Every business that accepts payments takes on risk. In the UK, over £570 million was stolen through payment fraud in the first half of 2024. Fraud, chargebacks, and regulatory missteps eat into a business’s revenue. This can convince payment processors, banks, and financial institutions to consider a business as high-risk—and in some cases, levy fines or lock them out of payment processing. Some risks become obvious quickly, such as a surge in chargebacks or fraudulent transactions, or a business model that operates in legal gray areas. Others are more subtle, and patterns emerge only after the damage is done.

Managing merchant risk means understanding which risks are worth taking and which ones can sink a business. Below, we’ll explain how to assess risk before it becomes a problem and how businesses can protect themselves from the main types of merchant risk.

What’s in this article?

• What is merchant risk, and why does it matter?
  
• How is merchant risk assessed?
  
• How can businesses manage merchant risk?
  
• How does Stripe Radar help mitigate merchant risk?
  

What is merchant risk, and why does it matter?

Merchant risk encompasses all the ways a business can be a financial or legal liability for a payment processor. If there’s a chance that a business’s transactions will cause fraud, chargebacks, compliance issues, or reputational problems, that’s merchant risk.

Here are some different types of merchant risk:

• Fraud risk: Some industries attract more fraud than others. A business that sells digital products, for example, might see more fraudulent purchases than a local coffee shop. If a company’s transactions appear risky, a payment processor must decide if it wants to do business with that company.

• Chargeback risk: When customers dispute charges, banks issue chargebacks, which cost businesses money. Too many chargebacks can put a business in a high-risk category or even get its account shut down. Payment processors keep a close eye on businesses with high dispute rates to avoid financial losses.

• Regulatory risk: Payments are heavily regulated, and businesses have to follow rules around data security, fraud prevention, and Anti-Money Laundering (AML). If a business isn’t following the rules, the payment processor could be liable for fines or other penalties.

• Reputational risk: Some businesses operate in industries that are inherently risky, such as gambling and adult entertainment. A payment provider has to decide whether working with such a business could invite scrutiny or harm its reputation.

How is merchant risk assessed?

Merchant risk is assessed by determining whether a business is a safe bet for processing payments, or whether it’s a potential liability. Payment processors, banks, and financial institutions carefully consider whether a business’s revenue is sustainable and compliant, or whether it’s likely to lead to fraud, chargebacks, or regulatory trouble. Here’s how they calculate merchant risk.

Industry risk

Some businesses are inherently riskier than others. Anything with high chargeback rates, frequent fraud, or regulatory scrutiny is more likely to be flagged. For example, subscription services, adult content, travel, and CBD products tend to have more disputes and compliance challenges than low-risk categories such as food and beverages.

Chargeback and fraud patterns

Excessive chargebacks are a warning sign. The threshold for concern is usually around 1% of transactions (e.g., Mastercard’s monitoring program fines businesses with chargeback rates of 1.5% or higher), but even approaching that can be a problem. High fraud rates from stolen cards, friendly fraud, or transaction laundering are also a concern. A business with a history of chargeback issues or fraud exposure might need a mitigation plan (such as fraud prevention measures and better customer communication), or it might be considered too risky to onboard.

Business model and revenue stability

Businesses with large up-front payments but delayed fulfillment—such as travel agencies, custom manufacturing, or preorders—pose a higher risk. If something goes wrong, customers might not get what they paid for. Processors examine whether the revenue model creates future liabilities that could lead to mass refund requests or chargebacks.

Compliance and regulatory risk

Payments are heavily regulated, and processors have to make sure businesses aren’t cutting corners. That means checking for Payment Card Industry Data Security Standard (PCI DSS) compliance, adherence to Know Your Customer (KYC) and Anti-Money Laundering (AML) rules, and any industry-specific regulations (e.g., cannabis businesses operating legally within state laws). If a business operates in a legal gray area, the processor has to decide if it is worth the risk.

Financial health and history

Processors want to know if a business is financially stable enough to handle refunds, disputes, and operating costs. A history of bankruptcies, sudden spikes in refunds, or negative press can signal instability. Financial statements, credit history, and operational history help demonstrate whether the business can withstand economic downturns or unexpected losses.

