PayPal Introduces Open API

m2pc writes "PayPal has just announced the availability of their Open API under the 'PayPal X Program.' This enables developers to integrate PayPal payment processing services without forcing users to redirect to PayPal's website to enter payment information. This new initiative is designed to allow the company to better compete with the likes of Google and Amazon, which offer similar services. I wonder how much they paid for their domain: x.com?"

As a Developer

[FredFredrickson]

As a developer, I'm freakin excited. I hope it doesn't cost too much money.. or any at all. That's the reason I prefer Paypal for smaller projects over authorize.net.. save the monthly bills.

Re:As a Developer

[raehl]

As a developer, I'll be avoiding this like the plague.

Why on earth would I want to add the burden of handling and protecting sensitive financial information when I can just send the user to a website they are familiar with to complete the transaction? No credit card numbers in my DB to steal, added trust for the user - this API seems like fail-fail.

Re:As a Developer

[kestasjk]

It does seem to require you have a registered business name though, I like the micropayment potential and all but it looks like government is still getting in the way of truly seamless, open payments out of fear of money laundering etc. "As a developer" I think this goes a bit OTT, and they could probably afford to take the time to see where money is coming from and going to if/when a significant amount gets made rather than require you prove that you're not a criminal via a huge number of checks and then find out if it's worth it etc.

Re:As a Developer

The info isn't saved in your database. Have you ever even used a payment gateway?

Re:As a Developer

[nacturation]

Why on earth would I want to add the burden of handling and protecting sensitive financial information when I can just send the user to a website they are familiar with to complete the transaction? No credit card numbers in my DB to steal, added trust for the user - this API seems like fail-fail.

If you're storing credit card numbers, you're doing it wrong. Here's how it should happen:

• Your payment page is SSL secured and people enter their CC details
• Your web server sends it through an SSL-secured API to PayPal
• PayPal responds with the result
• Your web server does or doesn't approve the order as appropriate (this is the ??? step)
• Profit!

The only storage of sensitive information that goes on is inside the server's RAM and it gets discarded from RAM once the transaction concludes.

Re:As a Developer

[Jherico]

The problem here is if I'm not redirected to PayPal, I'm offering up my palpal authentication information to a third party in the hope that they're going to use it for the transaction I've authorized and nothing else.

Re:As a Developer

[Dog-Cow]

It also looks like you're an idiot. The difference is, of course, that you actually are.

Re:As a Developer

[nacturation]

The problem here is if I'm not redirected to PayPal, I'm offering up my palpal authentication information to a third party in the hope that they're going to use it for the transaction I've authorized and nothing else.

If you give your PayPal credentials to a third party and not to a PayPal URL, then yeah... you'll get hacked. No different than a site claiming to support Facebook Connect but showing its own login window instead of Facebook's login window. Or like any OpenID-enabled website. If it doesn't redirect you to the authoritative site you claim to be using, you're screwed.

Re:As a Developer

[DaVince21]

If the API is done well, it shouldn't expose sensitive information like that at all and handle it through the actual PayPal service anyway, leaving just the way users see the actual payment page to customize to your needs.

Re:As a Developer

[kestasjk]

".. , of course, .."

API???

[click2005]

Another Price Increase

Re:API???

[interval1066]

@click2005: "Another Price Increase"
Yep. A pack of gangsters just created some technology. Great.

Re:API???

x.com was a company that was acquired by paypal in the early days (elon musck's company)

one-letter domain?

[Tolaris]

Since when are 1-letter second-level domains allowed? I thought it was limited to two letters and up.

Re:one-letter domain?

You were wrong. http://en.wikipedia.org/wiki/Single-letter_second-level_domains

Re:one-letter domain?

[Itninja]

One-letter names are allowed. But they were all taken within a very short time. I think about 26 seconds.

Re:one-letter domain?

[Mad+Merlin]

Since ever? X.org for example has been around quite awhile.

Re:one-letter domain?

You're on Slashdot and you've never been to x.org?

Re:one-letter domain?

[onefriedrice]

Wrong. One-letter domains were never made available by ICANN except for just a few exceptions made because of trademark issues: q.com for qwest, x.org for the former Open Group and a few others, including (obviously) x.com, though I don't remember who was the original owner of that one.

Re:one-letter domain?

[sopssa]

PayPal has always owned it:

The current incarnation of PayPal is the result of a March 2000 merger between Confinity and X.com. X.com was founded by Elon Musk in March 1999, initially as an Internet financial services company. Both Confinity and X.com launched their websites in late 1999.

http://en.wikipedia.org/wiki/PayPal

Re:one-letter domain?

[lannocc]

As another commenter mentioned, it may have been PayPal. It was certainly some sort of financial institution. I still have an old X.com-branded credit card.

Re:one-letter domain?

