As a part of our theme on data privacy, we interacted with Guru Bhat, GM of Technology and Head of Engineering at PayPal, who has more than 20 years of experience in the industry. Currently, a lot is being spoken about digital payments transforming the way transactions are taking place in India. The government has been crafting and implementing a multitude of policies and regulations, and Indian has seen an upswing in the dependency and utilisation of cashless transactions. With this upward trajectory also comes the inevitable question of data privacy, cybersecurity, data protection, improved policies and regulations. Bhat shares his expertise on the subject and how PayPal ensures data privacy of customers at all levels:
Analytics India Magazine: Tell us how you ensure that data privacy is at the core of PayPal
Guru Bhat: We connect the merchants and customers from across the world. In the old days when you would go to a shop around the corner, you had a relationship and trust that was built over the years. But in an era of online commerce, that doesn’t exist and it is hard to build trust. We popularly say that PayPal is not payments business, but trust business, which is a fundamental premise for both merchants and customers. We safeguard their trust in us as well as the payment experience, which makes us a successful company. Keeping data safe is fundamental to us and we never share details about customers’ financial information to the merchant. The merchant doesn’t know anything about the type of card that a customer is using, the limit on that card, or any such thing. This is something we take very seriously.
AIM: What kind of technologies and precautionary measures are used by PayPal to ensure data privacy of their customers?
GB: We invest heavily in security. We use the tightest levels of security with SSL and encryption, both with data that moves around from the outside and inside the company between our data centres. We have tight security even when traffic moves from one datacenter to another. We use a lot of software-based as well as physical security to isolate the data to make sure that nobody enters these data centres without the right permission and biometrics. We also have extreme levels of security to detect any intruders in the system. The entire process self-destructs and shuts off automatically in case there is an unwanted breach.
AIM: With the growing dependency on digital payments and cashless transactions, what are some of the challenges you deal with?
GB: Our lives have changed as we have become more digital over the years. We leave a digital trail of data as we lead our lives, as we use phones, use apps, or transfer money. In most cases, data is being used for our benefits, but at the same time, there is an expectation that this data will be used in a secure and respectful way that guarantees our privacy.
We as a digital payment company feel blessed, given the environment that we are in, where regulators, as well as the governments are taking serious measures to encourage the digital money business. We are fortunate to be recipients of such a strong trend and there are certain challenges that come with it. One of them is that the scale is constantly increasing. In the most recent quarter, we had 237 million customers including 19 million merchants. This number is increasing, and we are growing at a 25 percent rate on many of the key metrics that are important to us. There is a huge amount of data. For example,We have over 150 petabytes of data on our systems and it grows at 80 terabytes per week. We process about 260 transactions per second. The problem here is ensuring security. We have constantly kept the attack sources down and made sure that we give attackers very few chances to even come in, in fact, zero chances. We have to have a strong front door and zero back door. Front door is how we do our risk management in our fraud detection. We rely heavily on AI, ML and DL to manage our fraud loss rate to be the best in the world, which is 0.28 percent. At that scale, we operate over 450 billion dollars in payment across a year. That’s a very low fraud loss rate and that’s the strength of having a right team and right technology.
AIM: How do you use AI and DL to ensure data security?
GB: AI is in the public eye these days. It’s predominantly a confluence of two factors — one is data, which is the biggest asset for AI to build on. The second is computing power, which has increased dramatically. When you have access to data, it has to be analysed quickly to derive insights from it and act on it. This is why AI is so popular today.
PayPal has been in the payments business for 20 years now with tons of data, and billions of transactions. We put this data on AI machines who learn from it and act on it to get better with every transaction.We moved from Linear Regression using 30-40 variables to Neural Networks to Deep Learning where the activation function has 6 or more hidden layers and 600 neurons per layer with 1500 features. If you look at why AI and DL are needed, consider millions of transactions in a day and use human oversight to process it all — it’s impossible at that scale. Secondly, if a transaction happened and later you decided to check if it was fraudulent or not, you will be losing tons of money and you cannot survive as a payments company. It is important during the course of a transaction to block all bad and fraudulent transactions. This is where intelligent machinery comes into play.
AIM: What are your thoughts on some of the burning issues around cybersecurity and data protection in India, such as the Facebook data leak or apprehensions of people to get Aadhaar done?
GB: Without going into the specifics of any company and the challenges that they are facing, what I can say is that there is a vision that government has in terms of digital India and managing risks and security. No matter which segment of the population you are catering to, there will be concerns around it. As a country, we definitely need to pay heed to the legitimate concerns of its citizens and make sure that we provide an infrastructure that is extremely convenient, gives an amazing experience along with the safest experience possible. Across the globe, many governments are moving in this direction. For instance, Europe recently introduced GDPR, a global data privacy regulation. These kind of measures are going to increase the level of trust that citizen would have in the system.
It is important not only for the regulatory authority in the government to do their part but also for companies like PayPal, where we take this very seriously and are committed to making sure that we provide a win-win situation for customers. We make sure that we comply with all the regulations in all the markets that we exist in, and that we are keeping our customers’ privacy at all levels. That’s what makes us successful as a company.
AIM: What are some of the best practices you think that companies can adopt to make sure that there is no misuse of data?
GB: A lot of this comes down to culture. Customer empathy is a significant part of the culture at PayPal. In any product that we put out, we are answerable to our stakeholders. Like every company, we aim to be successful, we aim to increase the size of our business, level of our impact and continue to grow. But before we do all of that, we have to make sure that we satisfy our customers. If the culture of the company is being empathetic to the customer, and always thinking from their lense, then there would be no misuse of data. Whenever we introduce a new feature, we ask the question — is this good for our customers? How are we going to protect the new pieces of data that we would collect? And so on. This is at the heart of what we do and protect our customer information even in ways that we can probably not foresee today. We make sure that we block all access to any illegal use of this data.