Cyber attacks: a question of when, not if: PayPal builds cyber resilience around the basics

Published May 15, 2020, 7:59 AM

by manilabulletin_admin

Phoram Mehta, Head of InfoSec, Asia Pacific, PayPal

According to the World Economic Forum's latest Global Risks Report, cyberattacks are among the top 10 risks in terms of both likelihood and severity of impact. They are very much like natural disasters—destructive, disruptive, and, more often than not, they come without warning.

While the damage and scope of cyberattacks vary, they are constantly evolving and growing in complexity. Today, many organizations have apportioned larger budgets to their prevention, detection, and response capabilities. It's no longer a question of if you get attacked, but when.

As a global fintech with over 20 years of experience in cybersecurity, PayPal stays at the forefront of the threat landscape, compliance trends, and research advancements, because our goal is to prepare for, rather than react to, potentially devastating cyberattacks.

99% availability

At PayPal, our resilience strategy is built on a commitment to the 'five nines', more commonly referred to as '99.999% availability'; that is, for every 100,000 transactions, we aim to have only one transaction dropped. On a daily basis, we measure not only the availability of transactions but also the speed at which we can complete them.

With more than 300 million users worldwide, PayPal is available in over 200 markets, which requires us to adopt a proactive, risk-based approach to protecting our users even as we continue to make our services readily accessible. We have rules and defenses in place to block attacks immediately when certain abuse patterns are detected.

We firmly believe that in the digital age, resilience builds trust. Our investments in extending our services to newer markets come with a commitment to availability, speed and protection, because we understand that the payments we help process support businesses and livelihoods around the world.

Building on the basics 

Foundational processes around patching, configuration management, privileged access management, and the like will be the difference between companies that can get back up quickly and preserve the trust of their customers and those that take years to rebuild or simply perish.

At PayPal, we implement a layered security strategy designed to protect our users. 

At the perimeter, we have built defenses to primarily tackle external threats—from hacking attempts to phishers looking to compromise customer accounts. These malicious activities are monitored 24 hours a day, seven days a week, 365 days a year from our cyber-defense centers in the US and Singapore.

Another layer is at the application and product level, which we constantly assess for security vulnerabilities. Through our bug bounty program, we reward researchers from around the world for finding issues in any PayPal product, including all acquired products. This not only augments our own defenses and protection capabilities but also brings an incredible level of diversity and collaboration with the broader security research community. Researchers (or ethical hackers) bring new perspectives, coverage and variety that help identify potential vulnerabilities missed by other layers.

We are in the business of digital payments, and it is our mission to make sure anybody can pay anyone from anywhere, using any device, in the most secure, efficient, and seamless way.

When we zoom out and look at the 300+ million customers worldwide, including more than 20 million merchants, that rely on our platform, we clearly see the importance of staying up, staying secure and staying connected with our customers at all times.

It's a fine balance between availability, security and customer experience, and it is this balance that enables us to offer added value like our Buyer Protection Policy, which gives consumers 180 days to request a full refund if an eligible order is not as described or is never delivered.

At the end of the day, we know that cyber risks are growing in intensity and variety. While we feel confident in our ability to defend against most of these attacks, if and when an incident does happen, we want our customers to be able to rely on us to address any issue or dispute in a responsible and reasonable manner. (Phoram Mehta, Head of InfoSec, Asia Pacific, PayPal)