Looking at the actual payment process it seems you get an iframe embedded within the github page that asks for your credentials. It's not possible for users to verify that the iframe actually belongs to paypal without looking at the source (it doesn't, it actually belongs to https://assets.braintreegateway.com/ and it POSTs there too). If this was any less reputable website implementing this it would look really, really shady.
It also doesn't help that we've been training users to check the URL bar before filling in their credentials, which won't help at all now.
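What "looking at the source" amounts to for the complaint above, written as an added example that is not part of the thread: a small audit that lists where a page's iframes and forms really point and compares each host against the domain the user expects. The page URL and markup are constructed samples; only the `assets.braintreegateway.com` host is taken from the comment.

```javascript
// Added example (not from the thread). SAMPLE_* values are constructed.
const SAMPLE_PAGE_URL = "https://github.example/settings/billing"; // hypothetical
const SAMPLE_HTML = `
<div id="pay">
  <iframe src="https://assets.braintreegateway.com/paypal/login.html"></iframe>
  <iframe src="https://www.paypal.com/checkout/frame"></iframe>
  <iframe src="https://paypal.com.login.example/frame"></iframe>
  <form method="post" action="/billing/update"></form>
  <form method="POST" action="http://www.paypal.com/signin"></form>
</div>`;

// Exact host or a true subdomain only: "paypal.com.login.example" must not
// pass just because it starts with the expected name.
function hostMatches(host, allowed) {
  const h = host.toLowerCase().replace(/\.$/, "");
  return allowed.some((d) => h === d || h.endsWith("." + d));
}

// Returns one finding per iframe src / form action, in document order.
// A regex is enough for this sketch; in a browser you would walk
// document.querySelectorAll("iframe, form") instead.
function auditEmbeds(html, pageUrl, expectedDomains) {
  const findings = [];
  const pageOrigin = new URL(pageUrl).origin;
  const re = /<(iframe|form)\b[^>]*?\b(src|action)\s*=\s*["']([^"']*)["']/gi;
  for (const m of html.matchAll(re)) {
    const tag = m[1].toLowerCase();
    const attr = m[2].toLowerCase();
    if ((tag === "iframe") !== (attr === "src")) continue; // wrong attr for tag
    let url;
    try {
      url = new URL(m[3], pageUrl); // resolves relative targets
    } catch {
      findings.push({ tag, target: m[3], verdict: "unparseable" });
      continue;
    }
    let verdict;
    if (url.protocol !== "https:") verdict = "not-https";
    else if (hostMatches(url.hostname, expectedDomains)) verdict = "expected";
    else if (url.origin === pageOrigin) verdict = "same-origin";
    else verdict = "unexpected-origin";
    findings.push({ tag, target: url.origin, verdict });
  }
  return findings;
}

console.table(auditEmbeds(SAMPLE_HTML, SAMPLE_PAGE_URL, ["paypal.com"]));
```

None of these verdicts is visible to someone looking only at the host page's URL bar, which is the point the comment makes.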
Hey I'm Pedro, one of the developers at Braintree who built this. We are actively working on this. Initial integrations pointed to a Braintree domain, but any new merchant who integrates PayPal via Braintree will be using a PayPal domain. GitHub will do so shortly.
That's good, but I think the user needs a way to confirm that the pop-in is actually served by paypal, and that that is where their credentials will go. As it is now, what will stop me from faking one of these forms, making it look totally legit, but instead sending the logins to my own server?
Well yes, my point is not to use an iframe like this (unless browsers start to include their own URL bars for those, though that still seems like a terrible idea). Previously paypal opened a regular popup (an entirely new window with its own url bar) or simply redirected the page. Both of those will fully inform the user about what site they are filling their credentials into.
Uh, the fact that normal paypal integrations redirect you to a https://paypal.com page that has paypal.com in the url bar, and a green mark for an ssl certificate that says "Paypal, Inc [US]"? Which we have trained everyone to look out for.
If from the beginning users were trained to only log in to Paypal if they're on paypal.com. Could be accomplished in this sort of transaction via a new popup window.
Of course, the horse is long out of the barn on this.
I accept paypal for my SaaS site, and I absolutely hate their system. The IPN system is painful. I spent months playing whack-a-mole trying to figure out how to correctly handle the 20 or so different transaction types.
I use paypal often as a user, and I love it. For recurring billing, I can cancel the service at PayPal and I don't have to worry about some site losing my credit card information to hackers. I also don't have to freak out when my credit card expires and worry that I am going to lose all my data at github if I miss the email.
I used to work at PayPal (6+ years ago), specifically in Merchant Technical Support. Speaking strictly for myself, I hated IPNs too, and having come from another payment gateway with a similarly unreliable out-of-band notification system, I was always mystified as to why folks would build whole fulfillment systems around them.
I mean, I know the API-based product is more expensive, but this is your business, right? If you have any kind of significant volume, I would think the reliability of straight API calls would make the additional cost well worth it.
Personally, I trust paying a person via Paypal vs. a generic credit card form. Or anything really that doesn't let me trust you with my 16+3 digits that grants full access to drain my credit.
Agree, but reluctantly. Given Paypal's horrendous history of freezing funds and poor customer support, I use it only when I have serious doubts about a site's generic form.
Paypal has great customer support if you are a consumer, it is only sellers that have issues. And usually it is because someone thinks it is a good idea to use Paypal as a donation processor (which it is NOT meant for) and are surprised when they get into trouble.
Agree, my credit card recently expired and I had to update it on every single website - github, comcast etc. I just connected PayPal with Github and I will just need to update it in one place now.
I see people using paypal more and more. It is a lot easier to remember your paypal information than a credit card number. Especially when that number is likely to change with the amount of fraud that goes on in that realm.
fwiw - I have worked at a number of sites, and all that implemented paypal saw a non-trivial conversion bump, some into the double digits, percentage-wise. Audience wasn't developers ever, though.
Honestly I know it will probably never happen, but it would be awesome if Stripe added PayPal integration. That way we can accept credit cards like we already do, but also accept PayPal using a single unified API.
A lot of our international users want to pay with PayPal instead of credit cards. International credit cards also have a high tendency to decline.
I would love to see GitHub actually keeping PP off the site and not putting money in their pockets. I am a bit disappointed to see such an innovative and open source company now directly support one of the most shady corporations around.