Digital Cash Payoff
PayPal’s fraud-busting technology makes it easy for people to pay one another over the Internet–and may give credit card companies a run for their money.
Around the time he immigrated to Chicago from Ukraine as a teenager in 1991, Max Levchin became obsessed with cryptography. Living under the old Soviet regime convinced him of the need to carry out communications undetectable by authorities. As a computer science student at the University of Illinois, he immersed himself in the mathematics of creating and breaking codes, not only making it the focus of his studies but also, he says, turning his pursuit into a “huge hobby” that consumed countless days and nights at the supercomputer center on the Urbana-Champaign campus. Dreaming that he would one day profit from his passion, Levchin aimed to start a company that would process financial transactions over the Internet, devising codes so secure that hackers wouldn’t be able to read the data even if they intercepted them. He moved to Silicon Valley after graduation in 1998 to make good on his goal.
It didn’t quite go as planned-but close. Now a worldly 26 years old, Levchin is the cofounder and chief technology officer of PayPal, the Palo Alto, CA, company that has suddenly become the leading processor of person-to-person, or P2P, payments over the Internet. Just as Napster allowed people to directly share music online, PayPal enables people to exchange money instantly without having to open expensive merchant accounts to accept credit cards. Yet to Levchin’s surprise, advanced cryptography has had little to do with PayPal’s success. Rather, the company’s rapid adoption by millions of small businesses and individuals operating chiefly on Internet auction site eBay is largely credited to Levchin’s more recent obsession: developing financial surveillance software that closely monitors PayPal’s customers and almost instantly alerts both the company and law enforcement officials to any suspicious account activity. “We mine millions and millions of transactions in real time,” Levchin says.
Limiting illegal transactions is crucial to the long-term survival of Internet commerce. Since consumers aren’t typically liable for fraudulent use of their credit card numbers, they usually don’t worry much about these numbers, or even their very identities, being stolen. Merchants, however, are keenly interested in stopping such swindles, because they are the ones who have to eat what is estimated to be $2 billion in annual credit card fraud losses, with a disproportionate share of those losses occurring online. Whereas Visa reports an overall fraud rate of .07 percent, a Gartner study of Web merchants indicates the figure soars to 1.13 percent for online transactions. In other words, buyers and sellers online face a 16 times greater risk of not being able to recover the money or merchandise due to them.
PayPal claims it has found a way to bring the online fraud rate down to less than .5 percent, thus eliminating 60 percent of the risk of taking credit cards online. It is this ability to combat criminal behavior that has enabled the privately held company to raise a whopping $211 million in equity financing, with more than 40 percent of that coming after the great Internet implosion that abruptly ended so many getrichquick.com schemes. And in September, PayPal announced plans to complete an IPO worth up to $80.5 million.
At a time when few startups can exhibit a clear competitive edge, Levchin’s fraud-monitoring software-dubbed Igor, after a Russian hacker it helped detect-may very well be a technological silver bullet that largely eliminates one of the chief obstacles to conducting commerce with strangers around the planet. But PayPal’s potential for widespread growth has been a cause for alarm in the $2.7 trillion credit card industry, which seems fearful that the company could displace Visa and MasterCard, first on the Internet and then offline. PayPal could “cut the legs off of banks and credit card companies,” says Kjell Hegstad, senior vice president of business development at ING Direct, a U.S. arm of Dutch banking giant ING Group, which has taken a “know-thy-enemy” approach to matters by investing in the upstart.
T he backbone of PayPal’s success is its fraud squad. Levchin heads a team of 100 employees, about one-sixth of the company’s personnel, who work full time fighting fraud and fine-tuning Igor’s ability to ferret out scams. By watching Igor’s constantly changing graphics for red flags, alerts and statistical anomalies, the fraud fighters can pinpoint accounts exhibiting unusual patterns of activity that signal certain transactions may be fraudulent-things like one user attempting several transactions at once, high dollar amount transfers, or payments being sent to notorious locations or unverified addresses. “The system is conducive to rapid investigations,” Levchin says. When Igor detects dubious activity, humans review the evidence and decide whether to freeze the corresponding accounts.
Igor has to not only move quickly but also be right. As it tested early versions of the software, PayPal was hit with a customer backlash when Igor got overzealous and prompted employees to inactivate many legitimate users, who were suddenly unable to send and receive money. When those users couldn’t get through to PayPal’s flooded customer service department, a spate of complaints to the San Jose, CA, Better Business Bureau followed, leading to a public-relations disaster. The company has since refined Igor to hone in on only the most suspicious behavior patterns, and it has staffed an Omaha, NE, call center with more than 400 customer service specialists and operations staff to handle inquiries and quickly unfreeze accounts when appropriate.