[noundi]

PayPal has always owned it:

The current incarnation of PayPal is the result of a March 2000 merger between Confinity and X.com. X.com was founded by Elon Musk in March 1999, initially as an Internet financial services company. Both Confinity and X.com launched their websites in late 1999.

http://en.wikipedia.org/wiki/PayPal

That doesn't add up. According to this article the existing single-letter second-level domains were all registered before 1993, as in 1993 IANA reserved the remaining domains. Originally x.com was owned by Weinstein & DePaolis. Some half assed googling led me to this, which isn't much. And a quick whois showed that they also own x.cx, judging by the email used.

Re:one-letter domain?

Yah... PayPal has owned x.com for as long as I've been using it (circa 2000).

Although, the whois record for it indicates that it was created in 1993, which certainly predates PayPal.

Re:one-letter domain?

[greatica]

I heard it used to belong to some ridiculous group claiming ufo defense or something.

Re:one-letter domain?

It used to be owned by this online bank. The bank was bought by paypal within a year or so, and the x.com name was phased out.

Re:one-letter domain?

x.com used to be an on-line bank. It was founded sometime around 2000. They were originally competition for PayPal: their tagline was basically, "you can e-mail money."

When they first started, if you opened an account with them, they actually gave you $20 for free and mailed you a debit card. The only problem with their system is that they didn't own any ATM's and you had to mail in deposits (or do direct deposit via ACH.) So it didn't last very long. They eventually got bought out by PayPal, and so now PayPal owns the x.com domain name and their businesses licenses, etc. I believe it was after the purchase that PP started offering debit cards, so I'm guessing they are doing so under x.com's state charter.

Re:one-letter domain?

[nacturation]

Slashdot already owns /.org but it's a real bitch to get browsers to recognize the URL.

Re:one-letter domain?

[eulernet]

Archive.org has the whole history of the site:
http://web.archive.org/web/*/http://www.x.com

Before 2000, it was owned by Rob Walker, then purchased by a company named x.com, which became Paypal:
http://web.archive.org/web/20000520015239/http://www.x.com/

Re:one-letter domain?

[leamanc]

Rare, but ICANN has allowed them from time to time. Never visisted x.org? Turn in your geek card for unfamiliarity with the X11 protocol. :-)

Re:one-letter domain?

[Itninja]

So they were never allowed. Except for the 26 corporations that asked for them. Gotcha.

Re:one-letter domain?

[kimba]

The single letter .COM/.ORG/.NET domain prohibition was enacted prior to the existence of ICANN, however, existing single letter registrations were grandfathered in and were able to be kept. No exceptions have been granted after the prohibition started.

Re:one-letter domain?

[leamanc]

Right you are, I stand corrected.

On December 1, 1993, the Internet Assigned Numbers Authority (IANA) explicitly reserved the remaining single-letter and single-digit domain names. The few domains that were already assigned were grandfathered in and continued to exist.

Among the list of grandfathered-in domains was x.org.

Re:one-letter domain?

[MichaelSmith]

I heard it used to belong to some ridiculous group claiming ufo defense or something.

SpaceX?

Re:one-letter domain?

Slashdot already owns /..org but it's a real bitch to get browsers and DNS servers to recognize the URL.

That's more like it ...

Re:one-letter domain?

Don't post links to wikipedia. It is not an authoritative resource.

Re:one-letter domain?

Actually, typing "/." into Opera's location bar takes you to slashdot.org.

Re:one-letter domain?

[LarrySDonald]

I remember the launch, at the later time when they actually became useful I thought they'd simply changed their name to paypal or were named paypal but also linked x.com. The domain was touted for easy use on mobiles (a little doubtful since it's not significantly easier then any other domain and by the time mobiles with web made sense they were good enough to handle bookmarks). At the time only a little over half of the two-letter domains were taken and while 100% of singles were taken not all were registered that long ago.

Re:one-letter domain?

[j00r0m4nc3r]

x.com used to be an on-line bank. It was founded sometime around 2000. They were originally competition for PayPal: their tagline was basically, "you can e-mail money."

That's the Nigerians' tagline too.

Re:one-letter domain?

[PaganRitual]

Weren't those the crazies that, when faced with increasing ridicule, changed their story to be something about some unamed terror, from the deep or something?

Last I heard they were just outright babbling about the apocalypse. Haven't heard anything in years though. I kinda miss them, in a go-crazy-and-shoot-all-my-friends-with-a-guided-rocket-launcher kinda way.

Um...guys....

[Itninja]

I was doing this on an ecommerce site I administered like four years ago. It was called PayPal Payments Pro (or some such) and cost $20/month. No redirects at all. Other than the new domain, what's new? Is it free now?

Re:Um...guys....

[smclean]

Ditto, I also have integrated with that service, so this seems like a non-story, maybe a different rate schedule if anything.

"Website Payments Pro" https://www.paypal.com/uk/cgi-bin/webscr?cmd=_dcc_hub-outside

Re:Um...guys....

