more strict out of the box? Why would they do that? Their goal is to make money from YOU. The way they see it, they put the risk and liability in your hands to control, all the while the door silently stays wide open for you to bring in as much money as possible — and when something goes wrong, that’s your problem, not theirs.
The best defense you have is to review your settings inside your payment gateway, your processor, or both. Most people don’t even know those settings exist.
The Settings Most Processors Leave Off by Default
Stripe, PayPal, and Square are the three most common. Here’s what they’re not telling you.
Stripe
Radar rules are off by default and you have to manually enable blocking rules. CVC and zip or postal code verifications are collected but won’t automatically decline mismatches unless you turn that on. 3D Secure authentication is not enforced by default. Velocity limits have no cap on how many attempts from the same card or IP out of the box.
PayPal
AVS, which stands for Address Verification System, is available but not enforced. Seller protection filters require you to opt into stricter transaction reviews manually.
Square
CVV mismatch blocking is not automatic and suspicious activity alerts exist but notifications are off by default.
To be fair, these three processors do have other security protections in place and they typically outperform a lot of other payment gateways on the market. The tradeoff is that processors designed to be more lenient about the types of transactions they allow — the ones that appeal to higher-risk merchants — often come with that leniency baked in by design, and you pay for it one way or another.
Coaches, This Next Part Is Specifically for You
The hardest hit right now are coaches, and a big reason why is the payment infrastructure a lot of them are running on without fully understanding it.
If You're Using NMI With Deposyt, Hold on to Your Seat.
These two are even more relaxed with verification methods than the processors listed above, and the reason is the same — they’re built to allow transaction types and business models that stricter processors won’t touch. Here’s what’s left wide open by default.
Transaction velocity filters are available in the gateway but not enabled by default. AVS mismatch blocking collects the data but won’t act on it unless you configure it manually. The same goes for CVV decline rules. Device fingerprinting exists in NMI but isn’t active out of the box, and duplicate transaction detection has a window setting most people never touch. IP blocking and geolocation restrictions are available but you have to build the rules yourself.
Because Deposyt runs on NMI infrastructure, the settings issue compounds. You may have a layer of settings in NMI and a separate layer in Deposyt that both need to be configured, and most people only know about one layer or neither.
Think about it like comparing a car from 2005 to a car from 2025. Same basic concept — four wheels, gets you where you’re going. But the 2025 version has built-in navigation, backup cameras, lane assist, Apple CarPlay, and you can start it from your phone. And critically — you don’t have to be an engineer to use any of it. The access gap has collapsed.
The chatbot era required technical expertise to deploy and maintain. The agent era is being built on no-code platforms, drag-and-drop automation tools, and subscription software that plugs directly into what you already use. That’s not the same technology at a faster pace. That’s a different category of accessibility entirely.
And Well, Because It's Cheaper
A year ago, building an agentic marketing system required a developer, a serious budget, and a tolerance for things breaking in unpredictable ways.
That’s still true for the complex stuff. But the barrier to entry for the core workflows — lead nurturing, content generation, campaign monitoring — has dropped dramatically. Platforms like Make, Zapier, and n8n now connect directly to AI models. Tools like HubSpot and ActiveCampaign have baked agent-style functionality into their existing interfaces.
You don’t have to build from scratch anymore. You just have to know what you want to automate and be willing to set it up.
Turn These On Regardless of Which Processor You Use
Decline on CVV mismatch. Decline on AVS and postal code mismatch. Block the same card after two to three failed attempts. Flag or block multiple transactions from the same IP in a short window. Require 3D Secure for transactions over a certain dollar amount.
Now be mindful — making your account more restrictive by enabling these settings will almost certainly increase false declines, especially if you turn everything on at once. Some settings could disallow gift card purchases or CashApp cards, for example. Yes, there is a tradeoff. But it is a lot cheaper than losing revenue, losing your merchant account, or spending months trying to clean up your financial reputation after a fraud event takes it out.
One More Layer of Protection
Remember how we started talking about Google Cloud Fraud Defense? Beyond your payment processor settings, there are additional precautions you can put in place at the site level to deter fraud before it even gets to checkout. Things like reCAPTCHA on your forms, bot detection on your landing pages, rate limiting on your checkout flow, and monitoring tools that flag unusual traffic patterns before they turn into disputes.
Your payment processor is one layer. Your site is another. Both need attention.