PayPal also has several patent-pending techniques for verifying its customers’ identities. For example, when a member signs up to allow the company to directly debit and credit her checking account for PayPal transactions, the company makes two tiny deposits into that account-say 14 cents and eight cents. Once the member learns the amounts (from an online, phone or paper bank statement), she must enter the correct figures on PayPal’s Web site to activate the link. “This verifies their identity and tells us that this person has control over that account,” says Levchin.
Once the user’s account is active, Igor’s pattern detection algorithms start monitoring it. While Levchin won’t reveal much about what Igor looks for, this much is clear: Igor incorporates some of the oldest and newest techniques from the field of artificial intelligence. It is an expert system that knows a series of rules (for example, if money is being transferred from a U.S. user to a foreign one, then check whether the foreign user is in a country approved for PayPal usage). Igor also incorporates a neural network that “learns” new types of fraud over time. If a certain user keeps linking new credit cards to his PayPal account, then opens another account under a different e-mail address and attempts to link some of the same cards, Igor will learn the intricacies of that scam and watch more carefully next time.
Policing electronic payment activities is becoming more and more challenging. Last May, officials from the Federal Bureau of Investigation revealed the results of Operation Cyber Loss, a sweep of stings that led to the arrests of 90 hackers charged with defrauding 56,000 citizens of $117 million, mainly through online auction fraud, stolen credit card numbers traded and used over the Internet, and wholesale identity theft. Months before those arrests, PayPal and the FBI first began sharing data and evidence with each other. Levchin says that FBI agents have been dropping by PayPal’s offices on a regular basis, comparing Igor’s red flags with tips that the FBI collects through its Internet Fraud Complaint Center Web site.
Both senders and receivers of cash have primarily been drawn to PayPal not for its safety but for its speed and simplicity, especially when it comes to completing messy eBay transactions. In the past, the seller of a vintage guitar, a rare book or any other eBay item had two ways to receive payments-either via a check sent through the mail or by accepting credit cards. Before PayPal arrived in October 1999, 90 percent of eBay transactions were completed by check, a process that typically takes five to 10 business days, as sellers generally wait for the check to arrive and clear before they ship their merchandise. Credit cards, although timely, are impractical and too expensive for part-time merchants and individual sellers, as account charges and transaction fees can consume upwards of six percent of each payment.
PayPal promised a way to solve this conundrum by making it possible to instantly complete transactions, a feat that prompted thousands of eBay sellers to begin offering it as a payment option. When the first million buyers responded to PayPal’s offer of a $10 incentive (since cut to $5) just to sign up, the service quickly achieved critical mass.
A user enrolls at the company’s Web site by linking an existing credit card or checking account to a new PayPal account. A valid e-mail address for the recipient is all one needs to send someone else money; her name and physical location aren’t required. The recipient receives a message letting her know that her money has arrived. If she is not already a PayPal member, she must sign up to claim her funds, which can be transferred to an existing checking account (or sent by check). PayPal’s process has made sending money as instantaneous and convenient as e-mail itself. Since anyone can pay anyone else this way, PayPal’s service has rapidly transcended eBay and is now accepted at more than 20,000 Web sites-and can even be used to pay debts incurred offline. If you owe a friend $6.50 for lunch, you can use PayPal to e-mail him the cash using any Internet-enabled device, from a cell phone to a palmtop gadget.
So far, the best proof of PayPal’s success is its viral rate of growth, from virtually nothing two years ago to more than 200,000 transactions completed each day. That’s still a far cry from Visa’s aggregate volume of over 200,000 transactions every minute, and it represents less than five percent of all e-commerce. But PayPal, in short order, has become the most visited Web site for personal finance, and it processes payments for one out of every four eBay auctions.
Unlike many popular dot coms, PayPal is supported by a business model that Peter Thiel, PayPal’s 34-year-old CEO, says will bring in nearly $100 million in revenue in 2001, making the company profitable. While PayPal was free for both buyers and sellers during its first year in business, sellers who accept credit card payments now must pay a 2.9 percent fee, plus a flat 30-cent-per-transaction surcharge, which adds about another half a percent to the tab for the average PayPal transaction of $50. Volume continued to explode even after PayPal imposed these fees. That’s because traditional credit card companies charge online merchants even more-as much as six percent. Thiel claims that PayPal can turn a profit on such low transaction fees because of its success minimizing fraud.
All this growth hasn’t gone unnoticed by the giants of the credit card industry, which have been scrambling to catch up. Bank One, one of the nation’s five largest bank holding companies and parent of credit card company First USA, launched eMoneyMail in March 2000. Within six months, however, the online payment service shut down after experiencing a fraud rate reported to be as high as 25 percent. Bank One spokesperson Tom Kelly confirmed an unacceptably high fraud rate but said, “I don’t think we have a lot of interest in talking about it.”