[webheaded]

Payflow Pro. I'm thinking the same thing. Maybe they're actually pointing more towards using a Paypal ID without leaving the site or something...I dunno, but I do know my company is one of the processors for Paypal and that they've had functionality like that for quite some time.

Re:Um...guys....

[jjohn24680]

PayProFlow is their credit card payment gateway, and handles other kinds of related transactions (debit cards, pre-funded cards). It appears this API ties to their main payment system (transfer funds between PayPal accounts) rather than credit cards. The company I work for uses their gateways to process transactions for both credit cards and also payments between PayPal accounts. Currently, if someone wants to receive a payment from us, they have to go to the PayPal website and create an account there. Once they have an account, we can use the existing API to transfer funds. From the article, it appears that you can use this API to create a new account, which is something that I don't believe can be done at this point.

Re:Um...guys....

[popeyethesailorman]

It was (and still is) called PayFlow Pro. PayPal got it when then bought VeriSign's payment unit in late 2005. I think VeriSign have have obtained it PayFlow Pro from CyberCash even longer ago.

Re:Um...guys....

[digitalaudiorock]

I had to use PayFloPro in a php application at a previous job. I never understood why they used a proprietary binary API rather than just communicating via https. It's not like it could be used without knowing the login information, and access to a given account could be restricted to specific ips etc. Under php that required compiling an extension into php.

A friend of mine did some contract work using the non-pro version of that and ran into a huge bind with it. This was for use on a Windows server and their binary API had been unnecessarily compiled with Windows security settings that could not be used on the shared server this was supposed to run on. He and a whole slew of others were screaming at Paypal to simply recompile a version they could use with no luck at all...quite a mess.

Maybe there's a reason for that approach...but it's a pain in the ass. I wonder if the new Paypal API will do the same.

Re:Um...guys....

[patniemeyer]

The existing Paypal Payments Pro API is as you describe (though it's $30/mo now) and it does let you accept credit cards on your site directly. The new API lets you do some more sophisticated things on the back end (like Amazon FPS currently does) including splitting payments among multiple receivers or making payments to many receivers at the same time. There is also micropayment support.

The limitation that I see at the moment is that the new API only lets you make payments with a paypal account - you can't (yet, they say they are looking into it) do these fancier things with a raw credit card payment. This is also a limitation of Amazon FPS as far as I know - you can only make payments with an amazon account, not a raw credit card... which seriously limits the usefulness of these systems for consumer applications right now, as far as I can see.

I recently did some integration with the other Paypal API (website payments "standard) - the one which requires that you shuffle the user off to their pages and then get them back at the end. It worked fairly well, though I have to say that their documentation and examples are terrible... Hopefully their new API will come with some better developer docs.

Pat

Paypal has owned X.com for YEARS

Paypal bought x.com a number of years ago. 8 years? Something like that. I think it happened when they were still giving you $5 for every new referral you brought in (I made some $$$$ off of Paypal, now it's the other way around. :( ).

Paypal was originally x.com

[SashaMan]

Paypal has owned the x.com domain since before they were paypal (check wikipedia), so while x.com probably wasn't super cheap back in 1999, it's not like they just purchased it.

Re:Paypal was originally x.com

[uvajed_ekil]

Yeah, the offered online checking accounts. I signed up for X.com and Paypal accounts initially because they were giving away free money, no deposit required. I didn't think either one would last (I was half right), but hey, free money.

Re:Paypal was originally x.com

[White+Flame]

I still have my old x.com credit card. It's a great geeky X-Com commemorative, even though it has nothing to do with the game. :-D

Re:Paypal was originally x.com

[kalislashdot]

Years ago, I used to go to paypal by going to x.com. It was so much shorted to type and it just redirected for me to paypal.com Then they made it the "labs" site and my shortcut was ruined.

Re:Paypal was originally x.com

[loshwomp]

X.com was one of the companies that merged to form PayPal. They epitomized the bubble "land grab" mentality by giving away free money to attract customers.

I still have a check for $0.01 sent to me (for no obvious reason) by "PayPal's X.com" during the bubble days. It's such a perfect metaphor for the stupidity of that era that I just had to save it and frame it.

I wonder what PCI implications this will have.

[marbike]

A lot of companies expend a great deal of resources in order to conform to PCI-DSS. The need for extensive testing, Web App Firewalls and the like is a pricey and time consuming activities for merchants dealing with PCI. When seasoned developers often forget to mask PANs, I wonder what the novice developer will do. I hope that this service will include some PCI guidelines so small merchants won't get bit in the ass by the certification bug.

redirect is better

[bolthole]

I personally LIKE the redirect. I LIKE only inputting my credit card/whatnot information to paypal.com directly, instead of some random site that I'm doing a one-time transaction with and will probably never see again.

