2025-08-14: Payment Processor Fun 2025 -- Making Your Own MSP

Valve and Itch have been in the spotlight for being more or less forced by "Payment processors" to pull certain adult content off their storefronts. The short story of it is Valve pulled a couple of games down while Itch pulled down everything marked mature/adult temporarily and had to sort through their entire library to find certain kinds of content to remove. One of these responses drew more ire than the other, understandably.

I tend to believe this is a factor of how big they are and how much weight they had to swing around to fight back. But that's not really the point of this ramble.

Two of the big things I see repeated over and over in criticism of Itch specifically here:

  1. "Itch should just make their own payment processor!"
  2. "Itch should use one of the payment processors that handles porn then!"

Neither of these are workable, but to understand why you need a weird hybrid background in finance and tech. I happen to have such a background (as much as I loathe the time I spent in fintech). So I've been spending a lot of time trying to express that neither of these are as easy as they seem.

So I'm going to centralize that here.

So Who The Hell Am I?

I'm a career Site Reliability Engineer (SRE). I'm a sysadmin, I'm a coder, I've had my hands in things that run the internet. I also have dual education in Computer Science and Economics (which okay, Econ isn't Business or Finance), and I spent several years working in the Financial Tech (fintech) sector.

I don't anymore. I couldn't handle how awful it was anymore. Outside of the moral concerns, ever see me rant about what I call "helljob"? Fintech, baby! Video and CDNs are a lot more fun.

I have been in conference calls between Visa and banks to sort out funding automation issues. I've had my hand in databases of merchant bank accounts. I've written code for POS terminals.

I would consider myself in the top 1000 or so people in the world qualified to talk on this specific matter.

What Is A "Payment Processor"?

Let's start with this: what are people actually saying when they say Itch should make their own Payment Processor? Well, that's not entirely clear.

"Payment Processor" is an umbrella term that can talk about this entire weird pyramid of institutions that hand payment information up a chain of trust and eventually end up at either banks, or a crediting company like Visa or Mastercard. When you swipe a card or do an online checkout, you talk to one shopping cart provider and it all just works, but there's about five layers of handoff that go on under the hood...

The difference between an MSP and a PayFac is largely academic for a lot of people. It boils down to "Is the company handling the payments acting as a bank for you while holding the funds?"; this is not entirely accurate but close.

So when you deal with a "Payment processor" you're mostly dealing with either an MSP or a PayFac. The key for both of these is to actually get those payments up to Visa/MC/banks/etc, they have to be sponsored by an Acquirer. In layman's terms, to build a payment processor, a bank Visa/MC/etc trusts has to sponsor you.

So a customer buys a thing. Their card info goes to a PayFac, which either goes to the Acquirer to be processed by them or goes straight to a PCN using the appropriate Acquirer's sponsorship and credentials, then when the cash is transferred it is deposited into a merchant bank account. If the processor is an MSP, it goes straight to the merchant. If the processor is a PayFac, it gets paid out to the merchant's bank account in an additional step.

That's a 10,000 mile high view that's also wrong in many discreet but immaterial ways.

Making Your Own PayFac

So let's assume when someone says "Itch should make their own processor" they mean a PayFac. It makes the most sense.

You have to get an Acquirer to sponsor you. Again by "Acquirer" I mean almost universally "Bank". The Acquirer's responsibility in this is to underwrite the PayFac's transactions. This process varies by institution and involves a calculation of risk, the PayFac's assets and ability to handle shortfalls and chargebacks, and what's in it for the sponsor. The Acquirer gets a cut, of course. Many times, the PayFac is a sub-business of the sponsoring bank, or eventually ends up that way.

Sidenote: Look into the weird T-1000 amalgamate that is FiServ sometime. It's fascinating how it's kind of globbed together into a fintech superpower like AT&T did in the 70s/80s for telephony.

This isn't something you just do because you want to. To even get on the radar you need to register with PCNs and pay a large yearly fee. Then you have to find an Acquirer that'll carry and sponsor you. The calculation of "risk" is very particular and I'll get into that later, but needless to say, if your entire business model is "PayFacs keep shutting me down for handling porn so I'm making my own", this is not going to go well for you.

You also have a massive responsibility for security and reliability. Your sponsoring Acquirer will be up your butt making sure your system is secure, reliable, accurate, and trustworthy because it's their money and reputation on the line. You'll need an entire fleet of engineers and ops people to keep this operation running to the specs of the Acquirer and PCN. Not to mention audits, certifications, etc.

