Why does PayPal suck so bad? And why so consistently bad?

I grew up in the alps, and ever since I had a dial-up modem (mid 90s) I was able to do some online-banking. Simple banking at first, but working. It was nice not to have to go to the bank anymore in order to fill out the 5 or 6 lines on the paper wire-order-forms. On top of that, I started buying things on eBay and wired the money to the seller, all from home, and was pretty happy with it.

After a while I bid for items from the US, and quickly ended up using PayPal as a payment method - quite frankly, there weren't any other convenient options around. I remember always asking myself the same question - what is the point of PayPal? Of course, it was for paying for my items, but I never understood why anybody would prefer paying via eMail, which in turn is connected to your bank account, instead of just wiring money from your bank account. Back then, I just thought oh well, international wiring is probably complicated.

Well - 15 years later, I moved to the US. Never having visited the US before, I learned about many things in american life, of course, that I didn't know of in detail. One of those things was the answer to my question "why PayPal?". To put it in a nutshell - the US banking system sucks. Sorry if I offend anybody, but it really does suck. And even that is an understatement. Among many things, I couldn't believe that I can't wire money from bank to bank in the same way as I did 15 years (!) ago, in Europe. I literally spent 30 minutes clicking through my account on my bank's website, looking for the wiring page, before realizing that it just doesn't exist.

And then I realized that people send rent-checks to their landlords every month (or drive all over town, ever month, to drop them off), that half of the people get paid in checks or cash, that there are money orders and cashier's checks, incredibly high bounce- and overdraft fees, etc..
At that time, I was still naive enough to believe that wiring - despite not online - is the normal way of doing things, so I went to the bank to wire money. How wrong I was: they made me come back with my passport, then they asked me anti-terror questions (lol) similar to those you get at the airport, and then I had to fill out a 2-page long form (not 5-6 lines, like in Europe). And on top of that it took a week (!) to wire money to another US bank.

I have the feeling they printed a check and sent it across the country.

Suddenly, PayPal started to make a LOT of sense. I mean, even offline-wiring in the US sucks so bad, that it made sense somebody having thought about doing something about it. Something in me keeps thinking that Peter Thiel, with his family connections to Germany, saw those banking system differences as well. And maybe exactly that led to the co-founding of PayPal. But well, that's just a thought, and probably not the case...

Anyways, PayPal established itself as a convenient way for payments and grew big. For many people it became a part of daily life, including me. All kinds of shopping systems, online donation buttons, etc. support PayPal, and if they don't, people are not shy in asking you to support it.

Every once in a while I had some troubles with PayPal, mainly them wanting me to verify my account over and over again. Annoying, but not a big deal. Then I opened a new account in order to connect it to a different bank account in a different country. As I lived in quite a few different countries over the last 10 years, having multiple accounts is normal - apparently not so much in the eyes of PayPal. I used the new account for a while, until I had a bigger international money transfer from my new account to my older account. I got a call from PayPal interviewing me about the purpose of that payment, and - guess what - anti-terror questions. Sending bigger amounts of money to a foreign account apparently is always suspicious, ... whatever. "Bigger" was actually $2500, in that case. I dealt with it until I got another call, and I kinda had enough. I told the guy in a snarky way that it gets annoying, resulting in PayPal freezing my account.

So, at this point, PayPal became frustrating, but I have to admit - me not playing by their rules was the reason for them to freeze my account. Granted, I can't deny that, but it left a bitter taste in my mouth. I heard similar stories from other people, and I guess I'm not alone with that perception.

However, being annoyed is one thing, but I wouldn't have thought a company dealing with money would deploy buggy, insecure and temporarily broken code, as I realized last week. I'm working on an online fundraising campaign, in parallel to one on KickStarter. There are quite a few people that don't want to use KickStarter for several reasons, one being people simply not wanting to use Amazon payments. Every day, we received mails from people asking if they can use PayPal or simple CreditCard payments.

So, we set out to support both and I got the task to integrate those payment systems. I started with CreditCard payments, using stripe.com, which worked flawlessly from the beginning. The documentation is clean, easy to follow, and the process is simple, yet secure. Get a token, double check the payment data on your server before ringing the client up... done.

Then I worked on the PayPal integration and consistently ran into problems, for an entire week straight.