Re:redirect is better

[webheaded]

Yeah, I'd have to agree. I generally shy away from websites that directly ask me for a username and password for another site. I don't care who you are, but after all the phishing emails and such we've seen over the years, you'd have to be pretty dense to not feel at least a little uncomfortable with something like this.

Re:redirect is better

Sort of off topic, but something that might interest you if you haven't seen it before is a feature Citi offers with their credit cards called virtual account numbers. Basically, it allows you to generate different numbers that point back to your real account and are only good for one use. You can also limit the amount of time they're active as well as put a cap on how much money can be drawn from it. Pretty cool.

Re:redirect is better

[amasiancrasian]

+1 post; allowing website owners to directly process user/pass info for PayPal is potentially a dangerous move if all sorts of security audits/nefarious site owners are processing login info. There's definitely potential for abuse because the redirect kept the user/pass separate from the app processing. We implemented SSO handling via CAS because we could train users never to type in their user/pass on any site except for sso.bigcompany.com.

Further, even banks require all sorts of audits if a website is handling credit card info directly. We have to undergo all sorts of security audits (e.g are you storing cc numbers? who has access to your code? who has access to your database?) before we were even allowed to touch a cc gateway.

Re:redirect is better

[BikeHelmet]

Totally agree with you here. It felt weirder ordering off Dell.com than it did DealExtreme.com. I was expecting redirects to a secure site for payment.

Re:redirect is better

[DigitalCrackPipe]

I hope they continue to allow the explicit paypal.com visit. Otherwise I forsee bailing out of a number of transactions due to the sketchiness of giving free access to your bank account to some random site.

Re:redirect is better

[tlhIngan]

Not to mention, there'll be a whole host of XSS crap going on so that sites can grab your login information to Paypal from their website. After all, their site has to include the paypal stuff in it, who's to say that "submit" button isn't "send us and paypal your login"?

If using Paypal, I expect to visit Paypal's site to log in. (There were some XSS used to get the site's inventory into Paypal, but that's a different issue, and it happens before login).

My Paypal information is valuable - I don't want to trust some oddball website with it. I hope there's a "Redirect to Paypal" link I can use instead of this stuff...

Re:redirect is better

[stephanruby]

There is no reason you can't have both, and just let the consumer decide. Believe it or not, there are cases where the consumer would rather not leave the site.

For instance, when our customers wanted a refund from us, we had to tell them to make the request through Pay Pal first (at least, at the time that was the case, I don't know if it still is the case now), and then we would issue the refund as soon as we saw the request come in. We couldn't initiate that request ourselves.

This really didn't sit well with our customers. Also the Pay Pal process for requesting a refund made the process unnecessarily adversarial and completely user-unfriendly. As a company in a very competitive area, we didn't want our customers (who for some reason were not satisfied with our services/products) to feel we were dragging our feet, or to feel that we were pawning them off to some giant faceless corporation who didn't know the first thing about what went wrong in the first place. Unsatisfied customers who feel that way are much more likely to write very negative reviews.

Re:redirect is better

[NoYob]

yeah, but that means doing business with Citi. No thanks.

Re:redirect is better

[Alok]

The same feature was offered on MBNA cards as well, and afaik is still there post-acquisition (by BoA). I think Discover has virtual numbers too, and probably AmEx should also be having something similar.

The unfortunate part is that there are some caveats to the 'one time use only', or atleast in MBNA's case there were stories of people who got charged on the number months after their initial purchase - unfortunately I don't really remember much about that, never used them much myself anyway.

Re:redirect is better

[vanyel]

As a paypal user from the other side, I like the redirect because it means I never see customer credit cards, so I don't have to deal with that level of security concerns...

Re:redirect is better

[daid303]

Indeed. The dutch payment system "iDeal" works like this, you are redirected to your own bank site. And make a payment from there. I know that under the hood there are XML files exchanged with no sensitive information, and I enjoy the protection of my own bank. I don't even need to have an account at a 3th party (like paypal)

It works great, many sites support the payment option (webshops, WoW, ...) and it feels really secure. Just a shame steam doesn't support it yet.

Bummer!

[timeOday]

As an end user, to me the value in going through a centralized payment service is the security of having only one reputable company (PayPal) handling my personal information, instead of having every vendor out there from whom I've ever bought anything potentially putting my CC# into their database. Forget disintermediation via this API, I'd rather go the other way and have assurance from the middleman that the vendor will never get anything they don't need for order fullfillment - that is, just my name and mailing address.

Re:Bummer!

Looks like you missed www.paypalsucks.com

Re:Bummer!

[nametaken]

You're kidding, right? Did you just call PayPal a reputable company? You clearly haven't had an account seized for no particular reason... or the various other nefarious shit they're known for.

Re:Bummer!

[BikeHelmet]

Right - but it's better Paypal than an eBay seller, or Paypal plus a random site, right?

Re:Bummer!

