Leaders In Payments
Rui Ribeiro, Co-Founder & CEO of Jscrambler | Episode 403
Digital commerce security stands at a critical crossroads, with an average of 66 third-party vendors present during the typical e-commerce checkout flow. Each of these represents a potential security vulnerability that could compromise your customers' payment data. Few understand this landscape better than Rui Ribeiro, Co-Founder and CEO of Jscrambler.
Ribeiro's journey began in Portugal with a computer science background that led him through the banking industry before identifying a crucial gap in 2014: client-side security. What started as a broad security mission has evolved into specialized protection for payment processes, with Jscrambler now serving major e-commerce platforms across airlines, retail, and hospitality sectors.
The timing couldn't be more relevant. With the PCI Council's recent release of PCI DSS v4, client-side security has moved from a best practice to a compliance requirement. Companies must now implement strategies that protect cardholder data by securing JavaScript and payment pages while detecting unauthorized access - exactly what Jscrambler specializes in.
"Security should never be a barrier for innovation," Ribeiro emphasizes. His company's approach allows businesses to continue adding frictionless checkout features while ensuring third parties can't access sensitive payment information. This balance becomes increasingly challenging as merchants integrate chatbots, payment calculators, installment options, and other tools that improve customer experience but potentially expand the attack surface.
Welcome to the Leaders in Payments podcast, where we talk to C-level leaders from across the payments landscape. We'll be discussing the products and services that impact the payment space today, as well as trends and predictions for the future of payments. We will also hear stories from our guests about their journeys to the top.
Speaker 2:Hello everyone and welcome to the Leaders in Payments podcast. I'm your host, Greg Myers, and on today's show we have a very special guest, Rui Ribeiro, the co-founder and CEO of Jscrambler. So, Rui, thank you so much for being here and welcome to the show. Thank you, it is my pleasure to be here. Great. So let's start out by having you tell a little bit about yourself, maybe where you grew up, where you went to school, where you currently live, a few things like that.
Speaker 3:So, born and raised in Portugal, studied in Porto but then ended up living in Lisbon. Computer sciences major. Overall, always with an engineering perspective, love working in complex problems, started my career working in the banking industry, worked there almost half my life, working life. And then I founded and challenged my good friend and co-founder, Pedro Fortuna. In 2014, we founded Jscrambler because we saw an emerging problem in the industry, so client-side security. In 2014, it was at its infancy and we were one of the main precursors, but that started this movement and this career move that I'm now in. And because things keep evolving, from client-side security, we have now specialized mainly in credit card payments and in securing credit card payments and in securing the credit card payment process. So this is my evolution from a career perspective.
Speaker 2:Okay, well, let's dive in and talk about the company. So maybe tell us exactly what you do, who your target audience is, those types of things.
Speaker 3:So we are making sure that no third party is accessing credit card payment or payment data. It might be credit cards, it might be other payment data, and we are preventing mainly credit card skimming attacks on web pages and, as you can understand, when any purchase is being done, only a very few specific companies need to have access to that information and normally these are like verified. These follow very strict security rules and also follow the PCI DSS security standard. But on a normal website, on a normal e-commerce website, you have a lot of third-party vendors, some of them doing analytics, some of them doing performance, verifying that there are not bots. On average it ranges, but on average, about 66 different third-party vendors that are on an e-commerce web store On the checkout process. Normally it's less, but still it's a lot of companies that can be there, so there is a very big security challenge to solve.
Speaker 3:The PCI Council launched a new security standard, a new version of the PCI DSS PCI DSS v4, that, in response to these growing cybersecurity risks, mapped the client-side security topic into the standard and clearly they defined that strategies that allow us or the companies to protect sensitive data of the cardholder, securing JavaScript and or the payment pages, detecting unauthorized access that could lead to fraud later down the road.
Speaker 3:So this is where we are working on, this is where we have specialized ourselves, while the industry is still changing daily, as I was reviewing several of your episodes, and you keep introducing innovation to the payment industry. So it's an evolving topic and we are also seeing this on our side that it's not just credit cards Like today. The payment process includes a lot more complexity than we would look back maybe five years ago, with alternative methods of payment, new forms of payment, country-specific forms of payment, all with the same requirements. All should have the same requirements or at least as strict as the PCI DSS as defined. And this is very important because it means that everyone is making an effort to secure these transactions and, in that effect, we are reducing the fraud of the industry.
Speaker 2:So who are your main customers?
Speaker 3:So mainly we are working with e-commerce companies, large e-commerce companies, L1s and L2s in terms of level of PCI. That has been our main focus because not only do they do a lot of transactions, because they are also very security sensitive. Accepting credit cards is critical for any company today and that's where we have been operating. We have been operating, it ranges from airlines, very large clothes retailers, also in the travel and hospitality, so those have been like the main markets that we have been exposed to.
