PayPal’s Arthi Rajan Explains Why Electronic Payments Security & Customer Experience Can No Longer Be Thought Of Separately
The holiday shopping season is once again upon us. Economists are predicting heavy spending, and e-commerce has become dominant, accelerated by the COVID pandemic. For that reason, Cognitive Business News Executive Editor Loren Moss got together with Arthi Rajan, who a few months ago was promoted to PayPal’s Senior Vice President, Global Fraud Risk, Digital Identity and Platform-as-a-Service.
Rajan explains how customer experience and transactional security, including anti-fraud, are not two separate issues, but really two aspects of the same discipline. Retailers, service providers, and even B2B merchants must provide secure, effortless transactions. It is no longer a matter of secure versus effortless, the paradigm has changed. Arthi explains why:
Cognitive Business News: Why don’t you tell me a bit about your new role and responsibility, I guess is kind of along the same trajectory, but it’s just increased responsibility. So what are you responsible for at PayPal?
Arthi Rajan: Yes, so I have led the global fraud teams at PayPal for a little while. That’s essentially a business unit where it’s all-inclusive: data science, product technology. We’re really responsible for the “L” in the “P&L” and that brand of security and trust. So it’s a critical global function, horizontal across all business lines and that’s a role that I’ve had for a little while. The additional responsibilities that we’re expanding beyond are actually very related to foundation of trust at the company. One is really, I think, centered around the fact that increasingly, identity has to be a strong value proposition to our consumers, but also very critical for us to build those frictionless experiences that we hope to build for all consumers and merchants across our ecosystem, and so thinking about how we should pivot, accelerate and really drive additional value through this idea of digital identity is a strategic map for our future.
“If we want to be a true merchant partner, then we need to be able to serve as that platform OS to them.
I’m leading the charge to kind of determine our strategy there and push forward, and secondly, we’ve built a lot of foundational platform services to serve all of our internal, customer base, and our consumer and merchant base, risk being actually probably the most mature, fraud management being the most mature, but there are other, such capabilities, right? Whether it is our ability to do FX whether it is privacy management, compliance management we’re thinking about, and we’ve been on this journey for a little while about how do we democratize access to those. We invest significantly in scale and maturity and innovation in these areas and how do we provide access to our merchant base directly, even independent of payments? And if we want to be a true merchant partner, then we need to be able to serve as that platform OS to them. And, you know, my teams are also leading the charge and figuring out the best way to set up those experiences and build a revenue line along it.
Arthi Rajan is PayPal’s Senior Vice President, Global Fraud Risk, Digital Identity and Platform-as-a-Service.
Cognitive Business News: You mentioned something interesting. You talked about reducing the friction, of being frictionless, and I think that’s really important from both the merchant side and the consumer side because I think one of the areas where, where Amazon had success is in making payments or making purchases so easy. And I think that when, as a consumer, just yesterday I booked a hotel on a website and then I could use a credit card, but it also said here use PayPal and you click on it, and it just goes, and the PayPal screen came up and said, “Hi, Loren, we know it’s you, just a second,” and everything was done. I didn’t have to fool around with that CVV code or anything like that, or what my zip code, it was just, it was just very easy to do.
And that, I think as a consumer, made it very easy or a preferred method to pay without even thinking about it when the merchant side is interesting, because I look at how with one of our publications, we created a membership. I said, okay, how are we going to allow members to—we’re in all kind of different countries—to pay for it? And it’s like: “oh, okay, I can easily create the subscription service in PayPal,” and we have some other services that we used, but they were paused because most our readers are international and at the time it was coming up: “well, they can’t pay this way because this company doesn’t take that country…” Not anything exotic like North Korea, but it was like, “that country, you can’t…” a neighbor two countries away from the US, and it’s like, “we can’t process that, or we don’t have the right thing,” or “enter your zip code.” Well, they don’t use zip codes in that country! But look, if we use this, “here’s a button, click,” when this button takes you through PayPal, and it’s interesting because it just made things easier as a merchant. But one of the things is, there’s always a balance there between making things easy, but then also preventing fraud, because you can put more steps in there and have the super secure setup, or streamline and open everything up so much that it might, in some ways become easier to exploit. So how do you balance, security with ease of use?
