
PayPal Identity services lift off!

It’s always the way. The one event you don’t go to is the one where all the cool toys are announced. This year is the first time I didn’t make it to Innovate, PayPal’s developer conference, and they announced a huge pile of new stuff, including an interesting ecommerce platform hybrid thingiemagik.

However, what really interested me were their new identity services. Now, several sites have been jumping up and down with headlines like “PayPal becomes an identity provider”, which is a tad odd. They have been one for a while, with both an Authentication API and, more recently, an OpenID implementation. What the new services do is bring these experiments to the mainstream, with support for both identification and authorisation.

PayPal Identity Implementation

The OpenID system is PayPal’s new standard mechanism for identification for third parties. It’s part of a collective of mechanisms for identity provision called PayPal Access. This is an interesting step to create a brand.

One of the biggest problems we have faced in the past with PayPal identity services is convincing users to make use of them. Many users, when asked to “Login via PayPal”, assume they are being asked to enter a payment flow. The OpenID implementation follows the OpenID v2 specification. It can return basic details such as name and the user’s address and, for people running PayPal related services, two exceptionally useful parameters: PayPal account type and PayPal Verified status. Unlike a normal OpenID implementation, the domain you’re using it on needs to be whitelisted. And to make full use of the system, the entire process should be under HTTPS.
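Because a merchant will act on attributes such as the Verified status, the relying-party side needs to check more than the signature. The following is an added example, not PayPal’s code or anything from the original post: it validates an OpenID 2.0 positive assertion for an HTTPS-only return URL on a whitelisted host, rejects replayed nonces, and insists that every attribute value the site relies on is inside `openid.signed`. The OP endpoint, hostnames and Attribute Exchange type URI are constructed placeholders; the post does not give PayPal’s real ones.

```python
from urllib.parse import urlsplit

# Fields OpenID 2.0 requires in openid.signed (claimed_id/identity only when present).
CORE_SIGNED = ("op_endpoint", "return_to", "response_nonce", "assoc_handle")

# Constructed sample assertion, not real PayPal output. The AX alias "verified"
# and its type URI are placeholders for whatever PayPal actually uses.
SAMPLE = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.op_endpoint": "https://op.example/openid",
    "openid.claimed_id": "https://op.example/id/abc123",
    "openid.identity": "https://op.example/id/abc123",
    "openid.return_to": "https://shop.example/openid/return",
    "openid.response_nonce": "2011-10-14T10:00:00Zabc",
    "openid.assoc_handle": "handle-1",
    "openid.ns.ax": "http://openid.net/srv/ax/1.0",
    "openid.ax.mode": "fetch_response",
    "openid.ax.type.verified": "http://placeholder.example/ax/paypal_verified",
    "openid.ax.value.verified": "verified",
    "openid.signed": "op_endpoint,return_to,response_nonce,assoc_handle,claimed_id,"
                     "identity,ns.ax,ax.mode,ax.type.verified,ax.value.verified",
    "openid.sig": "<hmac-base64, verified elsewhere>",
}

def verify_assertion(params, received_url, allowed_hosts, seen_nonces):
    """Return (ok, reason). The HMAC in openid.sig is assumed to be checked
    separately against the association secret; this covers the checks around it."""
    if params.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    rt, got = urlsplit(params.get("openid.return_to", "")), urlsplit(received_url)
    # The whole flow should run over https, so refuse a plain-http leg anywhere.
    if rt.scheme != "https" or got.scheme != "https":
        return False, "flow must be https end to end"
    # return_to must be the URL this response actually arrived at, on our own host.
    if (rt.netloc, rt.path) != (got.netloc, got.path) or rt.hostname not in allowed_hosts:
        return False, "return_to does not match the receiving URL"
    nonce = params.get("openid.response_nonce")
    if not nonce or nonce in seen_nonces:
        return False, "missing or replayed response_nonce"
    signed = set(params.get("openid.signed", "").split(","))
    required = set(CORE_SIGNED)
    required |= {f for f in ("claimed_id", "identity") if "openid." + f in params}
    # Every attribute we act on (account type, verified status) must be signed,
    # otherwise a tampered value would slip past an otherwise valid signature.
    required |= {k[len("openid."):] for k in params if k.startswith("openid.ax.")}
    missing = required - signed
    if missing:
        return False, "unsigned fields: " + ",".join(sorted(missing))
    seen_nonces.add(nonce)
    return True, "ok"
```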

PayPal Authorisation Implementation

What is new is the announcement that, at last, PayPal will be supporting OAuth. OAuth is a token-based service that, once a user’s identity has been confirmed, grants permissions for your site to take certain actions. Initially, these actions will be limited to accessing certain information, but hopefully the old Permissions API and Adaptive Payments flows will also be initiated from an OAuth token.

PayPal Access – Branding Identity

As I already mentioned, for me the biggest issue with PayPal’s previous identity services was the lack of branding and of any attempt by PayPal to instill user confidence. Having spent so much time and energy on preventing phishing scams, PayPal trained its users not to trust anything that looks like PayPal on a third party site. Consequently, digital payments, the embedded goods payment flow and its previous identity service attempts have all had issues with consumer confidence. For PayPal to be able to push PayPal Access, they will need to push the concept not only to developers, but also to consumers.

Unifying the technologies into a brand is a good starting point. Making the user experience and language coherent and obvious that no additional charges will be made isn’t quite there yet. The PayPal Access login and approval screens still look too much like a payment flow. They also fail to tell the user why they are logging in until post-login. That said, as PayPal access becomes more widespread, and people are regularly confronted with it, confidence will improve.

On to the cool stuff…
If you are a privacy advocate, do yourself a favour and look away now…

User Profiling with PayPal Identity Services

In addition to the refreshed OpenID and the implementation of OAuth, PayPal also added some additional identity services to improve user profiling: the Prospect API, the Segmentation API and the Product Recommendation Service API. Each of these allows a site to gain information about a PayPal user and their buying habits. It also harnesses the power of eBay’s Intelligence Engine to categorise products, so you can cross-sell from your own inventory to that user.

Prospects and Segmentation APIs

How much is any given user worth? What are their spending habits? How active a shopper are they? With the Segmentation and Prospect APIs, a merchant is able to profile individual users’ overall PayPal habits, including how frequently they shop, the average spend value of a shop, etc. None of this is precise data. Instead, users are grouped in terms of usage frequency; the groups are: Engaged, Habituated and Casual.

So, what can you do with this data? Well, for your initial sale, probably not much. But post-sale, this data provides extra details about the user’s sales prospect. For example, if we wished to sell a group of products, we could do so in two ways: individually at a low price, or bundled together at a higher price. With our customers profiled we could target groups differently.

The casual user but big spending group could be targeted with the bundle deal. The super engaged but low spending users could then be targeted with individual products over a range of time.

This does lead to the obvious privacy concerns, of course. In reality, people have been buying and selling this data for years, and all major ecommerce sites are using prospect analysis of some sort.

PayPal is bringing this down to mid-level merchants. It’s worth emphasising that this is PayPal, so expect it to be near impossible to get access to these APIs, without jumping through a dozen or so hoops, while standing on one leg.

The problem comes in when offering these services: there really is no way to do it without providing user information. The grading bands are wide enough that the demographic information could not be used to judge any financial information. After all, just because someone is a heavy PayPal user does not mean they’re wealthy or poor.

The new data, while interesting and useful, really is scratching the surface. An aspect I would love to see included in the data is a user’s refund/chargeback rate and their average subscription rate. For membership sites and other recurring subscription sites, an idea of how long they have got the user for could totally change the way they present information.

For example, if I know a member subscribes for roughly 3 months, while my overall average is 4 months, I can change my content delivery strategy, so that open content (that starts 1 week and ends the next) is sitting over a 3 month period and not the 4 month mark.

Future of PayPal Identity Services

The announcements are a good start, albeit a slow one. Most of what I have talked about is still in alpha (with the exception of OpenID), rushed out for Innovate. And given PayPal’s track record, these are still a year or more away from becoming a reality.

The shift to OAuth is important. PayPal is not just providing services to identify users, but also a fully-fledged authorisation system, which is an industry standard. This has to be applauded, but the old user experience bugs from the old identity system are still there. Even with branding, and without a large marketing push, consumers will still struggle to see PayPal as being used for anything other than paying.

One of the things I hope OAuth brings is a unified system. Then, I as a merchant can use OAuth to authenticate and authorise the user, make a call to the segmentation API, present my offer, and start the payment flow with the auth token. This way, the user only has to sign in once.

As a merchant and developer, I want a flow similar to:

Login -> Segmentation API -> Show Offer -> Make Payment -> Show Upsell -> Setup Subscription

This flow should be easy for the consumer. Sadly, this flow currently requires three separate PayPal sign-ins, and each successive sign-in degrades consumer confidence and willpower.

With the whole X.Commerce brand, PayPal is trying to create a platform like Amazon and Facebook have. The cornerstone of any platform is opening it to third parties, but given the nature of PayPal’s business, this has to be done in a controlled manner.

The identity services are a step in the right direction, but so often before PayPal has taken a step in the right direction, only to have its own bureaucracy prevent any real usage. I really hope this is not going to be the case and the X.Commerce platform lives up to its promise.