Better the evil you know than the evil you don't and the evil you know, mate. Think about it for a moment.

Re:Bummer!

[NoYob]

Better the evil you know than the evil you don't and the evil you know, mate. Think about it for a moment.

But, if it's an evil I do know that decides to change into an evil that I don't know, then I would be dealing with an evil that I know but really don't know - think about that for a moment.

Re:Bummer!

That's right, paypal has a terrible habit of taking clean owned money out of good peoples accounts and delving them into faceless labrynthian bureaucracy which has no known end. Paypal is more reputable than mailorder bride dot ru or something; but paypal does not have a good reputation.

Re:Bummer!

[Phroggy]

They are a reputable company, in that they have a reputation.

Re:Bummer!

[MrPerfekt]

You clearly haven't tried to manage fraud on more than 70 million active accounts. Anybody that's had a high school statistics class will tell you that some innocent people are going to get caught in the net. Of course, it's not perfect. It never will be. Neither is the Visa fraud system that denies charges that it deems to be "out of character" for your habits. But I don't see you bitching that Visa won't let you buy a lifetime subscription to your favorite monkeyporn site.

My point is that, PayPal gets a bad rap because of a small minority of people that have had a bad experience because they met the fraud models that were put in place to protect the other millions and millions of customers. Sorry to hear about the misfortune. Life goes on.

x.com

[JoeF]

They didn't pay anything for x.com. They were x.com originally.

Re:x.com

[Locke2005]

They paid in opportunity cost. Imagine how much they could have made by selling x.com!

Re:x.com

about 1/3 as much as if they had xxx.com

Re:x.com

[TomXP411]

Not true. x.com and PayPal were two different companies with two different products back in 2000. x was a bank, PP was an on-line payment service. By buying x.com, PayPal was able to offer debit cards and some other fun stuff they couldn't before (at least not without getting a charter as a bank, which is probably more expensive than simply buying a bank...) I remember it well; I had an x.com debit card at the time, and I used to use both services.

Re:x.com

[strstr]

http://web.archive.org/web/*/paypal.x.com/*

I knew it was familar, being a PayPal member since 2000.

Security?

[Manip]

This is sad news for me personally.

I always liked that I got redirected to PayPal.com to enter my PayPal details. Allowing me to check the SSL certificate and avoiding certain kinds of phishing fraud. Plus keeping my login details out of the hands of third parties who might enjoy looking at my payment history (which I agreed to in line 9999 subsection 5, amendment 3 of the T&C).

Ironically while PayPal moves away from a redirection systems the big credit card companies (VISA, Mastercard, etc) are moving into one. Now often bringing up a password page operated by your CC company in order to verify that you haven't stolen card details.

Re:Security?

[Kenja]

If it ties in to the rotating cipher device PayPal offers its all the same to me. Its a DigiPass Go 3 FYI, similar to what Blizzard uses for WoW.

Re:Security?

Now often bringing up a password page operated by your CC company in order to verify that you haven't stolen card details.

Yeah and what a freaking scam that is. While in theory things like "Verified By Visa" seem like a good idea, it is extra security after all, all it's really doing is making you liable if someone happens to hack your Verified By Visa account. It is probably easy to do considering it seems to use some funky redirecting XSS type crap (ie. it won't work if you have javascript off and it can probably be easily intercepted/man-in-the-middled by 3rd parties). If that happens you might no longer be as well protected by the fraud laws that limit your liability (which is $50 in the US). Search around and you can find more information (see here for starters).

As a representative of one burned by PayPal

[Chas]

It'll be a cold day in hell before they see any utilization by any of the companies I work for or service.

They could be the last financial institution on the planet. I and some of the people I work for would revert to a barter economy first.

Re:As a representative of one burned by PayPal

[Nithendil]

It still amazes me that there isn't a legit popular alternative to paypal for online shopping (other than huge sites like amazon). I refuse to have anything to do with them anymore. At least it taught me a lesson in scams and how to deal with companies who care very little for their customers.

Re:As a representative of one burned by PayPal

[Have+Brain+Will+Rent]

In Canada there is Interac where you can send money by email - I assume there is something similar in the US. An Interac transfer is as good as a wire transfer - i.e. when the money gets to your account it is yours period. There is also HyperWallet which is popular with the credit unions and some other institutions.

Re:As a representative of one burned by PayPal

[am+2k]

Well, if you're looking for a way to receive money from your customers, there's always esellerate.

(I'm not affiliated with them, just a happy customer.)

Re:As a representative of one burned by PayPal

[Nithendil]

What I have seen in the US is either the website has their own shop with credit processing, or they are affiliated with someone (amazon, google) or they take paypal; I'm sure there are other options but they are outliers.

Re:As a representative of one burned by PayPal

[Archon-X]

2co.com ?

