
PayPal gets simpler: lets you pay without leaving merchant sites - nreece
http://venturebeat.com/2014/01/13/paypal-gets-simpler-soon-you-can-pay-with-paypal-without-leaving-merchant-sites/
======
patio11
Paypal users (on the business site) owe Stripe an increasing debt of
gratitude, since "We do what Stripe does 2 years after they do it" may just
yet bring Paypal kicking and screaming into a modern UX. (I say that as
somebody who likes Paypal, but certainly not for their technical agility.)

See: [https://stripe.com/docs/checkout](https://stripe.com/docs/checkout)

The last time they did paid Stripe the highest form of flattery was when they
redid their API docs, which for literally over ten years were ponderous 400
page PDF documents that you had to get behind a login to find. You can find
the new Paypal docs here:

[https://developer.paypal.com/docs/api/](https://developer.paypal.com/docs/api/)

If that looks a little familiar:

[https://stripe.com/docs/api](https://stripe.com/docs/api)

It looked even more familiar the last time I actually used the Stripe docs --
looks like Stripe has restyled since then.

------
fin1te
Looking at the screenshot in the article, it seems that the payment screen is
embedded in a light-box, as opposed to a popup.

IMO this is not a good idea. You can't see the URL, so you can't verify that
you're actually entering your credentials on *.paypal.com (without checking
the page source, something an average user won't do). Opens it up to phishing
attacks.

At least with the current flow (and for Facebook/Twitter/etc share dialogs) it
opens in a popup with an address bar. Easy to verify you're on the correct
site.

------
AndrewDucker
Good step in the right direction.

What I'd _really_ like is the ability to say "Trust this store".

I buy stuff on Steam with Paypal all the time, and I honestly trust Steam to
let me buy stuff for my account. If I could tell Paypal that so it wouldn't
make me go via its web page every time I buy a game, that would be great.

~~~
jzzskijj
I, for one, have been very happy, that when I start paying my shoppings in
whateveritisthistime.com, that I am redirected to paypal.com with a green lock
on address bar etc. But "Trust this store" would be a great idea for paying in
some reputable sites I have personally chosen reputable.

~~~
Semaphor
Those were my thoughts as well. I hope there will be the possibility to get
the normal redirect as well, I don't really want to enter my PP details on
some random site.

------
pfg
So, how would I be able to verify that what I'm seeing is actually PayPal's
login form, and not some phishing page? I thought that's the reason for doing
a full redirect. Or does this only work when you're already logged in on
PayPal, and other than that you'd still be redirected?

~~~
nreece
While it's a valid question, I suppose other payment solutions like Stripe
Checkout
([https://stripe.com/docs/checkout](https://stripe.com/docs/checkout)) and
Braintree.js
([https://www.braintreepayments.com/docs/javascript](https://www.braintreepayments.com/docs/javascript))
also work on a similar principle and hence pose the same vulnerability.

~~~
pfg
Apart from the "Remember me anywhere"-feature (which I wasn't aware of, is
this a recent addition?), I think Stripe and Braintree.js are recognized by
users as yet another credit card form, and not as a virtual bank with a
private login the way PayPal is. Most users probably don't even notice they're
not handing their CC info to the website, but to some third-party service
instead. So they'd have to be comfortable with giving their payment details to
the shop anyway.

If I chose PayPal however, which is marketed as a safe way to pay online, I
don't want to have to put any trust in the site itself. That's why I want to
be able to verify I'm actually entering my login details on PayPal's site.

------
marme
What would be better is if paypal would stop freezing businesses' account when
they receive something as simple as a charge back. Paypal's main market is
small businesses who can not afford the time or cost of setting up a merchant
account. This is the same businesses who cant afford to have a large chunk of
their fund frozen for months at a time while a tiny dispute is resolved

------
charlesism
PayPal gets rid of its only good feature. Am I missing something, or are
PayPal opening the gates for hackers to inject malicious code into third party
websites and steal user credentials? I'm making the prediction right now, that
they'll quietly remove this security atrocity after the first year of
exploits.

