PayPal Introduces Open API

m2pc writes "PayPal has just announced the availability of their Open API under the 'PayPal X Program.' This enables developers to integrate PayPal payment processing services without forcing users to redirect to PayPal's website to enter payment information. This new initiative is designed to allow the company to better compete with the likes of Google and Amazon, which offer similar services. I wonder how much they paid for their domain: x.com?"

API???

[click2005]

Another Price Increase

one-letter domain?

[Tolaris]

Since when are 1-letter second-level domains allowed? I thought it was limited to two letters and up.

Re:one-letter domain?

You were wrong. http://en.wikipedia.org/wiki/Single-letter_second-level_domains

Re:one-letter domain?

[Itninja]

One-letter names are allowed. But they were all taken within a very short time. I think about 26 seconds.

Re:one-letter domain?

[onefriedrice]

Wrong. One-letter domains were never made available by ICANN except for just a few exceptions made because of trademark issues: q.com for qwest, x.org for the former Open Group and a few others, including (obviously) x.com, though I don't remember who was the original owner of that one.

Re:one-letter domain?

[sopssa]

PayPal has always owned it:

The current incarnation of PayPal is the result of a March 2000 merger between Confinity and X.com. X.com was founded by Elon Musk in March 1999, initially as an Internet financial services company. Both Confinity and X.com launched their websites in late 1999.

http://en.wikipedia.org/wiki/PayPal

Re:one-letter domain?

[greatica]

I heard it used to belong to some ridiculous group claiming ufo defense or something.

Re:one-letter domain?

x.com used to be an on-line bank. It was founded sometime around 2000. They were originally competition for PayPal: their tagline was basically, "you can e-mail money."

When they first started, if you opened an account with them, they actually gave you $20 for free and mailed you a debit card. The only problem with their system is that they didn't own any ATM's and you had to mail in deposits (or do direct deposit via ACH.) So it didn't last very long. They eventually got bought out by PayPal, and so now PayPal owns the x.com domain name and their businesses licenses, etc. I believe it was after the purchase that PP started offering debit cards, so I'm guessing they are doing so under x.com's state charter.

Re:one-letter domain?

[nacturation]

Slashdot already owns /.org but it's a real bitch to get browsers to recognize the URL.

Re:one-letter domain?

[eulernet]

Archive.org has the whole history of the site:
http://web.archive.org/web/*/http://www.x.com

Before 2000, it was owned by Rob Walker, then purchased by a company named x.com, which became Paypal:
http://web.archive.org/web/20000520015239/http://www.x.com/

Um...guys....

[Itninja]

I was doing this on an ecommerce site I administered like four years ago. It was called PayPal Payments Pro (or some such) and cost $20/month. No redirects at all. Other than the new domain, what's new? Is it free now?

Re:Um...guys....

[jjohn24680]

PayProFlow is their credit card payment gateway, and handles other kinds of related transactions (debit cards, pre-funded cards). It appears this API ties to their main payment system (transfer funds between PayPal accounts) rather than credit cards. The company I work for uses their gateways to process transactions for both credit cards and also payments between PayPal accounts. Currently, if someone wants to receive a payment from us, they have to go to the PayPal website and create an account there. Once they have an account, we can use the existing API to transfer funds. From the article, it appears that you can use this API to create a new account, which is something that I don't believe can be done at this point.

Paypal was originally x.com

[SashaMan]

Paypal has owned the x.com domain since before they were paypal (check wikipedia), so while x.com probably wasn't super cheap back in 1999, it's not like they just purchased it.

Re:Paypal was originally x.com

[loshwomp]

X.com was one of the companies that merged to form PayPal. They epitomized the bubble "land grab" mentality by giving away free money to attract customers.

I still have a check for $0.01 sent to me (for no obvious reason) by "PayPal's X.com" during the bubble days. It's such a perfect metaphor for the stupidity of that era that I just had to save it and frame it.