Arthi Rajan: Yes. I mean, one, thank you for summarizing the heart of it. I think why PayPal has always been a very compelling value proposition, not just to consumers, but to merchants, it’s sort of the heart of our value system and our philosophy around being truly a commerce enabler and growing that SMB base across the globe, which is the backbone of so many economies. So it was a really nice way through your experience to summarize why we exist and why enabling this sort of idea of a wallet that can be accepted universally is so important, the point on security is one obviously kind of close to my heart. Look there are a few things here, right? There is a very large spectrum of consumers in the ecosystem.
There are extremely digitally aware, digitally native, security aware, consumers, who understand basic cybersecurity principles like keep passwords secure, don’t share passwords, have your computer systems, your phones with the apps downloaded, clean and secure. There are some kinds of basic things around cybersecurity hygiene, and there is a large group of consumers that are very familiar with them, and then you have a whole other set of consumers that are not necessarily already educated, that we have to balance, frictionless with high security, high fraud management type of experiences with, and we’re always going to have that. You have to expect that. I think the few things that become important, one, the consumers that actually I mentioned also, but just speaking about consumers for a second, they don’t transact online with the expectation of friction, right?
They expect to go online, do what they came to do, shop, pay, and get on with their lives. They don’t expect to be slowed down, and every introduction of friction is an opportunity to lose a consumer. The PayPal equation here has pretty tremendous impact to merchants. So merchants go where consumers or accept what consumers want to shop with, and consumers go where they can trust, and go through a shopping experience without having to worry about post purchase, what happened, so both sides of that equation are really important. But like I said, you have to just assume that they expect frictionless, they also expect security, right? Those are very basic expectations. It’s not necessarily a value that you bring to consumers anymore. It’s just the thing you must do if you want that digital economy, that commerce economy to thrive, so that’s one of the fundamental philosophies that we work off of, and everything is built on top of that.
On the balancing between the two types of experiences, there are certain things that are important to consider, how much friction is appropriate when somebody is signing up and entering the ecosystem, you know, the front door, the first time they ever interact with PayPal? In this case, whether you’re a consumer or a merchant, how much do we learn about them in that interaction, both explicitly and implicitly, right? And explicitly, I think it is somewhat managed because there are also regulatory obligations. Like you don’t expect to sign up for a bank account without some basic amount of identity verification. It’s a little bit different I think in digital wallet, or FinTech ecosystem, but there’s an opportunity there to do certain types of identity verification, and there’s a ton of innovation evolution happening there around facial biometrics, etcetera, that allow that experience to be as pain free as possible. And I think of those as explicit ways of building a large, trusted ecosystem with high fidelity identity.
“They expect to go online, do what they came to do, shop, pay, and get on with their lives. They don’t expect to be slowed down, and every introduction of friction is an opportunity to lose a consumer.”
That’s always an opportunity that helps secure the experience past that point without any friction, but one that may not always be available, accessible, or adopted by the consumer base. So then there are all these other implicit behavior signals that you need to be prepared to listen to and do something with, and make something of and translate to the right types of experiences. And those things fall under various categories, everything from where you’re transacting, from your geolocation, what devices you’re coming from, other attributes around the device that present certain types of inherent security risks, right? Like cookie management, like impersonation, man in the middle, scripted logins and signups. There’s a whole set of things that you can learn implicitly and then what’s important to do is invest in the right type of behavioral machine learning & analytics to be able to make sense of the good and bad in that entire section of data.
This combination of explicit and implicit signals allows you to have those segmented, differentiated experiences and set that balance right later in the life cycle. Like as much as you can, when the user is not in the payment funnel, the better off you are, and then you have to really optimize that payment to be very experience centered. I hope that answered the question. It it’s very much about managing the user journey, not just waiting until the point that is the most sensitive to friction to manage that security risk.
Cognitive Business News: You talked about a couple of interesting things there, tools like machine learning, artificial intelligence, and I find it interesting because I travel internationally quite a bit, I’m from one country, live in another, cover several different countries across our different publications, and it’s interesting because there’s nothing more embarrassing than, than you are either a client dinner or something like that, and you’ve got a table full of guests and you’re off somewhere and you’re trying to close some deal or even if it’s a social situation and you’re maybe in a different country, not even just a different country, but even a different state in the US or a different province in Canada, and then you go to pay and then your card is declined and you’re thinking, well, why is this?