I've worked on both sides of this Acquirer/PayFac relationship. Neither side is particularly fun.

Speaking of certifications and security, let's talk about KYC. KYC (Know Your Customer) and KYCC (Know Your Customer's Customer) is a set of regulations built around knowing who is behind a bank account or payment processing transaction. It attempts to tie any transaction of funds to a single human being that can be traced and investigated if money laundering, sanction violations, or fraud is identified. It is not optional.

KYC rules vary by country but for the most part they follow a minimum standard and many countries require KYC to be followed to talk to that bank at all. At minimum you have to tie a bank account/payment relationship to a person's government identification numbers or a business's identification number.

If you're dealing with Paypal, Stripe, etc that is at least bundled up in a much larger deal where hopefully this mega-corp is giving a damn about your security (haha, okay no they aren't). If you're making your own PayFac, you're suddenly responsible for getting and securely storing that information and handing it up to your sponsoring Acquirer. You're also responsible for verifying it, which is an entire new tech stack of regulations and in many cases regulations that conflict.

Frex: Navigating US KYC and EU GDPR at the same time is Fun(tm), which is why most financial systems don't and simply segregate their environments. Another thing that adds complexity and difficulty here.

One of the big things for KYCC though if you're dealing with adult content is enhanced regulations on age verification. If you're taking card swipes for porn, you need to make sure you're not facilitating the participation of minors therein, on either side of the transaction. More verification, more data, more tech, and more security requirements.

How This Relates To Itch

So Itch is, as I understand it, run by one person with some part time help that might add up to 3 or 4 full time workers. Also as I understand it, that one person has to actually cut digital checks to creators by hand, or at least manually run batch payouts. In a way Itch is already acting as a PayFac but not really. They're just taking in funds and handing them out over a real PayFac like Paypal. Like I said, this is a merchant/sub-merchant relationship.

As they sit today they're not getting within a parsec of being able to do all this.

Hell, Valve probably doesn't have the staff to do it. They'd need to double their staff and make a dedicated PayFac division for it, given Valve is about 300 employees total.

And if either of them did? They're still beholden to a bank that wants to minimize risk and maximize reputation, and that bank is still beholden to Visa and Mastercard. So if Itch did all of this, they'd still end up in this same situation sooner or later because the actual problems in that chain are still there and still have power.

What About Becoming An Acquirer Then?

Visa claims to have a "Direct transaction submission API" and you'd think that means they have a pathway to hopping on and doing the thing. Well it's limited to Acquirers and entities sponsored by Acquirers specifically for "Direct API Use" only.

Becoming an Acquirer has requirements in the "If you have to ask, you don't meet them" bin, but you need to be or partner directly with a bank, pass a ton of certifications, and have the credit and cashflow to cover all the transactions swiped through your infrastructure.

"Be a bank" is a tall hurdle to cross. I recall reading, but can't source it properly now, that to even get past the first line of forms, you need $5m in cash on hand or investments.

But Wait, Itch Was Violating PayFac TOS All Along!

Yup. Both Paypal and Stripe forbid using them to transact for sales of adult content.

The PayFacs though, when they're not moralizing, don't actually care about the "Eww porn" aspect. They care about the risk. So unless a ton of chargebacks show up, or someone points out the violation and demands it be corrected, they don't tend to run to squash this kind of thing.

Tend to. I've heard stories of indie furry artists getting their accounts nuked for someone going "Thanks for the porn :)" in checkout comments. Furry artists: Always invoice; commissioners don't get a comment field then.

But yeah, Itch was violating both TOSes all along and was just hoping they didn't call them to task on it. Now that this has happened I imagine that's a far bigger problem to be addressed.

You Keep Using That Word: Risk

"Risk" when talking about banking has a specific definition and feel to it. It's not just talking about the chance something may happen, but a specific financial formula accepting that fraud and chargebacks are going to happen, and who has the funds to cover those when they do.

Every business relationship in the financial world has a risk assessment attached to it. Two entities getting bed together say to each other "If something bad happens and money disappears, whose wallet does it come out of?". The shape of this is almost always an entity on the chain is directly responsible to everyone above it. So a PCN looks to an Acquirer to underwrite transactions, the Acquirer is looking to MSPs and PayFacs to be able to cover if they screw up, and MSPs and PayFacs recover lost funds from merchants when possible to cover those mistakes.

