# Merchant Processors for Small Business: Keep More of Every Sale, and Don't Get Your Payment API Owned

Two ways small businesses lose money on card payments: the processor's cut and a broken payment API. A 2026 read on Helcim, Stripe, Stax, Dharma, surcharging, and ACH, plus the prompts and checks that keep your payments from getting owned.

Author: J.A. Watte
Published: June 29, 2026
Source: https://jwatte.com/blog/blog-merchant-processors-small-business/

---


Money leaks out of a small business that takes cards in two very different places, and most owners only think about one of them.

The first leak is the obvious one: the processor's cut. Somewhere between 1.9% and 3.5% of every card sale disappears into fees, and for a lot of businesses the wrong processor quietly costs four figures a year that the right one would not.

The second leak is the one nobody puts on a spreadsheet until it is too late: a payment integration that an attacker can walk through. The first leak costs you two percent. The second one can cost you the whole account, your customer database, and your ability to take payments at all. This post covers both, because doing one without the other is leaving the back door open while you haggle over the rent.

## Part one: the processor's cut

### The only pricing models that actually matter

Ignore the marketing names. There are really four ways a processor charges you, and the difference between them is most of your savings.

**Flat-rate.** One blended percentage plus a few cents, the same for every card. Square and Stripe's standard pricing. Dead simple, predictable, and the most expensive option once you have real volume, because the processor keeps the difference whenever a customer pays with a cheap card.

**Interchange-plus.** You pay the true network cost (interchange, which the card networks set and nobody can avoid) plus a small, visible markup. Helcim and Dharma. This is the transparent model, and it is almost always cheaper than flat-rate above a few thousand dollars a month, especially if a lot of your customers use debit.

**Subscription.** A flat monthly fee, then interchange at cost with zero percentage markup. Stax. Makes sense only when your volume is high enough that killing the percentage markup saves more than the monthly fee.

**Surcharging or dual pricing.** You pass the card fee to the customer (where the law allows it), so the cost comes off your books entirely. The single biggest lever, and the one with the most legal fine print.

There is also a fifth thing that is not a card model at all but belongs in the conversation: **ACH and bank debit**, which is dramatically cheaper for recurring and B2B payments. More on that below.

### Helcim: the default margin pick for most growing businesses

[Helcim](https://www.helcim.com/pricing/) is interchange-plus with no monthly fee, no setup fee, no PCI fee, and no cancellation fee. In-person markup starts at interchange plus 0.40% plus 8 cents; online starts at interchange plus 0.50% plus 25 cents. Helcim publishes blended effective averages of roughly 1.93% plus 8 cents in person and 2.49% plus 25 cents online. The markup shrinks automatically as your trailing volume grows, which is rare in this industry.

Because there is no fixed monthly cost to amortize, the savings start from your first dollar. For a typical retail, service, or B2B seller doing a few thousand a month or more, this is the one I reach for first.

The catch: fixed per-transaction cents make tiny tickets (sub-ten-dollar average sale) relatively expensive, and below roughly three to five thousand a month the simplicity of Square or Stripe often wins anyway.

### Stripe: built for developers, priced for simplicity

[Stripe](https://stripe.com/pricing) is flat-rate: 2.9% plus 30 cents online, 2.7% plus 5 cents in person, no monthly fee on standard pricing. The APIs and documentation are the best in the business, the product suite (subscriptions, marketplaces, fraud tools) is deep, and the global coverage is unmatched.

The margin cost of that simplicity is real. Flat 2.9% means you overpay on debit and regulated cards because Stripe does not pass the cheap interchange through by default. The 30-cent fixed piece punishes small tickets. The margin play inside Stripe is to push recurring and high-ticket invoices onto Stripe's ACH rail (0.8%, capped at $5.00) instead of cards, which I will come back to.

### Square: the benchmark you should beat

[Square](https://squareup.com/us/en/payments/our-fees) is the easiest on-ramp in payments and the most expensive flat rate once you have volume. The free plan is 2.6% plus 15 cents in person and, as of January 13, 2026, 3.3% plus 30 cents online (up from 2.9% plus 30 cents, roughly a 14% increase on that lane). Paid plans at $49 and $149 a month per location shave the in-person rate but not enough to change the math for most.

Square is the right call for a brand-new business, a pop-up, or anyone who values the free all-in-one POS over squeezing margin. It is the wrong call once you clear roughly ten to fifteen thousand a month. At that point staying on Square Free is pure margin leakage, and it is the benchmark every option below is built to beat.

### The less-mainstream options that move the needle

This is where the real question usually lives: who is not on every billboard but actually helps margins.

**Stax (formerly Fattmerchant)** is the subscription model: roughly $99 a month up to $150K a year in volume, $139 up to $250K, and $199 or more above that, with 0% percentage markup over interchange (you still pay interchange plus about 8 cents in person or 15 cents keyed). At higher volume the eliminated percentage markup dwarfs the monthly fee. Breakeven versus flat-rate usually lands around eight to ten thousand a month. Confirm the current tier thresholds directly, since they move.

**Payment Depot** (now owned by Stax) shifted from its old membership tiers to interchange-plus, with a quoted markup of roughly 0.2% to 1.95% over interchange and no standing monthly subscription on the current model. The win depends entirely on negotiating toward the 0.2% floor rather than accepting a high quote. Watch the $19.99 a month PCI non-compliance fee if you skip the attestation.

**Dharma Merchant Services** publishes some of the lowest interchange-plus markups in the market: interchange plus 0.15% plus 8 cents for retail, interchange plus 0.20% plus 11 cents for ecommerce, and an explicit nonprofit tier at interchange plus 0.10%. There is a small flat monthly account fee (historically around $20, more for higher-volume accounts; confirm the current number). For a steady ten-thousand-a-month merchant who values transparency, the tiny markup beats almost everything.

**CardX (by Stax)** automates compliant surcharging. A 3% surcharge is applied to credit transactions and paid by the customer, so a $100 sale nets you about $100. Debit is never surcharged (that is federal law), so debit customers keep a fee-free path. The value here is the compliance automation, because surcharging is where small businesses get fined for getting the signage, receipts, and state caps wrong. More on the rules in the strategy section.

**GoCardless** and **Stripe ACH** are the bank-debit play. GoCardless is 0.5% plus 5 cents capped at $5 on its standard plan with no monthly fee; Stripe ACH is 0.8% capped at $5. On a $2,000 invoice, ACH costs about $5 versus roughly $58 on a 2.9% card. For subscriptions, retainers, rent, tuition, and large B2B invoices, this is an 80%-plus cut, at the cost of three to four business days of settlement.

**National Processing** is worth a quote as a low-markup interchange-plus alternative (it advertises around interchange plus 0.3% plus 30 cents and underwrites some higher-risk verticals Dharma and Helcim will not). Pricing is quote-based, so get the monthly fee and per-transaction cents in writing before you switch.

### The comparison, at a glance

| Processor | Model | Headline rate | Monthly | Best for |
|---|---|---|---|---|
| Helcim | Interchange-plus | IC + 0.40% + 8c in person / IC + 0.50% + 25c online | $0 | Most growing SMBs wanting transparency with no fixed cost |
| Stripe | Flat-rate | 2.9% + 30c online, 2.7% + 5c in person | $0 | Online and developer-led businesses needing strong APIs |
| Square | Flat-rate | 2.6% + 15c in person, 3.3% + 30c online (Free) | $0 / $49 / $149 per location | Brand-new, low-volume, pop-up sellers |
| Stax | Subscription | 0% markup + interchange + ~8c/15c | $99 to $199+ | Established merchants above ~$10K/month |
| Payment Depot | Interchange-plus | IC + 0.2% to 1.95% (quoted) | $0 (current model) | SMBs who will negotiate toward the floor |
| Dharma | Interchange-plus | IC + 0.15% + 8c retail / IC + 0.20% + 11c online | ~$20 | Values-driven SMBs and nonprofits at ~$10K+/month |
| CardX (Stax) | Surcharge | 3% credit surcharge paid by the customer | Quote | Surcharge-legal states, higher-ticket sellers |
| GoCardless | ACH | 0.5% + 5c, capped at $5 | $0 (Standard) | Recurring and B2B billing via bank debit |
| Stripe ACH | ACH | 0.8%, capped at $5 | $0 | Stripe users moving invoices off cards |

Rates verified against the providers' own pricing pages in June 2026. The quote-based ones (Payment Depot, CardX, National Processing, and Dharma's monthly fee) should be confirmed in writing before you commit.

### The margin strategies that survive a re-quote

- **Know your real effective rate.** Pull your last statement, divide total fees by total volume. That single number tells you whether you are overpaying. Most owners have never calculated it.
- **Cross the line from flat to interchange-plus.** Flat-rate is fine at very low volume. Above roughly eight to fifteen thousand a month, interchange-plus or a subscription almost always wins, and the win is biggest for debit-heavy businesses because flat-rate pockets the cheap debit interchange that interchange-plus passes through.
- **Move recurring and B2B onto ACH.** A $2,000 charge that costs about $58 on a card costs about $5 on ACH. Default your invoices and subscriptions to bank debit and reserve cards for small or one-off sales.
- **Surcharge where it is legal, carefully.** This removes about 2.5% to 3% of card cost from your books. The card-brand caps are 3% for Visa and 4% for Mastercard, and the surcharge can never exceed your actual cost. Debit can never be surcharged, in any state. Surcharging is banned in Connecticut, Massachusetts, Maine, and Puerto Rico; capped at 2% in Colorado and 1% in Illinois; New York requires the fee to equal your actual cost; and statutory bans in California and Texas have been ruled unconstitutional but are still worth running past counsel. You must register with the card brands about 30 days ahead and post compliant signage and receipt disclosures. Dual pricing (two posted prices, the customer chooses) is the safer, generally all-fifty-states cousin when it is structured correctly. Use a platform that automates the compliance, because the fines for getting it wrong are not small.
- **Submit Level 3 data for B2B.** If you take commercial or purchasing cards, enhanced line-item data qualifies transactions for lower commercial interchange. One 2026 change to know: Visa retired its Level 2 commercial program around January 2026, and from roughly April 2026 only full Level 3 data qualifies for the reduced Visa commercial rate. Make sure your gateway supports Level 3 submission.
- **Refuse tiered pricing.** Tiered or "qualified / mid / non-qualified" bucket pricing is where merchants overpay the most, because the processor downgrades your transactions into expensive buckets you cannot see. Insist on interchange-plus or a flat subscription where the markup is one visible number. Read the schedule of fees, not the headline rate, and watch for PCI non-compliance fees, statement fees, batch fees, and monthly minimums.
- **Re-quote every year.** Pricing drifts upward (see Square's January 2026 hike) and reseller markups creep. Month-to-month, no-contract processors make switching free, so there is no reason to tolerate rate creep. Use a competing interchange-plus quote as leverage.
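To put numbers on the first three strategies (effective rate, the flat-to-interchange-plus crossover, and ACH versus cards), here is an added fee-model calculator built from the rate cards quoted above. It is not a tool from this post or from any processor, and it assumes an average interchange backed out of Helcim's published blended averages, since the networks' actual interchange for your card mix is not on this page.

```python
"""Fee-model comparison built from the rate cards quoted in this post.
Added example. Assumption: average interchange is not published here, so it
is backed out of Helcim's blended averages (1.93% = IC + 0.40% in person,
so IC ~ 1.53%; 2.49% = IC + 0.50% online, so IC ~ 1.99%). Your mix differs."""
from dataclasses import dataclass

IMPLIED_INTERCHANGE = {"in_person": 0.0153, "online": 0.0199}  # derived assumption


@dataclass(frozen=True)
class RateCard:
    name: str
    pct: float             # flat rate, or markup over interchange when ic_plus
    fixed: float           # per-transaction fee in dollars
    monthly: float = 0.0   # fixed monthly fee
    ic_plus: bool = False  # True: implied interchange is added on top of pct


# Rate cards from the comparison table. Assumptions: Stax modelled at its $99
# tier (under $150K/year) with its keyed 15c used for online; Dharma at ~$20/mo.
CARDS = {
    "in_person": [
        RateCard("Square Free", 0.026, 0.15),
        RateCard("Stripe", 0.027, 0.05),
        RateCard("Helcim", 0.0040, 0.08, ic_plus=True),
        RateCard("Dharma", 0.0015, 0.08, monthly=20.0, ic_plus=True),
        RateCard("Stax ($99 tier)", 0.0, 0.08, monthly=99.0, ic_plus=True),
    ],
    "online": [
        RateCard("Square Free", 0.033, 0.30),
        RateCard("Stripe", 0.029, 0.30),
        RateCard("Helcim", 0.0050, 0.25, ic_plus=True),
        RateCard("Dharma", 0.0020, 0.11, monthly=20.0, ic_plus=True),
        RateCard("Stax ($99 tier)", 0.0, 0.15, monthly=99.0, ic_plus=True),
    ],
}


def monthly_cost(card, volume, avg_ticket, channel):
    """Total fees for one month at the given volume and average ticket."""
    pct = card.pct + (IMPLIED_INTERCHANGE[channel] if card.ic_plus else 0.0)
    return card.monthly + volume * pct + (volume / avg_ticket) * card.fixed


def effective_rate(card, volume, avg_ticket, channel):
    """The one number the post says to compute: total fees / total volume."""
    return monthly_cost(card, volume, avg_ticket, channel) / volume


def rank(volume, avg_ticket, channel):
    """Cheapest first: [(processor, monthly cost), ...]."""
    costs = [(c.name, round(monthly_cost(c, volume, avg_ticket, channel), 2))
             for c in CARDS[channel]]
    return sorted(costs, key=lambda nc: nc[1])


def breakeven_volume(flat, other, avg_ticket, channel, step=500.0, limit=100_000.0):
    """Smallest monthly volume (in `step` increments) at which `other` beats `flat`."""
    volume = step
    while volume <= limit:
        if monthly_cost(other, volume, avg_ticket, channel) < monthly_cost(flat, volume, avg_ticket, channel):
            return volume
        volume += step
    return None


def ach_vs_card(amount, card_pct=0.029, card_fixed=0.30, ach_pct=0.008, ach_cap=5.0):
    """Stripe card vs Stripe ACH on a single invoice: (card_fee, ach_fee)."""
    return round(amount * card_pct + card_fixed, 2), round(min(amount * ach_pct, ach_cap), 2)


if __name__ == "__main__":
    for name, cost in rank(10_000, 50, "in_person"):
        print(f"{name:16s} ${cost:8.2f}/month")
    print("Stax beats Square Free from $%.0f/month" %
          breakeven_volume(CARDS["in_person"][0], CARDS["in_person"][4], 50, "in_person"))
```

At ten thousand a month in person on a $50 ticket, the ranking reproduces the post's claims: Dharma and Helcim lead, Stax's subscription has crossed below Square at about $8,500, and the $2,000 invoice costs $58.30 on a card against $5.00 on ACH.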

The short version: for most growing businesses, Helcim is the best general-purpose margin pick, Dharma has the lowest published markup, Stax wins at high volume, surcharging is the biggest single lever where it is legal, and ACH is the answer for anything recurring. Square is the rate you should be beating.

## Part two: the leak that takes everything

Saving two percent on processing does not matter if someone can drain the account. And the way that happens is almost never an exotic zero-day. It is ordinary mistakes in the code that sits between your customer's card and your processor.

The clearest illustration I have read recently is a piece by Ramesh Kannan, **"I Hired a Penetration Tester to Attack My FastAPI App. He Owned Everything in 45 Minutes."** A solo developer paid a freelance tester to attack a staging clone of his production app: a few thousand users, real money through Stripe, customer PII in PostgreSQL. The tester was handed an ordinary low-privilege account and the URL, and he took the whole thing apart in forty-five minutes using techniques out of any security textbook. It is worth reading in full. Here is the chain, and what each step means for anyone who takes payments, on any framework.

1. **The docs handed over the map (minute 8).** The framework's auto-generated API docs were left enabled in production. Before sending a single attack, the tester read the entire database schema, learned which endpoints were admin-only, and found a forgotten admin route still listed. Lesson: do not publish your attack surface. Disable interactive API docs in production and keep internal fields out of your response models.

2. **Any token could read any record (minute 14).** A deprecated "get user by ID" endpoint had silently lost its admin check during a refactor. Any logged-in user could read any other user's record by changing the number in the URL. He walked from his own ID to the admin's and pulled the admin's email, password hash, phone, and API keys. This is the single most common serious API flaw, and it has a name: broken object-level authorization, or IDOR. A valid login proves who is calling, never what they are allowed to touch.

3. **A leaked secret forged an admin (minute 22).** Tokens were signed with a single shared secret that had been hardcoded in a config file and pasted into a public repo's issue tracker months earlier. The issue was deleted, but it lived on in Google's cache, because anything you paste into an issue or a chat is effectively permanent. With the secret, he forged a valid admin token outright. No theft required.

4. **One string-built query dumped the database (minute 31).** A "custom report" endpoint, assumed safe because it was admin-only, built a SQL query by gluing user input into a string. Reached through the forged admin token, a textbook injection payload dumped every user's email, password hash, and Stripe customer ID in under a second. The developer assumed his ORM protected everything; this one endpoint bypassed it.

5. **The payment webhook had no working lock (minute 38).** The Stripe webhook handler called the signature-verification function, but a leftover debug try/except swallowed the failure and processed the event anyway. He forged a "payment completed" event to grant himself a paid account for free, then used his admin access to repoint the webhook to his own server, a quiet man-in-the-middle on every future payment. Nobody would notice until the chargebacks arrived.

Two more findings rounded it out: error messages that revealed whether an email existed (letting an attacker enumerate accounts), and a staging environment that was a straight copy of production, so every Stripe and email key in the test system was live.
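Step 5 is the one that costs the most and is the easiest to get subtly wrong, so here is an added example (not the article's code) showing the swallowed-verification bug beside a hardened handler. The header format, `t=<unix ts>,v1=<hex HMAC-SHA256 over "<ts>.<body>">`, follows the layout of Stripe's `Stripe-Signature` header but is implemented with the standard library so it runs offline; the endpoint secret, event bodies, and in-memory stores are constructed for the example.

```python
"""Payment webhook handler: the article's swallowed-failure bug beside a
hardened version. Added example; the signature scheme mirrors the layout of
Stripe's t=/v1= header but is hand-rolled here so no SDK is needed."""
import hashlib
import hmac
import json

ENDPOINT_SECRET = b"whsec_constructed_example_secret"  # constructed; real ones live in a secrets manager
TOLERANCE_SECONDS = 300                                # reject events older than 5 minutes
PAID_ACCOUNTS: set = set()                             # stand-in for the accounts table
SEEN_EVENT_IDS: set = set()                            # idempotency store for replay rejection


class SignatureError(Exception):
    pass


def _mac(body: bytes, ts: int, secret: bytes) -> str:
    return hmac.new(secret, str(ts).encode() + b"." + body, hashlib.sha256).hexdigest()


def sign(body: bytes, ts: int, secret: bytes = ENDPOINT_SECRET) -> str:
    """Build the header the provider would attach (used here to craft test events)."""
    return f"t={ts},v1={_mac(body, ts, secret)}"


def verify(body: bytes, header: str, now: int, secret: bytes = ENDPOINT_SECRET) -> None:
    """Raise SignatureError unless the header parses, is fresh, and the MAC matches."""
    try:
        fields = dict(kv.split("=", 1) for kv in header.split(","))
        ts, given = int(fields["t"]), fields["v1"]
    except (ValueError, KeyError):
        raise SignatureError("malformed header")
    if abs(now - ts) > TOLERANCE_SECONDS:
        raise SignatureError("timestamp outside tolerance")
    if not hmac.compare_digest(_mac(body, ts, secret), given):
        raise SignatureError("bad signature")


def apply_event(event: dict) -> None:
    """The side effect an attacker wants: a forged 'paid' event grants a paid account."""
    if event["type"] == "checkout.session.completed":
        PAID_ACCOUNTS.add(event["data"]["customer"])


def handle_webhook_vulnerable(body: bytes, header: str, now: int) -> int:
    """The article's bug: verify() is called, but leftover debug code swallows
    the failure and the unverified payload is processed anyway."""
    try:
        verify(body, header, now)
    except SignatureError:
        pass  # TODO remove before prod  <- this is the hole
    apply_event(json.loads(body))
    return 200


def handle_webhook(body: bytes, header: str, now: int) -> int:
    """Hardened: any verification failure returns 400 and changes nothing;
    a duplicate event id is acknowledged but never applied a second time."""
    try:
        verify(body, header, now)
    except SignatureError:
        return 400
    event = json.loads(body)
    if event["id"] in SEEN_EVENT_IDS:
        return 200  # provider retry or replay: acknowledge, do not re-apply
    SEEN_EVENT_IDS.add(event["id"])
    apply_event(event)
    return 200
```

The hardened handler is also the check from the validation section: a missing or wrong signature and a stale timestamp both return 400 with no state change, and a replayed event id does nothing.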

In the author's own words: "The vulnerabilities weren't in FastAPI. FastAPI is a fantastic framework. The vulnerabilities were in me. In my assumptions. In my shortcuts. In the endpoints I forgot about and the debug code I left in place."

That is the whole point. None of this required a genius attacker. It required a developer who was tired, shipping fast, and reasonably trusting of code that an AI assistant probably helped write. Which is most of us now.

## What to prompt your AI, and what to validate yourself

If you are building anything that touches payments or customer data with an AI coding assistant, the assistant will happily write the convenient version of every one of the mistakes above. It is on you to ask for the safe version and then to verify it. Prompting is not the same as validating. Ask for the fix, then prove the hole is closed.

### Prompts to paste before you ship

Here is a master review prompt I use against any payment or internet-exposed endpoint. Point your assistant at the actual route handlers, not a summary.

```
Review this API for the OWASP API Security Top 10, assuming the
attacker already has a valid low-privilege account and can read all
of my auto-generated API docs. For every endpoint that takes an ID,
confirm it checks that THIS caller may access THIS object, not just
that the caller is logged in. List every endpoint that lacks an
object-level authorization check. Flag any database query built with
string concatenation, f-strings, .format(), or "+" on user input.
Flag any secret, key, or token read from a committed file instead of
a secrets manager. Show me which responses differ for an existing vs
a non-existent account. Do not rewrite anything yet; give me the list
first.
```

Then the targeted ones:

```
Audit every payment webhook handler. Confirm the provider signature
is verified on every event, that a missing or invalid signature
returns 400 and changes nothing, and that there is no try/except or
fallback that processes an unverified payload. Add timestamp/replay
tolerance. Show me the exact code path that runs when verification
fails.
```

```
Find every place a JWT or session token is signed. Tell me the
algorithm and where the signing key lives. If it is a shared symmetric
secret (HS256), propose moving to asymmetric signing (RS256) so a
leaked verification key cannot forge tokens. Confirm the server
rejects "alg: none" and tokens signed with any other algorithm.
```

```
Scan the entire git history, not just the current files, plus any
committed .env or docker-compose files, for hardcoded secrets, API
keys, and high-entropy strings. Then check that staging and production
use different keys and that no production key (Stripe live key, cloud
key) appears in any non-production config.
```

```
List every endpoint exposed in production that should not be public:
interactive API docs, the OpenAPI/schema JSON, debug endpoints,
deprecated routes still registered. For each, show me how to disable
or gate it in production only.
```

### Then validate, because a prompt is not proof

The assistant will tell you it fixed everything. Confirm it the way the pentester would.

- **Object-level authorization.** Log in as a normal user, then call every ID-taking endpoint with another user's IDs. You should get a 404 or empty result every time, never someone else's data. Note: return 404, not 403, so an attacker cannot tell which IDs exist.
- **Docs and schema exposure.** From a private browser with no login, request your docs URL, your schema JSON, and any debug route in production. All should return 404, not 200.
- **SQL injection.** For every query parameter, send classic payloads (a quote, OR 1=1, UNION SELECT, a time-delay) and confirm they are treated as literal text: no error, no extra rows, no delay.
- **Webhook verification.** Send a payment webhook with a missing or wrong signature and confirm it returns 400 and changes nothing. Replay an old valid event and confirm it is rejected.
- **User enumeration.** Submit a login and a password reset with a known email and an unknown one. The responses should be identical in body, status, and timing.
- **Secrets.** Run a history scanner (gitleaks or trufflehog) over the full repo history, not just the latest commit. Confirm staging uses test-mode keys only.
- **Headers and transport.** Run your live site through my [Mega Security Analyzer](/tools/mega-security-analyzer/), which checks TLS, HTTP security headers, email authentication, content-security-policy strictness, and known CWE and OWASP patterns with a three-probe consensus to suppress false positives. The [Security Headers](/tools/security-headers-audit/) tool is the focused version when you just want the headers and a paste-ready fix block. If you run on WordPress and WooCommerce, the [WordPress Security and Stability](/tools/wordpress-security-audit/) audit covers the WordPress-specific exposure (XML-RPC, user enumeration, admin reachability) with PCI-scope notes.
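The first and fifth checks in that list are the ones the pentester won with, so here is an added example (not the article's code) of the object-level authorization and enumeration-safe responses they test for. The users table, roles, salt, and password hashes are constructed, and the FastAPI routing layer is left out so the logic runs stand-alone.

```python
"""Object-level authorization and enumeration-safe login. Added example;
USERS, SALT and the passwords are constructed stand-ins for the article's
PostgreSQL table."""
import hashlib
import hmac


def pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


SALT = b"constructed-fixed-salt"  # real code uses a random salt per user
USERS = {  # constructed stand-in for the users table
    1: {"email": "alice@example.test", "role": "user",
        "pw": pw_hash("alice-pw", SALT), "api_key": "sk_constructed_alice"},
    2: {"email": "admin@example.test", "role": "admin",
        "pw": pw_hash("admin-pw", SALT), "api_key": "sk_constructed_admin"},
}
BY_EMAIL = {u["email"]: u for u in USERS.values()}
DUMMY_HASH = pw_hash("dummy", SALT)   # compared when the email is unknown
PUBLIC_FIELDS = ("email", "role")     # the response model: never pw or api_key


class HTTPError(Exception):
    def __init__(self, status: int):
        self.status = status


def call(handler, *args):
    """Run a handler the way the route layer would: returns (status, body)."""
    try:
        return 200, handler(*args)
    except HTTPError as err:
        return err.status, None


def get_user_vulnerable(caller_id: int, target_id: int) -> dict:
    """The refactor bug: a valid login is treated as permission to read any row,
    and the raw row (hash, API key) goes straight into the response."""
    row = USERS.get(target_id)
    if row is None:
        raise HTTPError(404)
    return dict(row)


def get_user(caller_id: int, target_id: int) -> dict:
    """Hardened: THIS caller may read THIS object (own record, or admin),
    'does not exist' and 'not yours' are both 404 so IDs cannot be probed,
    and only the public fields are returned."""
    caller = USERS[caller_id]
    row = USERS.get(target_id)
    if row is None or (target_id != caller_id and caller["role"] != "admin"):
        raise HTTPError(404)
    return {k: row[k] for k in PUBLIC_FIELDS}


def login(email: str, password: str) -> tuple:
    """Identical body and status for unknown email and wrong password; the hash
    is computed and compared either way so timing does not reveal which."""
    row = BY_EMAIL.get(email)
    stored = row["pw"] if row else DUMMY_HASH
    ok = hmac.compare_digest(stored, pw_hash(password, SALT)) and row is not None
    return (200, "ok") if ok else (401, "invalid email or password")
```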

Budget a real pentest the way you budget hosting. The author of that FastAPI piece now runs one every six months, and the attacks that owned his payment system were textbook, not zero-days. The gap was discipline, not the framework.

## Where this fits in the jwatte.com toolchain

The free tools on this site cover the validation half of this post. The [Mega Security Analyzer](/tools/mega-security-analyzer/) is the broad sweep across transport, headers, email auth, and vulnerability patterns. The [DNS and Email Auth Audit](/tools/dns-email-audit/) confirms the SPF, DKIM, and DMARC records that keep your payment receipts and password resets out of spam. The [AI Posture Audit](/tools/ai-posture-audit/) and the [AI fix-prompt tooling](/blog/blog-ai-fix-prompt-tool/) help you turn any finding into a prompt your assistant can act on. None of them ask for a signup or set a tracking cookie.

The pattern across all of it: pick the cheapest processor that fits your volume so you keep more of every sale, and lock the plumbing so you keep the sale at all.

If you are building the lean side of a business and want the playbook for doing it without a budget, that is the whole subject of [The $20 Dollar Agency](https://the20dollaragency.com/). Keeping your costs (and your fees) low is exactly how a small operation competes.

---

## Fact-check notes and sources

Every rate and rule above is verifiable. Where a reader might reasonably ask "where did that come from," here is the source. Processing prices move, so confirm against the link before you sign.

- **Helcim interchange-plus markup, zero fees, and volume discounts**: [Helcim pricing](https://www.helcim.com/pricing/). In-person interchange plus 0.40% plus 8 cents, online interchange plus 0.50% plus 25 cents, no monthly, PCI, or cancellation fees, confirmed June 2026.
- **Stripe 2.9% + 30c online, 2.7% + 5c in person, ACH 0.8% capped at $5**: [Stripe pricing](https://stripe.com/pricing).
- **Square Free plan 2.6% + 15c in person and 3.3% + 30c online, effective January 13, 2026**: [Square fees](https://squareup.com/us/en/payments/our-fees). The online rate rose from 2.9% + 30c.
- **Stax subscription tiers and 0% markup**: [Stax pricing](https://staxpayments.com/pricing/). Tier thresholds and per-transaction cents should be confirmed by quote.
- **Payment Depot interchange-plus shift**: [Payment Depot pricing](https://paymentdepot.com/pricing/). Now interchange-plus rather than the legacy membership tiers, following the Stax acquisition.
- **Dharma interchange-plus and nonprofit rates**: [Dharma interchange-plus pricing](https://dharmamerchantservices.com/pricing/interchange-plus-pricing/). The monthly account fee should be confirmed first-party.
- **GoCardless ACH 0.5% + 5c capped at $5**: [GoCardless pricing](https://gocardless.com/en-us/pricing).
- **Surcharging caps and state law (Visa 3%, Mastercard 4%, never above cost, debit never surchargeable, banned in CT/MA/ME/PR, 2% CO, 1% IL, actual-cost NY)**: Visa reduced its surcharge cap to 3% effective April 15, 2023; the Durbin Amendment prohibits debit surcharging. State law changes; confirm current rules for your state with counsel.
- **Visa Level 2 commercial program retirement (around January 2026; Level 3 only for the reduced Visa commercial rate from around April 2026)**: Visa commercial card program updates, 2025 to 2026.
- **The 45-minute pentest case study**: Ramesh Kannan, "I Hired a Penetration Tester to Attack My FastAPI App. He Owned Everything in 45 Minutes," Medium, June 2026. All quotes are from that article.
- **The API failure classes** map to the [OWASP API Security Top 10](https://owasp.org/API-Security/editions/2023/en/0x11-t10/), in particular API1 Broken Object-Level Authorization and the injection and security-misconfiguration categories.

---

## Related reading

- **[How to Send Email That Actually Gets Delivered](/blog/blog-email-infrastructure-small-business/)**: the small-business infrastructure companion: SPF, DKIM, DMARC, and the lanes your receipts and resets travel in.
- **[The Security Headers Trust Bundle](/blog/blog-security-headers-trust-bundle/)**: the headers that turn a "trust me" site into one a browser and a payment partner actually trust.
- **[Nation-State Malware, Protestware, and the Packages Your AI Pulls In](/blog/blog-supply-chain-malware-ai-dependencies/)**: the other half of "do not get owned": the dependencies underneath your payment code.
- **[The AI Posture Audit Master Prompt](/blog/blog-ai-posture-audit-master-prompt/)**: how to ask an AI to grade your own security posture honestly.

---

*This post is informational, not legal, financial, or security-consulting advice. Surcharging, payment compliance, and PCI obligations are regulated and vary by state and card network; consult qualified counsel and your processor before acting. Mentions of Helcim, Stripe, Square, Stax, Payment Depot, Dharma Merchant Services, CardX, GoCardless, National Processing, Visa, Mastercard, and other third parties are nominative fair use. No affiliation or sponsorship is implied.*