And I noticed that, and I guess everybody’s experience is different, but that never happens anymore. If I use my PayPal MasterCard…I’ve got a couple different banks and some banks it’s kind of a, a crapshoot and you don’t know if it’s going to be a surprise, or you checked into the hotel and it’s like, “no! Declined!” You call them and complain, and they say, “it’s for your own protection.” Well, it’s really for their protection! But what kind of—and obviously I don’t want to get into your “secret sauce” or anything like that, but how have you been able to employ these types of technologies like machine learning to balance, to provide that security? To look at patterns and say, “hey, here’s somebody who never travels and all of a sudden they’re showing up somewhere else,” versus “here’s somebody who travels all the time?” How do you manage that, and how do you balance that with, like you said, creating frictionless experiences and protecting both customers and yourself without getting customers upset with you?
Arthi Rajan: One, I will say this is never an easy problem to solve. So I think, we have the advantage at PayPal of investing significantly in machine learning and in AI, especially in the fraud space, since it’s so incredibly fundamental to our brand, it’s not often easy to justify those investments, to centralize those investments and then really deploy the best of talent. It’s not an easy problem to solve, and so I will admit that this is something that we have worked very hard to get right over not one or two years, but over 20 years.
That’s where approaching this problem, I think from very early investments before big data was a thing. So it’s definitely been a journey of many, many years, and I think the financial ecosystem has to catch up, there’s no choice. You know, transaction declines, etcetera, impact everybody, right? They impact, merchants, the most, they impact consumers. It’s not always shopping for something that is disposable, right?
Oftentimes these decline experiences happen at very critical times. Like you said, like at very embarrassing restaurant experience is one such example, but: you are trying to buy a train ticket to get somewhere, that’s a critical experience, kind of fundamental to day-to-day life, and so the more that commerce, digital payments, etcetera are not just about shopping, it’s about financing very intrinsic parts of your daily life. The more important it is to get it right, and so everybody has to play catch up to some extent.
The other thing I will say is on sort of whether it’s machine learning or being nuanced about when is the right time to decline a transaction versus go through perhaps a slightly different type of friction experience, like a step up or a second factor, becomes very important, and that’s what ML allows you to do. It allows you to really segment your risk base into things that you feel very confident about because you have explicit trust.
All of the things that I talked about that you managed over the life cycle of the customer, that you’ve learned enough about them that it’s a pretty low risk transaction, a low risk interaction, and we can let those things go, which things you know are likely to be bad. So the sort of red zone and the green zone, it allows you to separate out and the better your data sets, the more advance your techniques, the better your data scientists are at the art behind the science, the better you’ll be able to separate the greens and the reds. But it’s very important to have the right set of experiences to manage that yellow band, which is not always possible, it’s harder to do at point of sale, more nuanced, requires a lot more capabilities, requires a lot more experience, investments to be made, to be able to take that yellow band of users through alternate experiences that allow them to self-resolve, self-solve a potential decline before it has to be a decline.
We don’t always get that right. I think, the yellow band is very important and that needs to be secure, and it needs to be good enough to serve as a proxy for explicit good, so that’s one thing. The other, I think is more as I mentioned a little bit, or alluded to, the art behind the science. ML is not just about a bunch of machines crunching the whole set of data and spitting an out some amazing results. What goes into tuning, those models, tuning those strategies really separating through very expert intelligence in the fraud space, what are good stories and bad stories and be able to kind of match them up.
“Commerce, digital payments, etcetera are not just about shopping, it’s about financing very intrinsic parts of your daily life.”
A travel example is a great one, right? You see that a user was transacting in the United States, the next day, there is a transaction originating in Europe. Now there could be two very alternate explanations for that behavior pattern. It could be that they took a flight and got to Europe, and they’re now transacting there. It could be that their card was stolen, and it was used somewhere other than where they are, but there’s often a trace somewhere, right? That trace could be because the device that belongs to the user that they have transacted from several times in the past, where they signed up from in very safe, secure sessions that didn’t generate any risk signals is the same device that you see transacting in this new story, right? it could be a device footprint that allows you to say, hey, this is a good story, not a bad story.
It could be a transaction pattern. Maybe there was a plane ticket purchased, maybe there was an airport purchase that happened 10 hours before this transaction originated, and the more you can connect those stories, the more accurate that decision is going to be, and so that’s what the art and science allows you to do. The science allows you to kind of create some probability at rest, but the art allows you to carefully review, look at these feedback loops. When did you get it right, when did you get it wrong, and be able to really manually train those models to do the right things without it being creepy. So it’s very important to do that right because like I said, you could be interrupting a very fundamental experience, critical to day-to-day life of that consumer. It’s important to get it right.