I wonder what PCI implications this will have.

[marbike]

A lot of companies expend a great deal of resources in order to conform to PCI-DSS. The need for extensive testing, Web App Firewalls and the like is a pricey and time consuming activities for merchants dealing with PCI. When seasoned developers often forget to mask PANs, I wonder what the novice developer will do. I hope that this service will include some PCI guidelines so small merchants won't get bit in the ass by the certification bug.

redirect is better

[bolthole]

I personally LIKE the redirect. I LIKE only inputting my credit card/whatnot information to paypal.com directly, instead of some random site that I'm doing a one-time transaction with and will probably never see again.

Re:redirect is better

[webheaded]

Yeah, I'd have to agree. I generally shy away from websites that directly ask me for a username and password for another site. I don't care who you are, but after all the phishing emails and such we've seen over the years, you'd have to be pretty dense to not feel at least a little uncomfortable with something like this.

Re:redirect is better

Sort of off topic, but something that might interest you if you haven't seen it before is a feature Citi offers with their credit cards called virtual account numbers. Basically, it allows you to generate different numbers that point back to your real account and are only good for one use. You can also limit the amount of time they're active as well as put a cap on how much money can be drawn from it. Pretty cool.

Re:redirect is better

[amasiancrasian]

+1 post; allowing website owners to directly process user/pass info for PayPal is potentially a dangerous move if all sorts of security audits/nefarious site owners are processing login info. There's definitely potential for abuse because the redirect kept the user/pass separate from the app processing. We implemented SSO handling via CAS because we could train users never to type in their user/pass on any site except for sso.bigcompany.com.

Further, even banks require all sorts of audits if a website is handling credit card info directly. We have to undergo all sorts of security audits (e.g are you storing cc numbers? who has access to your code? who has access to your database?) before we were even allowed to touch a cc gateway.

Re:redirect is better

[DigitalCrackPipe]

I hope they continue to allow the explicit paypal.com visit. Otherwise I forsee bailing out of a number of transactions due to the sketchiness of giving free access to your bank account to some random site.

Re:redirect is better

[tlhIngan]

Not to mention, there'll be a whole host of XSS crap going on so that sites can grab your login information to Paypal from their website. After all, their site has to include the paypal stuff in it, who's to say that "submit" button isn't "send us and paypal your login"?

If using Paypal, I expect to visit Paypal's site to log in. (There were some XSS used to get the site's inventory into Paypal, but that's a different issue, and it happens before login).

My Paypal information is valuable - I don't want to trust some oddball website with it. I hope there's a "Redirect to Paypal" link I can use instead of this stuff...

Bummer!

[timeOday]

As an end user, to me the value in going through a centralized payment service is the security of having only one reputable company (PayPal) handling my personal information, instead of having every vendor out there from whom I've ever bought anything potentially putting my CC# into their database. Forget disintermediation via this API, I'd rather go the other way and have assurance from the middleman that the vendor will never get anything they don't need for order fullfillment - that is, just my name and mailing address.

Re:Bummer!

[nametaken]

You're kidding, right? Did you just call PayPal a reputable company? You clearly haven't had an account seized for no particular reason... or the various other nefarious shit they're known for.

Re:Bummer!

[Phroggy]

They are a reputable company, in that they have a reputation.

x.com

[JoeF]

They didn't pay anything for x.com. They were x.com originally.

Security?

[Manip]

This is sad news for me personally.

I always liked that I got redirected to PayPal.com to enter my PayPal details. Allowing me to check the SSL certificate and avoiding certain kinds of phishing fraud. Plus keeping my login details out of the hands of third parties who might enjoy looking at my payment history (which I agreed to in line 9999 subsection 5, amendment 3 of the T&C).

Ironically while PayPal moves away from a redirection systems the big credit card companies (VISA, Mastercard, etc) are moving into one. Now often bringing up a password page operated by your CC company in order to verify that you haven't stolen card details.