So the merchant is left holding the bag unless the MSP or PayFac legally can't get their costs back that way, or they consider it worth the good press to let it go. You see this a lot in Paypal where a chargeback or dispute will eventually end up as a debit pulled back out of the merchant's account.

Risk that cannot be covered like this manifests in one of three ways in a business relationship:

  1. Termination of the relationship because the risk is too great for the rewards
  2. A requirement someone escrow funds as a "rainy day fund" if something bad happens
  3. Higher fees to justify the risk

When we're talking a giga-corp like a bank dealing with a small potato like Itch? You're more likely to see result No1 than the others. No, you need to lump that risk in with a bigger fish that Acquirers will deal with...

High Risk Facilitators And You

All this talk of risk leads into the other criticism I've been hearing: Why doesn't Itch just find a payment processor that won't screw them? Welcome to the world of High Risk PayFacs and MSPs!

High risk processing is exactly what it says: processors, MSPs, PayFacs, etc who are willing to shoulder the risk of more dangerous types of processing in exchange for, typically, massive fees. Adult content is by definition a high risk industry, mostly due to chargeback rates and PR.

You can get into the why of porn being high risk, and if it should be. Truth is for whatever reason you have more chargebacks in porn; you just do. People who buy something then regret it, people who buy something then their spouse sees their credit card bill, people who just think they can buy something and dispute the charge later. My first real job was a cable company CSR gig. I got 3-4 calls a day where people went "Where did this porn PPV come from? I didn't buy it!"; it happens. Multiply that by hundreds of CSRs and 365 days... Yeah, high risk.

Also a lot of "High risk" PayFacs still don't support adult content, because its legal risk surface is huge. They'll handle gambling, and guns, and short margin trades on the stock market, but not porn. Tch.

But let's talk about one that does: CCBill.

You're most likely to see CCBill if you deal with an APAC region indie or doujin storefront that offers hentai or ecchi content. They have a pretty dang wide content policy on what they'll handle, and their TOS deals mostly in "Don't do illegal stuff that'll get us in trouble". They would, 100%, service Itch for their adult content!

...for a 15% + $1/swipe fee, with a requirement that the payout go to their sponsoring bank. They're a proper MSP where they partner with a bank and you run a merchant account with them as a bank customer. Their merchant bank charges handling fees of their own; I did not get a clear picture of what they are, but 15% and a buck is just a starting point.

Oh, and that whole "Risk may require an escrow to cover chargebacks" thing? They require 25% of a rolling total of your yearly payouts be kept in the bank account to pay off chargebacks and potential fraud.

To compare: the average fees for normal risk payment processing are around 3% and can pay out in as little as 24 hours. High risk payment processing is ridiculous.

Also there's a decent chance your bank will just say no to CCBill, because it's so intertwined with high risk industries. You may set off fraud alerts trying to pay out to them to buy something. I have every time I've dealt with them.

Yeah, I've bought horny stuff. Fight me.

CCBill is pretty industry standard for high risk. Epoch is another high risk processor that pushes a 15% rate. Just to address any concern that I cherry-picked the worst example. These two are considered the big players.

On top of this, if you're in a high risk industry someone has to register this risk with PCNs. They charge $500-1000/yr each to do this. Who pays this fee depends on which MSP/PayFac you use. CCBill manifests this as a monthly fee on the account they're holding your money in escrow in.

They'll also just happily screw you over, because they know your options are limited. Every high risk MSP has shite reviews for a reason.

What I'm saying is yes, Itch could deal with CCBill or Epoch for porn. It would be a nightmare at every level and they probably can't afford to. Even only sending 18+ game purchases to them, there's giant recurring fees just for the privilege.

Also there are people I trust who have been around this block, like the Dreamwidth founder who say every high risk MSP ever forbids this practice of split horizon processing.

None Of This Would Actually Help

But at the end of the day, none of this would actually improve the situation.

What happened here was the entire payment processing chain reached down and told Itch to stop taking swipes for not just "adult content" but specific titles they found morally objectionable. They did this under pressure from a political action group who pushed them to do this.

If you take anything from this awful wall of ADHD infodumping it should be this: No matter who you are in the stack of payment processing, you are beholden to someone that can be influenced either by a PAC, by moralizing busybodies, or by an annoying aggressive call-in campaign.