In the fall of 2000, Citibank, the nation’s largest bank and credit card issuer, introduced c2it (pronounced “see-to-it”), a P2P system being marketed via multimillion-dollar deals with Microsoft and America Online. It only managed to sign up 100,000 customers in its first year, despite offering a $10 sign-up bonus, but officials aren’t letting up. “This business is strategically important to Citi,” says Antony Jenkins, chief operating officer of c2it. “At the end of the day, processing transactions is what banks do.”
Then there’s eBay itself, which acquired PayPal rival Billpoint and began running it as a joint venture with San Francisco banking conglomerate Wells Fargo in March 2000. All these competitors combined have managed to eke out only a tiny market share against surging PayPal. “PayPal had a bit of a head start,” says Kevin Pursglove, eBay’s senior director of communications, “and they are very aggressive.” He adds, however, that “the market is still young,” and that eBay thinks Billpoint will soon begin to achieve something like PayPal’s critical mass.
Traditional credit card issuers seem to be spooked by PayPal, and not just for fear of losing out on online transactions. To understand why, one must understand a basic fact about PayPal’s business model. Let’s say that Julia has just won an eBay auction for an antique lamp, agreeing to pay $276 plus $24 in shipping costs. The seller, whom she only knows through the eBay handle LampMan and his e-mail address, firstname.lastname@example.org, advertises that he accepts PayPal. Already a PayPal member, Julia goes to PayPal.com to send the $300 total payment to that e-mail address. At that point, she has two options. She can instruct PayPal to charge her Visa or MasterCard, or she can have the amount debited directly from her checking account.
Although PayPal claims to be indifferent to the outcome, Julia’s choice makes a big difference financially. If she opts for the credit card, PayPal becomes the merchant of record on the transaction and must pay Julia’s credit card company a two percent “interchange fee.” After collecting the same two percent from LampMan, PayPal essentially breaks even. But if Julia chooses her checking account, PayPal doesn’t have to pay the fee, and it still collects the two percent from LampMan. PayPal, therefore, has the financial incentive to shift as much business as possible to checking accounts. However, if PayPal moves too aggressively to phase out use of credit cards, it risks antagonizing Visa and MasterCard, which currently offer the company their lowest fees, under the assumption that PayPal is significantly increasing the industry’s overall volume.
Thiel and Levchin are careful about such questions. “Yes, we make a bigger margin [on checking-account transactions],” Thiel says. “But we don’t envision displacing Visa and MasterCard. We are enabling consumers to make their own choices. We can’t force them.”
PayPal’s attempts to get customers to abandon traditional banks and credit cards belie this statement. One such enticement: the PayPal money market fund, managed by Barclay’s Global Investors. Under this option, buyers and merchants can earn money on the funds they keep in their PayPal accounts, which makes transactions even simpler and more profitable for the company. More recently, PayPal introduced debit cards, so that customers can use their PayPal accounts for offline transactions as well. If PayPal’s more than 10 million members start using the new debit card instead of credit or debit cards issued by MasterCard and Visa, these giants may begin to see their market share erode.
So Thiel’s claims about having no designs on credit card companies aside, these moves, along with PayPal’s recent launch of an online bill payment service, have exacerbated fears that the company has set its sights beyond online transactions. Such suspicions are rampant even among the company’s own backers. PayPal’s seed money has come not only from traditional venture firms like Goldman Sachs and J. P. Morgan Chase but also from banks like ING, Providian and Germany’s Deutsche Bank, which are hedging their bets against PayPal’s expansion. “Unless they’re partnering with PayPal, banks aren’t keen to see it succeed,” says ING’s Hegstad. “What bank would want to give up ownership of its customers?”
Citibank, with its c2it service, is especially anxious to counter PayPal before growth gets out of hand. “This is a huge opportunity,” says Citibank’s Jenkins. “Technology always changes the way financial services get delivered. Credit-scoring software and database marketing led [30 years ago] to the credit card industry itself. In the future, we think that everyone who now has a credit card will also have a P2P account.” But in the wake of debacles like Bank One’s eMoneyMail, Citibank is proceeding cautiously. “We wanted to understand the fraud component before we mass-market the product,” adds Jenkins.
Even as it contemplates past lessons, Citibank is following a strategy plotted by PayPal-which has already learned so well from past failures that rivals may find it difficult to catch up. Indeed, PayPal’s founders are adamant they wouldn’t have achieved their current position without learning from early failures in the digital-payments marketplace.
The company was born in the fall of 1998, when Levchin, newly arrived in California, attended a lecture at Stanford University given by Thiel, then running his own hedge fund. The two got to talking afterwards and made a breakfast appointment for the following morning. By the end of that meal, Thiel had agreed to help find funding to develop and market Levchin’s software, which at the time scrambled transactions sent between mobile Internet devices.