No parking.

[Snufu]

I wonder how much they paid for their domain: x.com?

It's variable.

This is a bad idea because...

[phiz187]

This is going to make users accustomed to entering their paypal credentials into all sorts of unique interfaces, on a variety of websites. It is going to condition users to be less guarded about their paypal credentials. As it stands now, you basically only enter your PayPal credentials into either the PayPal.com or Ebay.com domains. Users know that if anywhere else asks for their credentials, that it is a phishing site. I think this is going to be a minor disaster for PayPal. But hey, maybe they're cash-flush enough to eat the cost of all the new fraud claims that are going to result.

Re:This is a bad idea because...

[gravyface]

I have a newsflash for you Walter Cronkite: users wouldn't know the difference between ebay.com and ebay.ha.ha.pwned.com if it had an eBay logo on it.

Poor choice of words...

[raehl]

He meant greedy business entity strongly financially motivated to avoid any uncontrolled release of your information.

PayPal very diligently acts to protect their bottom line. You may not like their policies on withholding balances, but that same financial diligence also goes in to maintaining security to prevent the huge financial losses that would occur should the public no longer perceive paypal as secure.

Re:As a representative of one burned by PayPal

[Have+Brain+Will+Rent]

In Canada there is Interac where you can send money by email - I assume there is something similar in the US. An Interac transfer is as good as a wire transfer - i.e. when the money gets to your account it is yours period. There is also HyperWallet which is popular with the credit unions and some other institutions.

There goes all the conditioning...

[foxtyke]

I have spent the better part of my digital life convincing people that Paypal credentials should ONLY be provided when on Paypal.com, when you have a nice SSL certificate showing Paypal, Inc. and the like.

Granted you could place your credentials on retailer sites through existing APIs but most retailers recognized the need for consistency and helped condition Paypal users to expect to be taken to Paypal.com to complete the transaction and then back to the retailer site.

I agree, the chances of phishing success just went up considerably with this decision and more likely than not, it will be affected normal everyday users of Paypal more than the new users.

thanks sirs - exciting news

[postmortem]

Dear Sirs,

These are great news that promise increased effectiveness and efficiency in money transfers for humble users from Nigeria.

Additionally, if you could assist me in transferring some funds from our deceased noblemen, you will truly be awarded.

Yours Faithfully,

Dr. Akeem Biobaku

Re:As a Developer

[nacturation]

Why on earth would I want to add the burden of handling and protecting sensitive financial information when I can just send the user to a website they are familiar with to complete the transaction? No credit card numbers in my DB to steal, added trust for the user - this API seems like fail-fail.

If you're storing credit card numbers, you're doing it wrong. Here's how it should happen:

• Your payment page is SSL secured and people enter their CC details
• Your web server sends it through an SSL-secured API to PayPal
• PayPal responds with the result
• Your web server does or doesn't approve the order as appropriate (this is the ??? step)
• Profit!

The only storage of sensitive information that goes on is inside the server's RAM and it gets discarded from RAM once the transaction concludes.

Security risk?

[mysidia]

The new PayPal APIs allow developers to engage customers directly within their own applications rather than forcing them to port users off to the actual PayPal site. Users who don't even use PayPal can actually sign up for PayPal within the third-party application and begin making PayPal payments seamlessly from within the third-party application.

So now you're relying on a third party application running on your vendor's website to not secretly cubbyhole a copy of your PayPal password as you use the third-party site to login or register for PP ?

there is a solution

[commodoresloat]

We have a site that can ease your mind about such transactions, and we can even alert you to suspicious activity! Kindly provide the following information and our salespeople will get you set up:

Name:
Paypal Username:
Paypal Password:
Social Security Number:

Re:As a Developer

[Jherico]

The problem here is if I'm not redirected to PayPal, I'm offering up my palpal authentication information to a third party in the hope that they're going to use it for the transaction I've authorized and nothing else.