Making a live-mode test payment to yourself = a payment processor ToS violation?
34 comments
·January 27, 2025Shank
> this is really pretty vital to what ALL of us do as part of our product development/launching/testing process
The whole point of test-mode is that you can run your transaction as if it was running on the live-mode network. The solution is to test in test mode. Live mode just runs real cards, it should be have identically to test mode.
The reason why this is a per-se violation is because you're playing on the real network with real cards, and that means the real anti-fraud systems are active, and the card networks are taking real interchange fees for doing their jobs. If you're already processing a ton of money per day, you probably can fly under the radar with 1-2 non-refunded test transactions that you reimburse yourself for later. But why risk it? If you're breaking the ToS you're risking account termination.
> The Stripe Services Agreement prohibits testing in live mode using real payment method details.
If Stripe or whomever else is your gateway to accepting all payments, why would you poke the bear? Section 6.2 of the Stripe Services Agreement:
> Stripe may immediately suspend providing any or all Services to you, and your access to the Stripe Technology, if:
> (e) you breach this Agreement or any other agreement between the parties;
It's just not worth the risk.
LiKao
> But why risk it?
Because testing environments often still mock some parts of the system and there may be subtle differences between mocked systems and live systems.
When I worked at a company that send out SMS to cell phones, we first tested our system without any connection to the network with our simulated SMS service provider. When we tried to go live, we tested a few live SMS on actual phones we controlled. It turned out, that there were some subtle differences between our mock SMS service and the real service, so we had to stop deployment and first fix the issues.
That was after months of testing in the test environment without any sign of the bug before we tried to go live.
TheRealSteel
But why do they care? You're paying the transaction fees. They're getting their money. If anything isn't it good for the payment processor to get more transactions?
It's a real transaction. Nobody was deceived, the money really changed hands, and the payment processor got their fee.
If I own a physical shop I'm allowed to buy stuff from it if I want, why isn't that also the case for an online store?
I'm not saying it isn't against the ToS, but I agree with OP it isn't obvious why it should be and it seems like almost everybody would test at least one real transaction at some point.
toasterlovin
I think the issue is that one possible scam is to sign up for a stripe account, run a bunch of charges from cards you control, then when the funds from Stripe hit your bank account, you run a bunch of chargebacks. So this policy that allows them to ban accounts that have even a whiff of this going on.
toasterlovin
> But why risk it?
Because production is not staging or test and never will be. At the very least, you’re risking that your production configuration is incorrect and you won’t find out until customers test in production for you. More commonly, as we experienced with Authorize.net, the test environment is subtly different from production and the only documentation for the differences are 6 year old posts in migrated support forum threads.
Just have someone run a charge on their personal card and reimburse them.
null
Brian_K_White
"it should behave identically"
Come on man. Please don't tell me you engineer things based on "should".
"should" means nothing. The only way test something is to test it, not test something else that "should behave identically".
Maybe payments are a special case where you have to do it wrong for some overriding reason, but the general premis to test for real was 100% correct.
king_of_goats
I'm not saying "yeah let's rebel and keep doing it!" or anything like that; now that I'm aware of this I'll be ultra-careful going forward.
My point is -- it seems absurd that people WOULD get their account banned for a couple of trivial test payments. And since this practice seems so widespread in the software developer / entrepreneur community, I think these doomsday soothsayers telling us that your account WILL get banned if you do this are clearly overstating how serious this is and how aggressively it's policed and cracked down on by PPs like Stripe.
theredsix
If you need to test in production, have a family relative or friend buy the product/subscription and then make them whole offline. Also, do not reverse or refund the transaction.
dqv
In SaaS/Software specifically? No. But we did get banned from a gateway in 2013 for doing this and had to switch to an entirely new gateway. We had similar reasoning - we wanted the processing to work seamlessly with our new clients, so we tested it to make sure it worked properly.
It didn't prevent us from signing up with the new gateway though, so I wouldn't be worried about going on any lists if you do get kicked off Stripe.
adrr
Used to do it all the time at a subscription company. Amex complained once since it was their corporate card but that was it. Something about generating fake revenue but it was a few hundred dollars and we were doing $10m in rev at the time.
I think it depends on your processor, stripe uses their own merchant account(PSP) so they are probably stricter. If you had your own merchant account, you can get away with lots of stuff be the processor complains.
matt_s
What you’re describing is probably being detected and flagged as fraud or money laundering by software. If they didn’t have protection in place this would be abused. You can use test credit cards.
They have obligations to shareholders to not allow fraud because that is their entire business on the line. I would assume their end of the integration is more like electricity and always on/working and if there are issues I’d be looking at my code first.
xtiansimon
If you’re really worried about, just get your mom to buy something.
aq9
As long as the amounts are small, and from a variety of cards, no normal (real) card processor is going to notice/care. Cannot speak for Stripe.
andrewfromx
i think the idea is if you code your app using TEST_MODE you can make all the test charges you want with 4111 1111 1111 1111 card. Then when you are ready go live switching to LIVE_MODE with no code changes is guaranteed to work the same but with real cards.
x0xrx
Having extensive experience running billions of dollars through Stripe, this is not accurate. Production is always different, except for the simplest cases.
blackeyeblitzar
> Is this not practically speaking just the common-sense norm before launching your live product? Did everyone else know this and I'm just a moron?
