With the spread of the Covid-19 coronavirus, in early March, PayPal decided to switch to remote working overnight.
Recalling how the company shifted its working patterns, Sri Shivananda, chief technology officer at PayPal, says: “While we are a digital-native organisation and we were always ready for remote work, some staff in customer support needed to be enabled for remote work.”
Altogether, he says, it took up to four weeks to get everyone coping with the new remote working setup.
Although the volume of email use did not change, Shivananda says: “Slack and the use of collaboration tools doubled overnight.” This required a different approach to meeting and interacting with teams. “In an office, you walk around, tap on someone’s shoulder and get help. Now this is more formal on Slack,” he adds.
This shift to online collaboration questions the old paradigm of management, says Shivananda. Previously, everyone was expected to be in an office to collaborate, but then “people found new ways of working”.
That said, working at home during the lockdown does put a strain on people’s mental health, he concedes. “Everyone went from being a professional at work, to where they are coder, a cook, a teacher and a carer, all at same time. At PayPal, we do weekly surveys to find out how people are feeling and what concerns are top of their minds.”
He says the company has policies to reimburse staff for home office equipment and offers wellness days off so people can take a break. “We are inclusive, connecting, compassionate and helping people to be their best in a sub-optimal environment,” he adds.
Shivananda grew up and had his early education in India, before moving to the US in 1996. He worked in Detroit in 1998, but says it was too cold there. So he moved to Austin, Texas, worked for a startup and then went to San Jose and spent 15 years at eBay.
Since 2015, Shivananda has worked at PayPal. “One of the first things to learn is time management,” he says. “With the right organisational structure, you are as busy as you want to be.”
The nuts and bolts
Like many of the internet giants, PayPal started as a US-only payment service, and has expanded into a global payment powerhouse.
Architecturally speaking, Shivananda says: “All the workloads that serve customers are organised into tiers.” There is a front-end tier, a web application programming interface tier, and a tier of services that call the internal payment services system that sits on top of PayPal’s database infrastructure.
Shivananda says that like other complex architectures, PayPal’s IT is redundant, organised into multiple regions and is resilient to failure. It is divided into services and domains, and there are domains covering areas such as compliance and credit. The services are built as microservices, which interact with middleware.
The architecture uses a hybrid cloud, with some systems hosted on-premise and others hosted in the public cloud. But, over time, Shivananda expects more will move into the public cloud.
Securing payments and infrastructure
As a payment service, PayPal has needed to put a lot of emphasis on building in strong security. “For us, security is the number one priority,” says Shivananda.
PayPal’s security architecture is built on the concept of defence in depth, which means everything must be secured. “We do not count on perimeter [security],” he says. “Even our own datacentres are treated as if they were on the open internet.” On top of this, application firewalls are deployed on the edge, he says.
PayPal’s architecture requires what Shivananda describes as “volumetric defence”, which needs to cope with millions of fraudulent login attempts.
He is a strong believer in ensuring that there is end-user education around the risks. “Social engineering existed long before the internet,” he says. “People got cheated out of their money. As a large company, we have an obligation to customers to put in controls to reduce this.”
Along with educating customers on good security practices, technology such as two-factor authentication can limit fraudulent login attempts. But PayPal being an obvious target given its footprint, scammers will often try to lure customers using official-looking email messages that appear to have come from PayPal.
Along with Microsoft, Google and Yahoo!, PayPal is a co-author of the DMarc (Domain-based Message Authentication Reporting and Conformance) email protocol, which aims to ensure that an email’s domain is genuine, so the recipient can be confident that the sender is legitimate.
Shivananda says the other aspect of securing payment services is risk engineering. “We look at all factors of a transaction,” he says. “Is this how a user would normally behave?”
Big data analytics and machine learning can process many different factors to make sure a transaction is safe, he says.
Bridging the skills gap
No conversation with an IT head is complete without recognition of the skills crisis that plagues enterprise IT. As society becomes increasingly tech-enabled, there is no denying that the world needs more programmers, and Shivananda says he is a strong believer in open source software and its ability to tackle the skills crisis.
“It is impossible for you to hire all the experts in the world,” he says. “But there are many more people creating software because they have a passion to do it.”
For Shivananda, open source is a two-way street and people who consume open source code should also contribute back. “You share like a social network,” he says.
In Shivananda’s experience, this has benefits for code quality. “When diverse people build together, it becomes more robust,” he says