Speaker 3:Okay, and since these are large merchants, I assume the footprint is global right, because people can buy on these websites from all over the world and that's part of the complexity that they face Because, if you look at it, when we are engaging with most of these companies, we talk about one payment page, but that payment page is so volatile that it changes from region to region, person to person, device or technology of that device. It's a very complex problem to solve when they have, at the same time, to provide a very good experience to their end users, provide also the assurances for the security requirements and also the business interests at the same time, where everyone is demanding new, innovative ways to engage with the user base and we keep adding stuff to the checkout process to assist in this checkout process. So it's a very complex. These scenarios are always very complex and also very sensitive, like if you add something and it's not performing well, the impact for the business is immediate.
Speaker 2:Yeah, so you know, I've been in the industry a long time and used to always hear fraud and security in the same sentence. Maybe talk about how that's changed, or maybe how that's still the same.
Speaker 3:I think that it has changed a lot in this case of the requirements and we mainly work in the security space, not in the fraud space, but we end up avoiding fraud. We create mechanisms for the companies to be able to control what their third parties are accessing or what type of information they're accessing. In the particular case of payments in the payment industry, we are protecting the credit card information data. Security is not fraud, but we end up avoiding and reducing fraud, because if there are less cards being stolen, if there's less exposure, we end up reducing fraud, because most of the time, in terms of credit card industry, we understand fraud as chargebacks, so it's later on the process, not at the moment of capturing the data or the credit card data.
Speaker 2:Yeah, I'm also curious because in the last five years or so there's been this big push to remove as much friction as possible from the checkout. So how has that affected what you've done?
Speaker 3:You are removing friction, but to do so, sometimes you are adding more third parties to the process, like there was a moment where we were having assistants in the checkout process, so while we were typing our credit card information, there was also a chat that could help us in that process.
Speaker 3:If we're facing some roadblock. Now, it's most likely an AI chatbot or something similar that is there.
Speaker 3:The problem is that, by default, the browsers don't have the controls to limit the reach of these third parties, so these chat applications or these chat agents could access that type of credit card information and in that sense, it was reducing the friction, but it's increasing the exposure and risk of the company.
Speaker 3:That's why we come in and we are basically making sure that, yes, the companies can continue to reduce the friction, can continue to add solutions to expedite the sales process, to provide proper estimates in terms of postage, to even break down the payment into multiple installments and stuff like that, which is something that we have seen as an evolution of the industry, but at the same time making sure that none of these third parties are overstepping, because there are two types of problems that can occur. One is intentional attack: someone that is adding a credit card skimmer to the webpage. So that's an attack, that's a cybersecurity problem. But there is also the misconfiguration, all the other problems that could lead to you sending credit card information to a company that should never have credit card information because they are not built to have it and so they don't meet the security standards, and that could pose a very big risk on the world.
Speaker 2:What would you say differentiates Jscrambler from the competitors out there?
Speaker 3:That's a very good question. First, we are pure play. We have been doing this since 2014. Since I told you, we are the main or the initial precursor of all this movement regarding client-side security. This is years of expertise that cannot be easily copied. We were the first to launch this category and this type of product, and we keep simplifying and making it very simple for e-commerce or vendors to adopt our technology, in a sense that security should never be a barrier for them to innovate. Security shouldn't be another step in the process.
Speaker 3:As you said, we are streamlining the process. We want to be invisible, we want to make sure that we stay in the background, but at the same time, we are able to provide the controls for the industry to be able to accept payments, as they have done in the past or even in future, ways that are much more evolved than we are today. We are moving into instant payments and stuff like that. It's going to be a very big challenge in terms of fraud because we lose the chargeback capabilities if we are talking about instant payments. So, while this is evolving, we need to provide the security capabilities and we are not limited to just achieving compliance.
Speaker 3:We go much beyond that and I would say that when in here we are talking about the forum, that is about payments. But if you look at it, we started the company focused on every type of data privacy concern that can happen on the client side Social security, healthcare data, like everything that can be considered as private information. We have focused on that. The payment is a subset of what we can do, so this means that we're also bringing a vendor that can help you today with the compliance, today with the payment information, but in the future we can help you cover all the other aspects of privacy and security of your users, which is a very big and complex problem in today's world.
Speaker 2:Okay. Well, when you step back and look at the payments industry as a whole, where do you see it headed, say in the next three to five years? And certainly you can answer that in kind of the lens of what you do, but curious your views on the future.
Speaker 3:So we have a worldwide scope. Okay, so US is our main focus. We also have Europe, and we also have Latin America and also Asia customers across the world, and what we have seen in many countries is that the payment landscape is changing a lot. Governments are issuing their own payment or instant payment solutions that compete directly with credit cards. In Brazil, we have PIX. I think they were one of the initial ones where the government created an alternative method of payment that is now the main method of payment.