Let's talk about Fetlife. Fetlife is a fetish/BDSM hookup site and discussion forum. They take donations. In 2017 they announced they had been contacted by one of their MSPs and told they were being dropped, because "a PCN" reached out to the MSP and said to drop them. Fetlife had two MSPs, just in case this happened. The second MSP dropped them a week later.

This wasn't a single MSP doing it. This wasn't needing to find a high risk merchant account. This was a PCN itself (they never disclosed which one) shutting them down. They did it over hypnosis and TPE groups and claiming they dealt in non-con and human trafficking. To keep being able to take in funds, they eventually had to ban multiple groups and any discussion of multiple fetishes.

I'm not getting into the morality of this, that isn't the point. The point is Visa and MC themselves can and do moralize over the content they allow to be bought with card swipes. In my opinion, even the immorality of some of this? It's not their job to police that.

But they do, and it manifests here in targeting specific titles on Itch that danced in the same spaces. It's a pattern, and it would continue even if Itch found a different avenue for taking payments.

What If We Did It Without PCNs?

All of this talks about the payment card ecosystem. What if we tried to Not?

Let's propose a service that takes funding by other means, runs a balance for you, and pays out to merchants via other means. What means? You have a few options for funding:

... this is looking a lot like how ransomware and scam artists solicit payments, isn't it? Your bank will think so too.

ACH is insecure to the point of being dangerous. More and more sites are starting to prefer it over credit cards because of processing fees. My local power company keeps trying to get me to pay my bill with ACH; heck that. I don't think many people will willingly plug their bank details into a random website that may get popped and spill them to an attacker. At least with PCNs you're supposed to hand the card info up to an API and get a token that can expire and not be re-used.

Wire transfer could be neat. A lot of banks offer online wire transfers and you could push funds into a wallet somewhere. They come with huge fees and big turnaround times, and most banks will panic if you do a lot of them; but that can be dealt with. The consumer has zero protection though; a storefront can just pocket the money and walk off. A lot of entities that can't deal with PCNs tend to do it this way. The fees would require a change of approach where you fund a wallet with a lump sum, rather than one transfer per purchase: you can expect $20 fees per transfer. Not great for a digital storefront.

Post-edit: I'm learning now wire transfer is far more common in the EU than it is in the US, with lower fees and faster turnaround time. For a comparison point, that $20 fee per transfer comes straight from my personal banking stories. I used to pay rent with wire transfers (I'm now realizing it's possible my former landlord didn't even own the house I was staying in; that's a story for another day).

No one is going to send paper checks to Itch to buy games. I don't think anyone could reasonably disagree here.

Crypto ... I could write an entire article about crypto and its problems and benefits. Let's say here "Yeah they could, but that's an entire other discussion and a hotly contested matter"

Payments cards are interesting though because some regions have this. This is something I'm just learning about myself, to be honest. The main example I see is the Japanese "Convenience store prepayment" method, where you go to a convenience store and fund an account with cash, then spend that cash on digital storefronts. This would probably be your killer option if it existed globally. It doesn't. Itch might be big enough for "Itch cards"? I doubt it though. Steam already is and does.

Oops, A Regulator Said You're A Bank Now!

The US and EU banking regulators would be all over most cash escrow things in a heartbeat if it got popular. In reality, banking regulation tries to slither in to anything that lets you buy points with cash then exchange those points back out for cash. Anything trying to play in this area would probably fall under US 12 CFR 1005E in the US. Then you have the risk of someone using this for laundering. That's a government-sponsored colonoscopy you do not want.

At the end of the day you have to pay creators back out. Which is this entire thing but from the other side, and you can't use Paypal, Stripe, PCNs, etc to do it because that would expose the same attack surface as before.

Finally, none of these options protect anyone in the chain. A fraudulent transfer typically, if the sender can get it pulled back, gets pulled straight out of the recipient's account. Paper checks are a bit harder to pull back but the processing time is weeks once you include sending the check. Payment cards are an entire fertile ground for fraud but at least the storefront and creator would be protected.

tl;dr: PCNs and PayFacs also insert themselves into the process as a big meaty target for fraud accusations and regulatory action. Without them you don't have that protection, token as it is in some cases. I don't think Itch could afford to litigate Collective Shout suing them, or reporting them to the FBI, any more than they could afford to fight Collective Shout having their PayFac kill them.

