PayPal Holdings Inc. has restored some service in its TIO Networks bill-pay operation but pressing questions remain about the security vulnerability that spurred PayPal to shut down the service and about how TIO’s problems will affect PayPal chief executive Dan Schulman’s strategy to serve the underbanked population.
The incident also raises questions about why the security issue wasn’t exposed earlier, perhaps during PayPal’s due diligence. The company announced its $233 million acquisition of TIO in February and closed on the deal in July. “It should have shown up in due diligence. It’s kind of surprising it didn’t,” says Lawrence S. Berlin, a vice president at Chicago-based First Analysis who follows PayPal.
Others aren’t so sure. “While due diligence teams certainly look for these types of issues, the architecture is usually so complex that it’s easy to miss something. PayPal’s not the first company to get an unpleasant surprise post-acquisition,” notes Julie Conroy, research director at Aite Group, a Boston-based consulting firm. A PayPal spokesperson did not respond to a request for comment for this story.
PayPal posted a notice on Nov. 15 that it had started to restore TIO service for “some” billers that do not have an alternative provider. The statement was not more specific. The action followed PayPal’s announcement on Nov. 10 that “security vulnerabilities” it had discovered at Vancouver, British Columbia-based TIO led it to suspend TIO’s operations. No specific information about the security issue was available.
While TIO is far from the largest payment platform in the PayPal stable, the suspension has interrupted service on a network comprising 900 bill-pay kiosks, 10,000 billers, and some 65,000 walk-in locations. What the suspension is costing PayPal is not known, but Digital Transactions News calculated earlier this month that a single day’s shutdown would block, on average, 164,000 transactions worth $19.2 million.
In its last filing as a publicly held company, TIO noted its revenue for the three months through April 30, 2017, totaled $18.5 million at Thursday’s exchange rate with the Canadian dollar. At that rate, the company is taking in more than $200,000 daily. Before the acquisition, TIO’s shares were traded on the Canadian Securities Exchange.
Still, some analysts say that revenue is small enough for PayPal that the San Jose, Calif.-based payments giant could opt to unwind the deal rather than wrestle with the security problem and its possible implications. When it announced the suspension, PayPal hinted its inquiry into the vulnerability could lead in that direction. “A focus of the investigation will also include TIO’s practices and representations prior to the acquisition,” the company said in its Nov. 10 announcement.
That outcome would represent a stumble for PayPal in carrying out CEO Schulman’s ambition to steer the company into services that support unbanked and underbanked consumers. The company will have to weigh that possibility against the potential fallout from the security issue, say some analysts. “[TIO] could be important to their strategy, but it may not be worth the headache,” says Berlin.