PayPal CTO: Security, mobility to spur growth

Early bets on open source, encryption are paying dividends as Internet becomes a global payments platform

PayPal's Chief Technology Officer, Scott Thompson, is a prime example of what might be called the "payments geek."

It's a label that Thompson earned the hard way, with stints at Coopers and Lybrand delivering IT solutions to financial services clients, then as CIO at Barclays Global Investors, before becoming Executive Vice President of Technology Solutions at Inovant, Visa's IT subsidiary, where he was in charge of that company's global payment system.

At a company like PayPal, which prides itself on its geek culture and stringent hiring standards, being a "geek" about whatever topic you own is something that carries a lot of weight.

Thompson seems right at home. But he's the first to admit that PayPal is a unique place, and that his prior payments industry experiences only prepared him so much for his current job.

One of the first online payment vendors, PayPal today serves 143 million accounts spread across 190 countries. And, as parent company eBay expands its reach through the labors of its independent developer community, PayPal is planning to follow suit: releasing APIs this week that make its payments platform easier to integrate with Web-based and mobile applications, and launching a developer certification program to encourage more software developers to begin expanding on the company's platform.

That makes Thompson -- who oversees PayPal's IT, product development and architecture -- a busy man. When he sat down with InfoWorld at the recent eBay Developer's Conference in Boston, Thompson said that tapping the creativity of developers is nothing new in the payments industry, and that PayPal's traditional strengths in security and online transactions will soon position the company to play with the big boys in the years to come.

"Most people think Visa solved the problem of end to end payments, but it didn't. It only solved a small problem. It was others, like First Data, who arguably are the developers who extended it and added to it and make it what it is today," he said.

PayPal still only handles a fraction of the payments of companies like Visa, American Express and MasterCard, Thompson noted, but its origins in the online realm give it a competitive edge against those companies, and will become increasingly valuable as the Internet becomes the default platform for transactions of all kinds, Thompson said.

"We know where the Internet is today, but the question is where will the Internet be tomorrow and the day after that? If you believe that our payment system goes naturally where the Internet is, you have to believe there are more markets where our payments will naturally fit in," he said.

Thompson says those markets include both e-commerce, and traditional brick and mortar stores, where retail point of sale (POS) terminals could soon be connected to the Internet and use standards like TCP/IP to communicate.

Mobile payments are another area where PayPal is placing its bets. The company on Monday released new Mobile Checkout APIs that allow merchants to conduct transactions through PayPal on the "mobile Web."

PayPal plans to follow the release of APIs with news, next week, that between 10 and 12 leading online merchants will use the new APIs to allow customers to do two-click purchases from mobile devices, according to Amanda Pires, PayPal's director of corporate communications.

However, Thompson acknowledged that merchant adoption of mobile payment technology still lags. "The technology on the merchant side has not appeared in any numbers, though you have to believe that it will," he said.

Still, with the spread of the Internet and the persistent problem of online fraud, PayPal is perfectly situated to take advantage of the explosion in online and mobile transactions.

Existing magnetic stripe technology only contains a small amount of information about the card holder and his or her relationship with the card's issuing bank. However, the burgeoning world of online payments demands much more information about both buyer and seller to make sure that transactions are legitimate, Thompson notes.

"You want to know who the person is on the other side of the transaction and how good the business is, and should we be extending this exchange of value to the person," he said.

PayPal, more than other payments vendors, is prepared to wade into that world. The company has experience in online payments and sophisticated fraud detection capabilities that rival those of companies like Visa and MasterCard.

"Our system is a closed loop. We have deep information about parties on both sides -- the merchant and the buyer," he said.

PayPal's flexible payments infrastructure also helps. The company built its systems from the ground up using low cost hardware and open source software. PayPal also bakes in security, with a blanket data encryption policy that covers customer information from one edge of its network to the other.

Thompson credits PayPal's early founders with making the decision to go with open source and robust data encryption, and says that, almost a decade after the company was founded, those investments are paying off in a big way.

For example, the company was recently able to expand operations from 103 to 190 countries without significant investments in hardware and software. The company's core systems, which run Red Hat Enterprise Linux on commodity hardware, were able to handle the change without a hiccup.

"(Open source) gives us a strategic advantage in the cost of global infrastructure compared with other payments companies. It's just phenomenal," Thompson said.

At the same time, PayPal's blanket customer data encryption policy has simplified security planning compared with legacy payments firms, which came of age before online payments and have had to retrofit security onto aging applications and infrastructure, Thompson said.

"One thing I don't think the guys who started this really fully contemplated is that when you have that type of (security) posture, it's easier to do what we do, because there are no exceptions. If it's customer data, it's fully encrypted. If it's an application that needs to access that data, then the application has to be fully secured and have its privileges monitored," he said.

Still, Thompson admits that there's much work to be done. Despite advancements in technology that can detect fraud and phishing attacks, PayPal still hasn't "turned the corner" in its fight against online crime, he admitted. While eBay and PayPal now digitally sign each of the six billion e-mails they send out each year, Thompson said he couldn't point to evidence of a slowdown in phishing attacks.

PayPal customers have shown an interest in so-called "second factor" authentication devices, such as VeriSign one-time password generators, part of a deal with VeriSign in October, 2005.

After a beta test and initial marketing in Germany, PayPal has issued thousands of the secure token devices and has had to increase orders to VeriSign to keep up with demand, Thompson said. "The uptake was really surprising," he said.

Thompson was less sanguine about the effects of e-mail authentication regimes like Microsoft's Sender ID. eBay and PayPal are testing e-mail blocking based on signatures with two ISPs and, in the coming months, plan to talk with more ISPs about their findings, and suggest that they also look at implementing blocking of non-signed messages from eBay and PayPal.

The company is planning an announcement with large ISPs in the coming months that will "get them on board" with e-mail authentication and make the use of authentication and e-mail blocking for non-authenticated messages a priority, said Pires.

But most of the real innovation will come from outside PayPal, Thompson admits, thanks to the efforts of the thousands of developers and entrepreneurs who jammed Boston's Convention Center this week for eBay's Developer Conference.

"I don't want them thinking in a confined way about what developers can do … You can take the payments system we have and the other properties of eBay that we have and do some next-generation thinking," he said.

"There's no shortage of innovation and creativity and flat-out great ideas that this group of people has," Thompson said. "It just expands your mind to hear what these guys think about and what they're working on -- not just in the U.S. but all kinds of places. It's just fantastic."

Copyright © 2007 IDG Communications, Inc.