Cognitive Business News: That makes a lot of sense, what you just said. I remember complaining with the bank on the phone one time, “why is this blocked? I bought the hotel reservation with your card, I bought the plane ticket with your card, and I show up in the place where I bought it for and you call it suspicious!?” Öf course they can’t see where you’ve got your hotel reservation from, but they can see that you make travel purchases or that some people travel constantly and other people don’t, and things like that, and to be able to incorporate that and to use that intelligently.
Last question, you’ve been very generous with your time. I think that now, when we look at the technology, with smart devices, whether they’re smartphones, facial recognition biometrics, is there anything on the horizon? You don’t have to share your product roadmap or anything like that, but I can already log into my PayPal app on my phone with my fingerprint and things like that, but still, how can maybe these things be used for security in transactions in the future, in ways beyond just: “okay, I can log into my phone.” How can platforms like PayPal incorporate some of these next generation technologies?
Arthi Rajan: Great question, and one I think, as I alluded to, something that we’re spending a lot of time investing in developing. There are good stories here, and kind of still work in progress innovation happening in the industry in this space. I’ll say two things. One, I think we’ve gotten, managing security, managing identity, managing trust in a low fidelity environment, really, well. We’ve done that part. This is like all of the investments I talked about and the best talent in the industry, the largest of data sets the most technology investment that, I’ve seen be made in this in this space, the industry, we’ve done all of that over the last 20 years, and I think our merchants really benefit at the end of the day.
Apart from consumer security, the more fraud we can prevent going out to issuers, the higher likelihood that issuers are going to also profit more, so net conversion rates for those merchants is very important to them, and very much enabled by all of this investment we’ve made in ML. But that is still as I would call it, a low fidelity identity environment. It is all implied behavioral analytics, implied identity verification. There’s only so far that can go. When I talk about those yellow bands, how do we really think about second factor authentication, how do we think about ways of really triggering those alternative experiences instead of declining transactions, we have to go to out-of-band ways of securing that transaction, and that’s often happens to be OTPs (One-Time Passwords) and SMSs (text messages), which are fundamentally high friction and low security.
The likelihood that the user is going to be scrambling to find their phone in order of respond to a security notification, to complete a transaction are low. It’s likely they’re going to exit that transaction and come back another time, or maybe not. We need to find low friction ways of doing security validation and biometrics is most definitely an easy one. You always have your face! So the ability to just to authenticate with your face is a very powerful way of doing identity management, of doing authentication, but there are nuances there. That in itself is an area that fraudsters are trying to get around, whether it’s deepfakes or otherwise. So we have to evolve the technology to be able to really do this at scale while we think about not just what is applicable now, but what might be applicable in two or three years. We need to be able to do this in the most inclusive way. We have to be able to train for facial recognition, facial authentication across all ethnicities across the globe. So being able to do it right is just as important as doing something, so we are investing, the industry is moving very much in this direction to be able to do facial biometric tethering at account signup for authentication, etcetera, but it’s also evolving to other things, like fingerprints like voice, and some combination of this is essentially the direction that we will head. And definitely coming a strong consumer value proposition to be able to provide that sense of security and frictionless authentication, and a very strong value proposition to our merchant. So we’re actively investing here, but like I said, very much part of our value is to do it right, do it inclusively, and to be able to do it in a device agnostic way across the globe…and so more to come!
Cognitive Business News: That’s good to hear, as you were mentioning that some of the problems with some of the older ways of doing things. I can think of another financial institution. They said “we need to verify you, we’re going to send you an SMS.” Well, I was in a different country and I changed SIM cards! There are many international travelers or people who, just live globally too. I’m like, “I’m not gonna get that message because I have my other SIM card!
Arthi Rajan: I mean, this is high friction, low security, right? That’s a great use case Loren, but there are other ones actually. There is this huge emergence, especially actually during the last two years of COVID where there is this explosion of e-commerce, and it’s so much easier to hide behind that FedEx spam text message or that Amazon spam text message that the shopper is going to click on, right? So this emergence of social engineering has made that SMS channel less secure than it used to be, so there is definitely something for us to think about. Yes, it’s an easy alternative, but often the highest friction, one with the lowest security and we need to get past it.
Cognitive Business News: I agree. Thank you again for your time and congratulations again on your obviously well-deserved promotion, and I hope this is just the first of many conversations. I hope that we can check back in periodically and talk about the progress that you make there at PayPal. Thanks a lot.
Arthi Rajan: Absolutely, I appreciate the time. Thank you, Loren.