I can’t help you because I’m not familiar with this area. But I just wanted to say that what you’re describing seems very much like common sense to me, and it would seem crazy to me that someone would be placed on an industry wide blacklist for it.
I’m also surprised to hear of this industry wide blacklist. That type of collusion feels like it could easily be abused.
_DeadFred_
You are told very strongly that you are not to do this, way before you get to a point where you are even close to touching live. So it is not common sense at all.
Maybe not industry wide but you could just be banned from say Chase/Paymentech (long time away from payment stuff not sure names now) or whatever processor. But guess what, some vendors only support one processor, or a preferred one has WAY better fee structures so you don't want to be kicked off.
And sometimes when you are a franchise you have to use the franchise approved POS/payment vendor (when you buy say a gas station payment system it doesn't support every payment processor just the subset of those approved for it by the payment system company AND approved by the franchising company/brand for example Exxon).
Also some people own a lot of businesses under an LLC/Corp so getting blacklisted from a payment processor and having 40 sites unable to accept cards could be painful.
So not a good idea to risk it.
Finally the Federal government PROVIDES industry wide financial blacklists. Processors aren't getting in any trouble for collusion for unbanking people/businesses. The left wants to unbank all weapons dealers and right wants to unbank all porn distributors and everyone wants to unbank supporters of warcrimes, drugdealers, etc.
Shank
> I’m also surprised to hear of this industry wide blacklist. That type of collusion feels like it could easily be abused.
MATCH/Terminated Merchant File are well documented to those who pay attention. Visa, MasterCard, and AmEx are happy to rip the payment rails away from businesses who carry undue risk or are perceived to be dangerous. There's an entire list of Prohibited Businesses that Stripe maintains, which more or less echoes what their dependent card networks also have problems with: https://stripe.com/legal/restricted-businesses#prohibited-bu...
The truth of the matter is that this system is not fair, and if you want to use it, you're playing by the payment processor's rules.
king_of_goats
Absolutely makes sense to have something like that, for genuine scammers, mass offenders, etc. But being but on that list for a few measly test payments to make sure your software is working properly? That to me sounds LUDICROUS.
uudecoded
You'll be fine. BUT be sure to keep your live card out of a testing environment, because that's a PCI violation.
_DeadFred_
When I worked on PCI certified software it was a 'you will be fired' thing. If you are just implementing something for a single customer and they have a processor account for a single site, I wouldn't do it but I guess you could. But if they have say 40 sites using this payment processor, and you could bring down all 40 sites so that they can't make any sales?
Edit: Do you really think banks' compliance departments are going to care about your argument? 'I was only doing this thing your documentation says not to do a few times'? 'I only knowing made the first transactions across your gateway in intentional violation of your requirements but I was going to stop violating them later'? Do you want to put your job/work on the line for that?
TheCleric
In banking not only can this be common, sometimes it can be legally mandated. For example I can definitely see this rule being in place to prevent money laundering.
forgetfreeman
I've coded a few payment gateways over the years and spent several weekends neck deep in a few more. I don't remember all of the fine technical details of why payment handlers freak out over this kind of activity. What I do recall is spikes in small charges are a hallmark of a card dump being tested. Anyway this isn't the correct way to test a payment gateway. As stated elsewhere there's a mode flag and test card # that's used to confirm your code is working. Put another way, don't test in prod.
Wowfunhappy
> Put another way, don't test in prod.
There's a difference between "testing in prod", and "testing prod". The former is bad but the latter does seem to me like common sense.
forgetfreeman
If there's a distinction there I sure as hell don't see it. Either you satisfy the conditions (testing, prod) or you don't. Don't test in prod. If that seems questionable for any reason that's a clear indication your dev and/or testing environments are lacking and you know it.
devnullbeef
[dead]
guyfromfargo
[dead]
To me it seemed like common sense that before you push the thing into the real world, no matter how much testing you do, you'd fire a couple test payments on the live version.
Apparently, after reading more into it, if you make a payment to yourself, or to a business where your name is associated with it, this is a violation of the Stripe (and other payment processor) ToS, and you can get your account banned AND even potentially put on a MATCH list that effectively blacklists you from using ANY payment processor in the future. Well over the last several months I've made about a dozen such payments just to test things out and make sure everything was working correctly. Now I'm worried that I'm boned.
If you search the subject online you can find several posts on Reddit where people (mainly the same few people) detail the ominous "hammer-of-doom" consequences that can and likely will result from making a few live-mode test payments like this.
How big of a deal is this really? Is this not practically speaking just the common-sense norm before launching your live product? Did everyone else know this and I'm just a moron? Can anyone in the software developer / SaaS community point to one real-world example of someone they know who had their payment provider account banned for doing this, let alone outright blacklisted and put on a MATCH list, because of a handful of small test payments? I couldn't find any clear examples online, making me think, the severity of this infraction may be overblown.
I'm curious to see where the SaaS / software entrepreneur community is on this issue, since this is really pretty vital to what ALL of us do as part of our product development/launching/testing process. It's got me THOROUGHLY stressed out. Thanks.