For first-time EU e-commerce founders

Find the risks before they find you.

Describe your store in one sentence. Get the EU regulation, payment, and fraud risks you're walking into, ranked by severity, each with the rule behind it. Plain language, not legalese.

Grounded in the rules that actually apply

  • PSD2 / SCA (3D Secure)
  • Card-network chargeback rules
  • GDPR
  • Consumer Rights Directive
  • Fraud & AML exposure
  • Spain: autónomo / SL & VAT

This is what you get back.

Imagine a gift-card store in Spain, mapped. The exact setup that ended Sharkiez, with every risk surfaced before a single order ships.

Your business, as we read it

You sell gift cards and digital codes to EU consumers from Spain on Shopify, paid by card and delivered instantly, with no company set up yet.

High overall risk

What we assumed about your business

These risks depend on the reading below. If any of it is wrong, edit your description and map again.

  • We assumed you are the merchant of record: you charge the customer's card on Shopify and deliver the codes yourself.
  • We assumed the codes are delivered instantly and digitally, so they can't be recalled once sent.

Card payments need Strong Customer Authentication

Med

Most EU online card payments must use two-factor authentication, usually 3D Secure. Skipping it where it is required lets the bank decline the payment and shifts fraud liability to you.

Why this applies to you

You take card payments from EU shoppers, so SCA applies to your checkout.

Evidence

  • Accepts card payments
  • Sells to EU consumers

Irrecoverable gift cards are a stolen-card magnet

High

Instantly delivered codes can't be recalled, and you rarely win a fraud dispute because there is no proof the real cardholder received them. You lose the order value and a dispute fee every time.

Why this applies to you

Gift cards delivered by email are exactly what fraud rings buy with stolen cards and resell.

Evidence

  • Sells gift cards / digital codes
  • Delivered instantly
  • Accepts card payments

Too many disputes can get your payment account terminated

High

Visa and Mastercard run dispute-monitoring programs. If your dispute ratio passes their thresholds, your processor can fine you and shut down your ability to accept cards.

Why this applies to you

A wave of stolen-card chargebacks on gift cards can push you past those thresholds fast.

Evidence

  • High chargeback exposure on digital goods
  • Accepts card payments

No legal structure means unlimited personal liability

High

Trading from Spain normally means registering as autónomo or forming an SL. Without a company, chargebacks and debts can fall on you personally rather than on the business.

Why this applies to you

You are taking real money from Spain with no company set up yet.

Evidence

  • Based in Spain
  • No company set up yet

Before you sell

Set these up first.

  • Turn on 3D Secure and a manual-review rule for high-value orders

    Stops amber-flagged stolen-card orders before they ship.

  • Capture explicit consent before delivering codes instantly

    Sets the terms for the 14-day withdrawal right on digital goods.

  • Register with Hacienda and choose autónomo or an SL

    Decides whether liability stops at the business or reaches you personally.

Watch for

Red flags worth catching early.

  • Amber or review-flagged high-value gift-card orders from new accounts

  • Your dispute ratio creeping toward the card networks' monitoring thresholds

  • Repeat orders on different cards tied to the same email, device, or IP

Every risk is grounded in an official source you can open, and a second model double-checks each claim against that source. This is still guidance for clarity, not legal advice, and reading it does not create a lawyer-client relationship. For anything that carries real money or liability, validate it with a qualified professional before you act.

Why this exists

We learned this the expensive way. Our store was called Sharkiez.

Two high-schoolers built Sharkiez, a shark-shaped footwear brand. A wave of high-value gift-card orders came from Mexico and felt like a breakthrough after slow months.

  1. The flag we ignored

    Shopify marked the orders amber, possible fraud, not a hard block. Amber felt safe enough. We shipped.

  2. The screenshot that explained everything

    A customer sent us a screenshot. Buyers were using stolen credit cards to buy gift cards in our own store, then reselling the codes at a discount on Telegram within minutes. Digital goods can't be recalled. The money was already gone.

  3. The chargebacks

    Months later the banks clawed the money back one by one, a fee on every order. We blew past the card-network dispute threshold.

  4. Banned, and personally liable

    We lost our payment account. To get it back they demanded we cover every chargeback and warned us we had unlimited liability, with the named account holder on the hook personally. No company structure, no advisor, no idea what unlimited liability meant.

Every step had a name and a rule.

PSD2, the Visa dispute-monitoring threshold, irrecoverable digital goods, autónomo vs SL liability. We never saw them coming.

Run our exact old setup through BSTS and it surfaces every one of these, before a single order ships.

Why this needs AI, not a search box.

No page on the internet cross-references your exact product, country, audience, platform, and payment method, then writes the risks back to you in plain language. A search engine returns pages about chargebacks in general. It can't reason about gift cards + Spain + Shopify + card payments together. That's the specific combination that ended Sharkiez, and we tell you so before you launch. That intersection is the entire job, and it's a reasoning task, not a lookup.

  1. Describe your business

    A few plain sentences: what you sell, where, to whom, on what platform, and how you take payment.

  2. It cross-references your exact case

    The AI reasons across the EU regulation, payment rules, and fraud patterns for your specific combination, not a generic checklist.

  3. You get a plain-language risk map

    Severity-ranked risks with the source behind each one, a pre-launch checklist, and the fraud red flags to watch.

If our AI gets it wrong, what happens to you?

The dangerous failure mode isn't a wrong answer. It's a confident wrong answer that a founder treats as legal clearance, ships on, and gets sued over. The person harmed is the user we built this for: a first-time founder with no lawyer to sanity-check the output. So we designed against our own certainty:

Every risk shows its source

It names the framework behind it: PSD2, GDPR, the card-network rules. No source, no claim.

We never issue a verdict

We surface risks and questions, never legal requirements, and we flag when a professional is needed.

Confidence is visible, not hidden

Low-confidence points are marked as such, not smoothed into false certainty.

The decision stays human

We map the risk. You make the call.

Smart Escalation

When a case falls outside the scope of AI assistance, we'll recommend a legal professional who can provide personalized advice.