We’re going to see the emergence of RegTech as an industry: Sri Shivananda

Sri Shivananda, SVP and CTO of PayPal, talks about what’s driving the digital payments space, security challenges, and why RegTech is the next big thing in the game.

Since its inception in 1999, PayPal has had a front-row seat in witnessing the monumental transformation in the digital payments space.

Raking in over US$15.4 billion in revenue in the last financial year, PayPal exceeded the US$100 billion mark in total payment volumes in 2017. A tête-à-tête with the man spearheading technology at PayPal, Sri Shivananda, SVP and CTO, throws light on the tech innovations that take center stage in the digital payments space, the impact of IoT, and the evolution of RegTech as an industry.

Edited excerpts

Sri, could you run us through some of the trends in the digital payments space – both from a consumer as well as from a merchant point of view?

Digitization and mobile are the two most noticeable trends, even though most of the world still operates with cash. Even in advanced countries like the US and in Europe, 30 percent of the transactions are still cash transactions.

There's a lot going on in person-to-person payments and e-commerce. The core innovations are around securing identities. Earlier, the user experience was uniform for all users. Over a period of time, that became segment-centric. And now, we're beginning to see the dawn of hyper-personalization – you understand the individual and create experiences that cater to that person.

Another focus area is to eliminate friction from payments, while ensuring that transactions are secure. There's a lot of effort around making multi-factor authentication as seamless as it can be, and in some cases, to make it more implicit than explicit.

As opposed to generating OTPs, there are so many other attributes that can be used to authenticate transactions - be it device-related or location-related. You can now identify a person through implicit multi-factor authentication.

In addition to this, payments are beginning to become more ambient. The consumer experience of payments will go a bit into the background. Subscriptions, for instance, are recurring billing agreements that are carried on in the background.

Merchant experience, on the other hand, is defined by the scale of their business. For a large enterprise, you have to give them all back-end capabilities in addition to front-end applications so they may conduct their business in a compliant manner.

Merchants are now beginning to ask for risk functions – they need us to run a risk check to see if a transaction should or should not be honoured. Merchants expect us to provide reliability, security, risk management, back-office management, and pretty much everything a payments player is expected to do.

What's your vision of the digital payments space in 2020? Where is the industry heading?

The scaling of digital payments has not even hit the starting point. There is so much more digitization to be done; we're at least a decade away from full digitization.

We're also going to see IoT playing a significant role in purchase behaviours and mechanisms. First, we replicated the physical store with a website. With the advent of mobility, we turned towards apps.

The question you need to ask yourself is: what if commerce came to you?

We foresee the emergence of RegTech as an industry. We'll now have to explore technology platforms that will support RegTech. I wouldn't be surprised if some cloud providers start including some of these functions in their offerings.

With the widespread proliferation of IoT, what has changed in the digital payments architecture? How much of the core architecture needs to change?

There are three aspects to this – there's the core payment operating system, which is the utility – this comprises identity, payments, risk and compliance. Think of this as the brain of the system. But lying on top of this is customer experience, and this changes every month or every year.

It used to be web only for almost a decade, then mobile came into the spotlight, and now it's on an IoT interface.

But all of these continue to be built upon the same brain. Strong payments, risk and identity platforms are durable and will continue to evolve. The ability to deliver new experiences will also matter.

So, the brain and the back-office management remain the same. The layer above that – the customer experience – is dynamic and is continually changing.

Now IoT also gives rise to questions around security – both at the back-end, as well as at the device level. Added to this is the challenge posed by the massive volume and velocity of data. How is PayPal bracing up against these challenges?

We've always been a company that doesn't share customer data with any merchant. We use methods like tokenization, where a customer’s payment credentials are vaulted only with PayPal.

We generate one-time use tokens that can only be used with a particular merchant, at a particular point in time. This means that even if someone manages to get hold of the token, they can't really do anything with it because the token is encoded with the user's location and is valid for a duration of 10 seconds.

Card data is in the vault and is used only in the back-end. We, as a company, have always believed in the concept of paranoid computing. We've built our systems in a way that expects the environment to be hostile.

Internally, the way you treat data is very critical. Crypto-resiliency is of key importance here. It's the ability to encrypt data in a way that cannot be broken at any point in time. This not only means using the most modern ciphers, but also re-encrypting the data even if there's no customer activity.

Even when we're transmitting data between our own datacenters, we use the HTTPS protocol between two machines.

We are in the business of trust. So when a customer entrusts you with their data, treating it like your own and keeping the worst possible contingencies in mind, is of immense importance.

Additionally, the adoption of DevSecOps ensured that everyone who builds software is accountable for their system being reliable and secure. When you bring in accountability, people take ownership. Now we have 5000 engineers across the company focused on reliability and security in addition to building applications and features.

A lot of organizations – from banks to ride-sharing companies to WhatsApp – have their own payment gateways now. In what way is PayPal leveraging technology to stay relevant and ahead of the curve?

In the long run, every customer will question how many payment instruments they would like to carry.

The companies you pointed out offer something else as their primary value proposition and payment services as an add-on. Most customers are not comfortable with providing their payment credentials to each and every payment gateway. Consumers are looking for convergence.

We want to be the payment operating system for the world. What we can do is to allow companies to have payment-processing capabilities without having to actually function as a payment company.

And therein lies the power of our global platforms – 200 markets, with 100 different currencies, catering to 267 million active users, including merchants. When consumers see PayPal on a merchant site, they feel comfortable because they don't have to share their payment credentials. A lot of companies have been able to overcome the barrier in processing payments, but the barrier to scale still remains.

Quite recently, one of India's leading private banks experienced an outage that lasted for a couple of days. We've seen the same happening with other payment gateways. How does PayPal ensure that it's always up and running?

We started off as an internet company, so scale has always been a part of our DNA. Over the years, we've focused on standardization, redundancy and resilience. We've also ensured that we operate all the applications that serve PayPal on one common platform.

We've made infrastructure investments in such a way that no matter what we built – be it a web app, a value-added service or changes to the risk engine, the core platform remains the same.

The biggest investment we've made is on observability. It's the ability to monitor every part of the stack and know exactly what's going on.

As companies scale up and process more payments, things start breaking at the seams. We use machine learning to manage capacity by generating projections of payment volumes. We add capacity ahead of time to ensure that when the volume peaks, we are there to serve it all.

Numerous companies are leveraging AI & ML in the digital payments space. What, in your opinion, is the next wave in artificial intelligence?

Machine learning is an extremely advanced method compared to a rule-based methodology. It's because humans wrote the rules and they wrote rules based on biases. ML eliminated those biases.

Organizations are now thinking about machine learning on machine learning. For instance, training can be done using ML. Eliminating bias from the data and maintaining balanced datasets are of key importance.

We are now seeing the emergence of genetic algorithms. Genetic algorithms modify themselves based on the conditions they are subjected to. There used to be a time when the algorithm was a fixed code. But what if that code itself is variable?

The only chance we have to get security right in the long term is through the use of AI. This is because hackers have also started leveraging AI; it's a machine versus machine war.

However, one needs to bear in mind that a combination of human and machine is the strongest. You want the machine to learn as much as it can on its own accord. We used this model in security, assessing risks, and we're now beginning to use it in infrastructure and customer support.

Copyright © 2019 IDG Communications, Inc.