As he took up the quest, however, Thiel immediately hit a solid stone wall of skepticism. Although funds were flowing freely to thousands of half-baked Web ploys at the time, the market the two men were eyeing was already littered with high-profile fiascos like CyberCash, DigiCash and First Virtual as well as dozens of lesser-known flops aimed at popularizing new brands of encrypted digital currency for online payments. “We met with a hundred different venture capitalists,” Thiel recalls. “A lot of people told us it was insane to be going into this space.”
As the company struggled to get off the ground, however, Levchin and Thiel delved deeply into the state of digital-cash technology in order to learn from the spate of calamities and bankruptcies in that market. “There are a half a dozen different theories about why DigiCash and all the others failed, and all the theories are valid,” says Thiel. “We tried to avoid making the same mistakes.”
The first mistake involved complexity. Most of the early digital-cash solutions required users to download hard-to-use software, known as digital wallets, that encoded money in an encrypted format; consumers simply refused to go to all that trouble just to pay for something. What’s more, merchants had to adopt a standard called Secure Electronic Transactions for deciphering encrypted payment codes; those systems typically required the purchase and installation of sophisticated workstations.
PayPal opted for the far simpler Secure Sockets Layer encryption method-built into most browsers and already used by many e-commerce companies-to scramble data sent by its customers. The system also relieves merchants from the obligation to protect their customers’ financial data; indeed, that data is never in their hands. PayPal sends no payments or payment codes by e-mail. Only notifications about transactions are transmitted over the Internet. When money is transferred between accounts, the debits and credits happen only on PayPal’s secure servers in California, which cannot be accessed over the Internet. “All the money lives and dies on our servers,” says Thiel. “We decided to force all the complexity of keeping transactions secure upon ourselves,” adds Levchin. “Consumers and merchants shouldn’t have that burden.”
Micropayments were another holy grail of some early digital-cash companies. Ill-fated ventures like First Virtual and Digital Equipment’s MilliCent aimed to create payment systems that could handle transactions under $5-even those of just a few pennies-potentially opening up vast new markets for selling news articles, songs and other low-priced information goods. Yet micropayments never caught on, possibly because users didn’t appreciate being nickel-and-dimed to death and possibly because there really isn’t much money to be made collecting change. “It reminds me of that Saturday Night Live skit,” Thiel says, about the First Citiwide Change Bank, which specialized in exchanging coins for dollar bills. The punch line was, “All the time our customers ask us, How do we make money doing this? The answer is simple: volume.”
Instead of promoting micropayments as a separate market, PayPal simply processes small charges like any other transaction. While the maximum is set at $10,000, PayPal will process payments as low as one cent. The company, of course, loses money on such tiny transactions, but Thiel says there haven’t been enough of those to cause a problem. “If it becomes a major expense,” he says, “we could change our policy very quickly.”
Another roadblock for early digital currencies was their lack of liquidity. DigiCash and more recent flops, like Flooz (a currency used for giving gift certificates that could be redeemed at certain Web sites), weren’t denominated in dollars but were more like poker chips in a casino. You couldn’t spend these strange new digital currencies universally, and that made people reluctant to accept them. “Money needs to be liquid,” says Thiel. “The most popular currency in the world is U.S. dollars.” PayPal has customers in 36 countries, and it charges higher rates for international money transfers. But to keep transactions on one simple level among all its members, there are no currency conversions. With PayPal, everything happens in U.S. dollars.
By far the biggest obstacle for any company trying to create a universal payment system is trust. Visa, MasterCard, American Express and Discover have spent billions of dollars building up trusted brands through advertising and marketing campaigns. PayPal has hardly spent anything. Instead, it issued a guarantee. It now ensures merchants that follow certain rules that it will reimburse them for any fraudulent transactions. The chief rule is that merchants must ship all merchandise to the account holder’s official address, with no items going to a buyer’s “office address,” for instance. Stealing a credit card number, insisting on a phony shipping address, walking away with the goods and sticking the merchant with the bill is one of the most popular swindles on the Internet. PayPal’s rule and guarantee may seem simple (though the company has drawn some heat for not extending the same protection to defrauded buyers), but mainstream credit card companies have been unwilling to take even those steps.
Fighting financial fraud in a world of interconnected data networks isn’t just a way to save some money; it is and must remain one of the core competencies of the world’s banking system. That’s why, possibly fearing PayPal really has developed technologies and tactics to combat con artists better than anyone else, especially in the tricky Internet commerce arena, the giants of the industry have organized themselves to fight back. In recent months, longtime rivals Citibank, Bank One and Wells Fargo banded together with some two dozen other companies to form Project Action, an alliance aimed at standardizing secure Internet payment transactions. In what could be the ultimate compliment, PayPal hasn’t been recruited to join.
Become an MIT Technology Review Insider for in-depth analysis and unparalleled perspective.Subscribe today