- Lead qualification agents that score inbound inquiries, send personalized responses based on what the prospect asked, and route hot leads to a salesperson while putting cold ones into a nurture sequence — automatically, within minutes of form submission
- Content pipeline agents that take a topic brief, research current angles, draft an article, check it against SEO targets, and flag it for human review — compressing a multi-day process into a few hours
- Ad optimization agents that monitor performance across platforms, pause underperforming creatives, reallocate budget toward what's working, and generate replacement ad copy when a creative burns out
- Email sequence agents that monitor engagement patterns and dynamically adjust what message gets sent next based on what the subscriber has and hasn't opened
- Review and reputation agents that monitor for new reviews across Google, Yelp, and industry platforms, draft personalized responses, and flag anything that needs a human to handle it
This Is Already Somebody's Monday Morning Routine.
These aren’t cutting-edge deployments being beta-tested somewhere. They’re running in real businesses right now, at a price point that makes sense for companies of almost any size.
This Hits Different Depending on Where You Sit
Take a look at our profiler to get an idea of how things look from your neck of the woods.
The Risks Worth Taking Seriously
Look, the case for agentic marketing is strong. But it comes with real risks, and it’d be doing you a disservice to skip over them. Not trying to scare you — just want you walking into this with your eyes open.
Brand voice drift. The more content you’re generating at scale, the more chances something goes out that doesn’t sound like you — or worse, sounds exactly like you but says something you’d never say. Guardrails and review checkpoints aren’t optional. They’re part of the system design from day one.
Automation without strategy. An agent executing a bad strategy really efficiently is worse than no agent at all. The quality of what you put in — your brief, your audience definition, your goals — determines the quality of what comes out. Garbage in, garbage out. Except now it’s garbage in, garbage out at volume and at speed.
Over-automating the wrong touchpoints. Some conversations should never be automated. A client in crisis. A long-term customer with a real complaint. A prospect who just shared something personal. Knowing where the human line is — and actually holding it — gets more important, not less, as automated volume goes up.
The Goal Is Autonomy With Guardrails, Not Autopilot With Crossed Fingers.
Data and compliance exposure. Agents that touch your CRM, your customer data, your ad accounts carry real security and privacy implications. Know what data your agent is accessing and make sure it’s operating inside your compliance boundaries — especially if you’re in a regulated industry.
How to Start Without Blowing It Up
- Identify your most repetitive, time-consuming marketing task — the thing your team does over and over that follows a predictable pattern
- Map out the steps — what triggers it, what information is needed, what the output looks like, and where a human needs to be in the loop
- Choose the right tool for the complexity — simple sequences can live in your existing email platform; more complex multi-step agents may need a dedicated automation layer
- Run it in parallel first — let the agent do its work while a human does the same task manually. Compare outputs. Catch what it gets wrong before it's running on its own
- Add human review checkpoints before anything goes out under your brand — especially early on
- Measure it — not just whether it's saving time, but whether the quality of the output is holding up over time
One Workflow Running Well Is Worth More Than Five Workflows Running Badly.
Getting started is the whole thing. Momentum is real — and in this case, it’s structural. Once one workflow is running, you start seeing the patterns. You start noticing what else could be handed off. You build the muscle for writing good briefs, catching bad outputs, and knowing where to hold the line on human judgment.
That awareness doesn’t come from reading about it. It comes from doing it. So pick the smallest, most contained workflow you have, get it off the ground, and let that first win show you where to go next.
The Bottom Line
Agentic marketing isn’t a silver bullet. It won’t fix a weak offer, an unclear brand, or a product people don’t want. But for businesses that already have something worth marketing, it removes the execution ceiling — the point where growth stalls not because of strategy but because there aren’t enough hours in the day to do everything that needs doing.
The Gap Between Businesses Using This and Businesses That Aren't Is Growing Every Month.
The businesses that figure this out early don’t just get more efficient. They get compound advantages: more touchpoints, faster response times, more testing cycles, better data, and more time for the strategic and creative work that actually differentiates them.
The best time to start was six months ago. The second best time is now.
Sources
Ecommerce Fraud Statistics and Losses
- Capital One Shopping — eCommerce Fraud Statistics (2025 Report)
- Juniper Research — eCommerce Fraud to Exceed $107 Billion in 2029
- Veriff — Top Six Trends in Online Fraud 2026
Google Cloud Fraud Defense and reCAPTCHA
Ecommerce Growth During and After the Pandemic
Payment Processors are Not Your Friends
CROS™ Fractional vs. CROS™ Managed
See the difference and choose what’s best for your business.
