Is this true? I would expect most of Stripe's fraud overhead to be statutory in nature, not something they hire for because they're a concentrated target.

(They certainly have more staff because more volume, but the actual regulatory requirements I'd expect to be roughly the same for the service they provide.)

Stripe was already a big target for basically anyone and anything 10 years ago. Fake merchants, card testers, the works. People were selling guides to defraud Stripe. And we are not even counting just losees due to nonsense like the Fyre festival.

You really don't have to be that big a payment processor for dozens of malicious geniuses to decide that they want to fleece you. If anything, the ROI is better in less sophisticated companies. Most ways to trick a payment company are, if anything, standardized. The smaller company can often be attacked by just changing the API calls, but otherwise taking basically the same actions you would to try to defraud a bigger fish.

> Stripe needs all that byzantine fraud prevention, on top of what they had a decade ago, because they are a huge concentrated target.

This is not true. Every payment processor needs this effort because as soon as you broadcast that you're a payment processor you're going to get about 3-5 scammers a day.

As an aside I really think Mercury bank should audit their onboarding process.