Warning signs of business conduct

If a business has a history of deceptive marketing, misleading subscription models, or legal disputes, that’s a warning sign for processors. Some businesses try to make themselves look more appealing by running transactions for illegal sales through lower-risk accounts (i.e., transaction laundering), which can get both businesses and payment providers in serious trouble. Processors look at customer complaints, reviews, and industry reputation to gauge whether a business operates fairly.

How can businesses manage merchant risk?

For businesses, managing merchant risk includes maintaining fraud prevention measures, keeping chargebacks under control, staying compliant, and taking on only liabilities it can handle. The right tools help businesses strike a balance between preventing bad transactions and not causing undue friction for real customers. Here’s how businesses can manage risk without negatively impacting the customer experience or slowing down operations.

Fraud prevention

Fraud is one way businesses lose money and credibility with payment providers. The best fraud prevention tools analyze patterns across broad networks of transactions to flag suspicious activity in real time. Stride Radar, for example, assigns risk scores to transactions, blocks high-risk purchases, and applies extra authentication (e.g., 3D Secure) when necessary.

Chargeback monitoring

Chargeback monitoring tools track disputes in real time, flag patterns before they become a problem, and help businesses provide effective evidence. Some tools let businesses preemptively issue refunds when they see a transaction that is likely to lead to a chargeback, which reduces the risk of getting hit with chargeback fees.

Customer verification and compliance

KYC and AML regulations prevent fraud and financial crime. Compliance software automates customer verification, flags suspicious transactions, and generates the required reports for the authorities. This is especially helpful for industries under strict oversight, such as fintech, gaming, and anything involving high-value transactions.

Proactive risk assessment

Payment providers and platforms use risk scoring to evaluate a business’s financial stability, chargeback history, and overall risk level before approving it. This helps platforms make better decisions about who they work with, and it helps payment processors avoid high-risk accounts that could become liabilities.

Customizable, adaptive security

Customizable fraud tools allow businesses to block transactions from certain locations, flag high-value purchases for review, or require extra authentication when a transaction appears suspicious. The best systems combine smart rules with machine learning and adapt automatically to new fraud tactics.

Payout management

Payout management tools help reduce financial risk for businesses dealing with large transactions, delayed fulfillment, or high refund rates. Some solutions hold a portion of funds in reserve to cover potential chargebacks or delays. Others adjust payout schedules based on risk level to prevent businesses from withdrawing money before it’s clear that transactions are legitimate.

How does Stripe Radar help mitigate merchant risk?

Stripe Radar helps businesses reduce risk with AI, network-wide data, and customizable fraud prevention. These features help stop fraudulent transactions before they cause chargebacks, revenue losses, or compliance issues. Here’s how it works:

• AI: Radar analyzes patterns across millions of businesses worldwide to identify fraud trends in real time. If a stolen card is used on one website, Radar learns from that and can block it elsewhere before it causes more damage.

• Adaptive fraud detection: Radar evaluates every transaction using thousands of signals, including device fingerprinting, IP geolocation, behavioral patterns, and past chargeback history. It also continuously adapts to new fraud tactics.

• Customizable rules: Radar lets businesses fine-tune fraud protection by creating their own rules—such as blocking transactions from certain countries, requiring additional verification for high-ticket items, or flagging specific behavior patterns (e.g., a sudden flood of small transactions from the same IP).

• Risk scoring: Radar gives every transaction a risk score and explains the reasoning behind it. This allows businesses to make quick, informed decisions about which transactions to approve, review, or block.

• Dynamic 3D Secure: Radar triggers Dynamic 3D Secure authentication for extra security only when it detects a high-risk transaction, rather than putting all customers through potentially unnecessary extra steps.

• Dispute and chargeback protection: Radar mitigates the cost of chargebacks and reduces fraudulent disputes by blocking high-risk transactions up front. It also integrates with Stripe’s dispute evidence tools to help businesses respond to disputes.

• Scalable solutions: Radar works with businesses of all sizes. Larger businesses with dedicated fraud teams can use Radar for Fraud Teams, which includes more granular controls, detailed reporting, and advanced automation.