And Remember: Itch Probably Isn't Making Money

You can buy something on Itch and give Itch itself $0. Many people do. Many more people are doing so now as some form of boycott or protest. There are many anecdotes that say that Leafo runs Itch completely on their own, even going so far as to hand-process payouts and do their own social media and PR. I'd call that overworked, but that isn't the point either.

Recently a journalist (I don't want to even draw attention to the thread) reported Itch "knew for two years this was coming" (dubious), and did nothing about it mostly due to a lack of resources. They recommended boycotting Itch to punish them for this.

My take here is this: there was never a reality on the table where pressure would force Itch to somehow find a solution faster, or a better solution. They lack the resources and can't absorb the fees of high risk processing. The reality here is this pressure is more likely to kill Itch than improve the situation.

In my opinion, what they need is support coupled with the pressure to use that support to find a better solution. That may involve a surcharge on adult content and piping those transactions through a high risk MSP. That may involve saying "We have to institute a minimum share on purchases" and using those funds to expand staff and develop a better option.

To do so at this particular moment though would be the PR nail in the coffin. But regardless, if they didn't "do better" because of resources, denying them resources won't fix it!

If you're thinking, or saying "Maybe Itch, run by basically one person, shouldn't be holding up the entire indie gamedev space and especially the entire queer space", I can't fault you for that. I think you're right.

Actually changing that is hard AF though. It's gonna need work from many people.

What About That FOSS Storefront Someone Made?

lol, lmao.

Okay, to be serious, I applaud it. Having more options is good. Being able to self-host this stuff if you choose to step away from Steam and Itch is good. In a way you even distribute your risk of things becoming lost media. Cool.

It does little to help the people most impacted: broke indie devs buying food with sales, and the people targeted by the takedown.

The former group isn't gonna be jazzed to take on more work and cost to self-host their storefront, and the latter is assuming all the risk of running a storefront in violation of their PayFac's policies on their own. Now, how likely is it that the dev of "Backdoor Sluts IX" or "My Queer Fetish VN That Is Actually About My Trauma" is gonna be singled out by Collective Shout's PAC, or a PayFac, and shut down? Far less than if they were swept up in a content purge of Itch. But also if it happens they're completely on their own to navigate it.

Those storefronts also typically recommend using Stripe, who was first in line to bonk Itch at the start of all this.

So basically this entire thing is an expansion of the boycott/protest movement and doesn't actually help the people impacted, short of a show of token solidarity.

So my take on it is "Ignore the moral/sociopolitical surface and make the choice that fits your needs and risk the best". Hey, maybe do both!

For the love of gods though, don't get in bed with a high risk MSP as a small indie creator. They will take you to the cleaners.

I Talk Too Damn Much: tl;dr

In short, just making your own payment processor is hilariously difficult and far beyond the means of Valve let alone Itch. Depending on what the speaker means by "Payment Processor", they may be suggesting making your own bank, or somehow convincing a bank to let Itch shove payments through them; who will eventually do the exact same thing as what happened here. There's no winning play there.

Finding another processor comes with it dealing with "High Risk MSPs" that will charge you out the ass, keep your money for up to six months, and will just screw you over because they know they can. Every high risk MSP is both in the dumpster review-wise, and likely to trigger a fraud alert with customer banks.

And on top of all of that, Visa and Mastercard themselves can be pressured into censoring content, and they own the entire tree. No matter where you go, there they are. No matter where Itch goes here, it's likely this will happen again. This is not Itch's fault and they have no recourse.

So I guess I'm asking for some understanding, both of Itch's position, and the entire landscape, before declaring them at complete fault and dumping them in the sewer with all the other bad actors.

Because I don't think they can afford it and a lot more is at stake than one org and a couple of eroge devs.

At The End Of It, This All Sucks

Capitalism sucks. The economic ecosystem sucks. People unrelated to transactions in any way except "They have the tech to facilitate them" deciding that entire industries don't get to make money and feed their staff because "It's risky to handle these payments" suck. That these entities can also be attacked by PACs and shamed into being the morality police sucks.

This is a lot of "Talking about how it is" and I want to make clear I find it all disgusting. Your ability to buy things in a modern world is moderated by a bunch of rich people and giga-corporations that have a borderline feudalism system of trust where you have to pay big money and already be big money to get on the ladder. Then you can charge big money to anyone who wants to step on behind you.

And they're all moralizing jackasses or beholden to them.

We need far more than a different PayFac or a different Itch. We need an entire different way of transferring funds online.

But I still hate crypto.

tags: tech