  1. It started out with the simplest form of payments, the express-checkout form. That form is simply insecure, and to my surprise, pretty much nobody talks about that, online. A user fills out the form with data, hits the submit button, gets redirected to PayPal and confirms the payment. Since the form data is sent there and the payment is finalized there, the data is at no point actually checked for validity on the merchant's server. The sent data includes the price - that means it's trivial to send a modified price across the wire, but to keep the item name/number. Sure, a seller should check if he actually got the correct amount of money for the ordered good(s), but that's a manual process.
  2. Being a little irritated, I wondered what to do about that, and found the IPN (Instant Payment Notification) system, which can be used to do a final check on our server, then send back a confirmation to PayPal to proceed with the checkout. Wow, stuff like that shouldn't be optional, but enforced.
    Then I noticed that in order to use it, one has to send a notification URL along with the payment form to PayPal, to tell their server who to notify. That is basically the address of the merchant's server. Oh my programmer-god... Given the fact that a client can obviously modify what to send out with a form, this becomes a bit laughable. Sure, let's set up an own server, and see what PayPal sends back in terms of notifications. *facepalm*
    Besides, another thing is that the IPN system is just cumbersome to work with in a local (as in localhost) development environment. PayPal can't notify me on localhost, and no, I prefer not to develop on the live servers.
  3. What to do? Well, there is a way of using a secret passcode that PayPal (optionally) sends back to us, but at this point it became frustrating and seemed to be overly complex. Especially not being happy with the localhost problem, I dug into other options, and indeed, turns out that PayPal has an actual API, a RESTful one (actually, they have 2 - the one I chose is the newer one). Yay! The day is saved... NOT.
  4. First thing I ran into was a confusing checkout. Despite the actual payment working just fine, the order summary page upon being redirected to PayPal was just empty. A quick google search dug up this - according to a reply of a PayPal developer this is actually a bug that will be fixed very soon. Well, I guess very soon means +15 days, as it is still broken.
  5. The second thing I ran into is the documentation of the RESTful API. It is partly incorrect. Things that are required are stated as being optional and vice-versa. Some other things are just wrong. Annoying, but ok - looks like that API is fairly new, and whatever, bad documentation is nothing new. I'm not the only one that ran into that - even in the stackoverflow post mentioned above, the same problems I had were pointed out and discussed. Again, the documentation is still incorrect and not updated, 2 weeks later.
  6. After a while, I got everything working, and made peace with the broken order summary - some people got confused, but we have a final confirmation page at the very end of our payment steps (with a custom summary), so it's not that big of a deal.
    So far so good, except that PayPal just stopped working a few days ago. Digging into the code that uses the RESTful API, it turned out that the call requesting the oauth token did get a 500 error back. Nice... - although the error already states that it's most probably a problem on their side, I double checked everything before contacting PayPal.
  7. So, my first thought was (out of past experiences) that I maybe have to verify something for our account and logged into the PayPal site. Sorta. The login attempt ended in a blank screen saying "Bad Request" and that my cookie size is too big. Seriously? I cleaned out the cookies. Now the login seemed to work but was hanging forever. Refresh. Oh... my cookie is too big again.
    Checking online, a lot of people seemed to have the same problem that day, some reporting that they were able to login just fine using Safari. Tried that, and that worked, indeed.
  8. Nothing looked suspicious in the account settings, so I tried to contact PayPal and filed a bug report. After two days and two more bug reports in the hope of getting some answer, I posted something on stackoverflow, where I got an answer from a PayPal developer, telling me to file a bug report. Seriously?
    So, I explained my situation to him, and finally got a reply to my actual ticket(s).
  9. It took another 2 days to have working payments again, somebody at PayPal fixed the problem on a sunday. Yay for us.

PayPal, why do you suck so bad? I probably hit every single stumbling block for the same task that took me two hours to do with Stripe. Sure, I can understand that there are problems, and things that go wrong, but from a company handling money I would expect that stuff is properly tested, deployed and handled. Or that a ticket filed under the highest priority gets a reply after maybe 2 hours, not two days. Or maybe that whoever I talked to a few years ago didn't just freeze my account because I came across as a smartass.
Honestly, just sucking less than money wiring through american banks is not good enough.