Re:As a representative of one burned by PayPal

[Firehed]

Speaking as someone in the industry... there's a lot of reasons. The barriers to entry are extremely high (and that's before you realize that your competition is a multi billion dollar giant with massive market and mindshare), there's a huge amount of legal BS that you have to deal with, and the banking industry is painfully slow and outdated to work with.

I AM surprised that other payment gateways don't do more in consumer-facing work, but there's plenty of very good reasons that they'll be staying strictly B2B for the foreseeable future

Re:As a representative of one burned by PayPal

[TheRaven64]

The thing that surprises me is that banks allow them to exist. I can send money to a private individual easily; just enter their account number and sort code (or IBAN code for international transfers) and the amount of money to send into my online banking page. It wouldn't be too hard for the banks to define a standard API for providing this information, so you just enter your bank's URL and press 'pay' and it then redirects to your bank's log in site and, once you're logged in, creates a new transaction.

Or just reduce the cost of accepting and processing credit card payments so that PayPal can't compete. Their entire market seems to exist because dealing with merchant banks is too complicated. It can't be too expensive, because PayPal takes their cut on top of what merchant banks charge.

Re:As a representative of one burned by PayPal

[Civil_Disobedient]

I can send money to a private individual easily

Sure, and the bank charges you out the ass for the convenience. Kinda like ATMs... there's no excuse for $3.00 "convenience" fees when they used to be free! Except for the fact that, well, they can.

Re:As a representative of one burned by PayPal

[TheRaven64]

I never understood why people in the USA put up with this crap from their banks. My bank (in the UK) doesn't charge me for using ATMs owned by them or any other UK bank. A few ATMs in shops and pubs charge everyone that uses them, but there are enough free ones around that you rarely need to use these. My bank doesn't charge me for sending money to someone else online either. This is pretty much standard across Europe.

Re:As a representative of one burned by PayPal

[Civil_Disobedient]

In the States we have Credit Unions (not sure if you have them in the UK) that operate in a similar fashion. It's the larger commercial banks that are by far the worst practitioners of fees-as-revenue-model. Which naturally makes no sense, since the larger banks presumably have more ATMs (so less out-of-network transactions) and a larger capital base to fill their coffers.

We only put up with it because they put chemicals in our water that make us lazy.

No parking.

[Snufu]

I wonder how much they paid for their domain: x.com?

It's variable.

This is a bad idea because...

[phiz187]

This is going to make users accustomed to entering their paypal credentials into all sorts of unique interfaces, on a variety of websites. It is going to condition users to be less guarded about their paypal credentials. As it stands now, you basically only enter your PayPal credentials into either the PayPal.com or Ebay.com domains. Users know that if anywhere else asks for their credentials, that it is a phishing site. I think this is going to be a minor disaster for PayPal. But hey, maybe they're cash-flush enough to eat the cost of all the new fraud claims that are going to result.

Re:This is a bad idea because...

[gravyface]

I have a newsflash for you Walter Cronkite: users wouldn't know the difference between ebay.com and ebay.ha.ha.pwned.com if it had an eBay logo on it.

Re:This is a bad idea because...

[maxume]

Well, that sucks for people that trusted Paypal to begin with.

Re:This is a bad idea because...

newsflash for you: this is not true for people internetknowledgeable enough to actually register on paypal.

Re:This is a bad idea because...

[TheRaven64]

If PayPal only has your credit card details, not your debit card, and you don't store money in your PayPal account, there's not much they can do. They can't confiscate the money you have with them (there isn't any) and if they try to take money without authorisation then you can issue a chargeback (at their expense) on the credit card. I don't understand people who use it to accept payment though. The only thing banks sell of value is their reputation, and PayPal's is worth a negative amount. I'd be more inclined to trust Lehman Brothers with my money...

x.com? duh.

I wonder how much they paid for their domain: x.com?"

Well, if the submitter did any background work before furiously cutting and pasting from someone's blog to get this submission, they'd realize that x.com is actually paypal's ORIGINAL domain name before they got bought and turned into paypal. But hey, who expects facts in a slashdot submission?

Critical missing piece

[RyoShin]

Nifty, but I'm waiting for the day that they announce good customer service.

(Although I believe they're lifting the ban on adult content sites, so that's good.)

I wonder...

I wonder how much they paid for their domain: x.com?"

.

I wonder if PayPal is ever going to provide anything better than barely mediocre customer service?

Poor choice of words...

[raehl]

He meant greedy business entity strongly financially motivated to avoid any uncontrolled release of your information.

PayPal very diligently acts to protect their bottom line. You may not like their policies on withholding balances, but that same financial diligence also goes in to maintaining security to prevent the huge financial losses that would occur should the public no longer perceive paypal as secure.

Re:Poor choice of words...

Wait so you're calling larceny "financial diligence"?

I better become "financially diligent" when I got to the local 7/11 and chew on some snacks without paying for them. I'll leave behind 99% of the snack later, so no real loss for them. In fact, I'll go around every place in town, eat 99% of the snack. After I do this a hundred times, I've chewed enough to have a whole snack.

In fact, I'll just send out a robot to do this for me. Every day I'll have piles of snacks for free, because I'm financially diligent and no one loses out.

That's basically what Paypal do when they withhold accounts. Those accounts are not earning any interest you see. Paypal does however, earn interest on its the robbed values. Paypal is a scam and the people behind it are slimey and known to lock accounts under political motivation.

Re:Poor choice of words...

[timeOday]

Besides, I have had payments frozen and while irritating, you have to remember that without that option, fewer customers would dare to send you money in the first place. It's a cost of doing business, like accepting returns.

You have a short memory...

[larwe]

Don't you remember that X.com *WAS* PayPal until about 2000? I would be surprised if they paid more than a four-figure sum for the domain; real estate wasn't as valuable back then. X.com was originally an online bank of sorts.

Re:You have a short memory...

He also has a short penis.

Re:You have a short memory...

[bipbop]

You'd be surprised if they paid more than a four-figure sum for the domain? Valuable domains sold in the millions in the late 90s, and that was oct 1999, only a few months away from the peak of the dot-com bubble. I can't find data on how much x.com was sold for, but for some examples selling in the millions in '99, look at altavista.com, autos.com, business.com--and I'm only at the start of the alphabet there.

Anyway, this is kind of an unimportant point to make, but the irony of saying someone else has a short memory while completely forgetting how crazy things were in '99 amused me enough to respond ;-)

where is

[zero.kalvin]

Where is the whatcouldpossiblygoeswrong tag ?

There goes all the conditioning...

[foxtyke]

I have spent the better part of my digital life convincing people that Paypal credentials should ONLY be provided when on Paypal.com, when you have a nice SSL certificate showing Paypal, Inc. and the like.

Granted you could place your credentials on retailer sites through existing APIs but most retailers recognized the need for consistency and helped condition Paypal users to expect to be taken to Paypal.com to complete the transaction and then back to the retailer site.

I agree, the chances of phishing success just went up considerably with this decision and more likely than not, it will be affected normal everyday users of Paypal more than the new users.

thanks sirs - exciting news

[postmortem]

Dear Sirs,

These are great news that promise increased effectiveness and efficiency in money transfers for humble users from Nigeria.

Additionally, if you could assist me in transferring some funds from our deceased noblemen, you will truly be awarded.

Yours Faithfully,

Dr. Akeem Biobaku

Security risk?

[mysidia]

The new PayPal APIs allow developers to engage customers directly within their own applications rather than forcing them to port users off to the actual PayPal site. Users who don't even use PayPal can actually sign up for PayPal within the third-party application and begin making PayPal payments seamlessly from within the third-party application.

So now you're relying on a third party application running on your vendor's website to not secretly cubbyhole a copy of your PayPal password as you use the third-party site to login or register for PP ?

there is a solution

[commodoresloat]

We have a site that can ease your mind about such transactions, and we can even alert you to suspicious activity! Kindly provide the following information and our salespeople will get you set up:

Name:
Paypal Username:
Paypal Password:
Social Security Number:

x.com?

[MostAwesomeDude]

Hey, whatever gets us more page views.

(If you haven't been to http://x.org/ , you might not get the joke.)

Re:x.com?

[TheRaven64]

Before X development moved back to x.org, it was hosted on XFree86.{org/com}. For a lot of this time, XFree.com was a porn site. You can find a reference to this in an old interview with some of the X developers when they were asked why, now that many architectures other than x86 were supported, they didn't drop the 86 from the name and go with XFree.

x.com

[strstr]

Hasn't PayPal always owned x.com? if I recall, you used to access the website at paypal.x.com and it wasn't until a few years ago that they started using paypal.com.

It's like banking, without consumer protections.

[Animats]

PayPal calls this WebSite Payments Pro. They don't use the world "Open", at least not to developers.

What they are offering is essentially the same thing banks offer as "merchant accounts" that connect to "shopping cart" programs. But, this being PayPal, without all the consumer protections that banks are required to provide. I've been reading through the documentation, and there's no sign of all the security requirements Visa imposes on merchants.

(Well, actually there is - under "Legal Agreements, Exhibit A". But there's no sign of technical requirements to back them up.)

Actually...

[mister_playboy]

Opera brings you to Slashdot if you simply type /. in the address window.

Try it!

Re:Actually...

[nacturation]

I did not know that! Thanks for the tip.

Other payment services years ahead of pp

[SgtChaireBourne]

Other services, like moneybookers, have had public APIs for years. IIRC the moneybooker's one has been around since 2004. There are even development accounts that can be set up for testing and several levels of detail or complexity.

I'm not sure what the slashdot editors' fascination with paypal is about. A quota to peddle 'news' about M$ partners?

I really hope they thought about it, a long time

[Ilgaz]

I hate posting 2 line messages but if you look at http://www.phishtank.com/ which the data is community provided/validated and open, I have real bad feelings about the upcoming API. Hopefully they don't trust the general public to know what an API is while they keep clicking the links on spam mails they get.

Re:It's like banking, without consumer protections

[JesseMcDonald]

There seems to be a contradiction in PayPal's descriptions of the program. On the main summary page they say of Express Checkout, "Your customer chooses to pay with PayPal by entering their email address and PayPal password, without leaving your website." However, in the section on Express Checkout all the flow diagrams show the customer clicking on a button which redirects them to the PayPal website, where they enter their login and password, as is currently the case.

I'm inclined to believe that the current situation, with PayPal handling the authentication, is what they intended, and that the sentence on their summary page was a mistake. I'm certainly not going to enter my PayPal password on some random third-party website.

Their "Direct Payment" API, on the other hand, is completely transparent; the customer enters their CC data into the seller's website and never sees PayPal.

x.com used to be a Bank run by PayPal circa 2001

[idioto]

x.com was a crazy bank in 2001, I used it a lot, and yes it was run by PayPal. Why was it crazy? Because it allowed me to take money from my credit cards and deposit them to a bank account using the web. I could then pull cash out at an ATM, write a check to another credit card company. It really saved me a few times, but in the end it only lasted about 6 months before PayPal really took off and they cut back the wacky services eventually the service altogether. Yeah, I had an x.com ATM card.

Uh...this isn't new...

[k0vert]

I always thought that you could accept credit cards on your own website without redirecting to PayPal. I believe it is called Website Payments Pro. "Process credit cards directly on your website with Website Payments Pro, our merchant account and gateway in one." What is exactly more integrated? Has anyone bothered to look at the "How It Works" link on the PayPal website? It doesn't show any redirection to PayPal.

x.com is created in 1993

[mahadiga]

Whois Server Version 2.0 Domain names in the .com and .net domains can now be registered with many different competing registrars. Go to http://www.internic.net/ for detailed information. Domain Name: X.COM Registrar: MARKMONITOR INC. Whois Server: whois.markmonitor.com Referral URL: http://www.markmonitor.com/ Name Server: PPNS1.DEN.PAYPAL.COM Name Server: PPNS1.PHX.PAYPAL.COM Name Server: PPNS2.DEN.PAYPAL.COM Name Server: PPNS2.PHX.PAYPAL.COM Status: clientDeleteProhibited Status: clientTransferProhibited Status: clientUpdateProhibited Updated Date: 01-sep-2008 Creation Date: 02-apr-1993 Expiration Date: 20-oct-2011 >>> Last update of whois database: Fri, 06 Nov 2009 02:03:44 UTC http://www.markmonitor.com/ Administrative Contact: Domain Administrator eBay Inc. 2145 Hamilton Avenue San Jose CA 95125 US hostmaster@ebay.com +1.4083767400 Fax: +1.4083767514 Technical Contact, Zone Contact: Domain Administrator eBay Inc. 2145 Hamilton Avenue San Jose CA 95125 US hostmaster@ebay.com +1.4083767400 Fax: +1.4083767514 Created on..............: 1993-04-01. Expires on..............: 2011-10-20. Record last updated on..: 2009-07-25. Domain servers in listed order: ppns1.phx.paypal.com ppns2.den.paypal.com ppns2.phx.paypal.com ppns1.den.paypal.com

I would not use this method of payment either

[bruceslog]

As mentioned in several posts before this one, I prefer to be redirected to PayPal's own website, and being asked to confirm my UID and password there. The whole idea behind PayPal was always anonymity when making payments online. The website you were purchasing from never had a chance to get your payment information. Being redirected to PayPal to make such an 'anonymous' payment to any website, made transactions safe and secure ( with any legitimate website, anyway ), and it also let me double check that I was indeed being redirected to PayPal, and not to some web page in Nigeria. . With this API, I don't think that I can never be sure of that. Too much is happening behind the scene. I would be entering my payment info into the web server of company xyz. In fact, alot of different company xyz's, throughout the year. Are each of these companies promising me that they aren't keeping my payment info ? Is my payment info being automatically and silently backed up into a dozen places on the operating system ? Histories ? Web Logs ? Is company xyz promising me that their system is well maintained, locked down, and they can safeguard the information that I have entered into their web page ? Will there never be any scripts on their web server that can capture my information and send it to Nigeria ? I don't think so. I don't see why PayPal is moving away from the security model that sold so many of us into using their service to begin with. And, just for PayPal's information, I don't like the new idea. I guess that all I can hope for is that PayPal insists that all of their clients include a link for me to go to the PayPal webpage to complete a transaction, just the way it has been for years now. And put that link somewhere close by this new API gizmo of theirs..