Speaker 3:In Europe, each country has its own kind of system that is becoming sometimes more popular than credit cards. And, of course, we have the example of China, but that's a totally different market, where WeChat is the main method of payment. So I think that this trend is not going to stop. It's going to accelerate, and I see that the industry is also looking at it and in the case of MasterCard, for example, they are even talking about identity as the proof of payment, with all the privacy slash security challenges that are going to come up, like we are trading the credit card number for the identity of the user. What are the challenges for that? And I would even say, and they must have studied this, many governments are going to challenge them on using identity as a way of payment, but that trend is going forward.
Speaker 3:For sure, the biggest evolution that we have in the latest years, at least for me as a user, has been paying using the phone. I forget the wallet at home and I can do everything nonetheless. Online, it's a mix, like where we are doing PIN, 3DS, different types of authorizations, and we go to the bank. It's a challenging process, but the priority must be given towards we need to have the security capabilities in place before we move into other forms of payment, because we risk that we go forward and then we look back and we say we opened a Pandora box and now no one is trusting this payment system. There's a lot of complex problems to solve down the road.
Speaker 2:Right, right. Well, what do you think about sort of the AI side, where you know MasterCard, Visa made some announcements, I don't know if you saw Google earlier, where basically you have agents that can now buy for you without you even practically knowing? I mean sort of how does that, I mean, does that really matter? Or, at the end of the day, they're still checking out. So your solutions make sense.
Speaker 3:The first security challenge that we are facing with AI is that AI needs data to operate and while we are controlling third parties, AI agents that can be embedded into these pages, they pose a security risk for many companies. So our strategy as a company has always been, or is, in the case of AI, we need to define the limits of the information that they can access to make whatever they want to do. Because AI works well if it ingests a lot of data, but which data do we want it to be accessible?
Speaker 3:Do we want AI to access credit card information data when you're doing a checkout page? I would challenge that, but maybe no one is enforcing this, and I am proactively enforcing, like, if something doesn't have access to that information, we don't risk anything. You're talking then about, like, using agents, which is more or less the same as saying using bots to do purchases for you.
Speaker 3:We had these challenges like when no one could buy a PlayStation, or when no one can buy a concert because the new ticket or the newest release of the PlayStation runs out in five seconds. And then it's the secondary market where you're buying from someone else, and then you're losing that relationship with the brand. You're losing even that warranty. Maybe you're losing a lot of things by doing it that way. So I think that we need to be attentive to making sure that the relationship between the consumer and the brand is intact. It's a trust relationship. It has always been like that. We buy from store A and not from store B because of price, but because we trust store A to give us the right product with quality, in time and being able to provide the support after that sale. If we're using agents, we're giving the power to the people that build the agents and not this relationship. I don't like it that much as a consumer, but it depends on how easy it's going to be and what are the advantages for us.
Speaker 2:Right, right. Still a lot to come on the AI and payment side, I think.
Speaker 3:We still need to use it and feel comfortable, because at the moment some things are amazing, but how much do they impact my day-to-day life? It's still to be seen and hopefully it's all in a positive way.
Speaker 2:Let's hope so. Well, let's switch gears a little bit and talk about you, so maybe walk us through your background up until you founded the company and what precipitated the finding of the company.
Speaker 3:So my background is in IT. We were very focused on security from. I was very focused and my co-founder also was also very focused on security. We understood that the world was changing, like everyone was going to buy online, and that our life was very different from when we first started the company. And we understood that the browsers were going to be the main mechanism for us to interact, and so we started building technology to make sure that that interaction with the user was secure.
Speaker 3:So we started by protecting applications so protecting JavaScript, protecting web pages and then we evolved into the data privacy aspect that I have been mainly focusing on in this discussion, where we are monitoring the third parties and making sure that information stays within the people that should be accessing that information. So we have always been trying to do and having a very good success at doing it so simplifying the security of the client side. Simplifying in a sense, that we cannot demand from the developers to be able to build a good experience and still build all the tools that they need to do that experience in a secure way. So we need to assist them and that's why we keep building new and innovative products that help companies build more secure applications and maintain the data privacy of their users.
Speaker 3:Because, again, and going back to the trust, I trust a company not to lose my data. I trust a company, when I'm paying, that they're going to use that credit card only for that transaction or, if it is a subscription, for that product subscription. We cannot break this. These trust relationships is what makes a company great and makes the continuous process of growing, and if we lose these capabilities, this is a critical resource. It's like power, water and the ability to buy online. Maybe I would put, today, internet, power and water as the priorities that most people have, and then the ability to buy stuff. So it's a critical resource and we need to basically continue to produce technology to make sure that it continues to work with the security conscious process that assures the privacy of the users.
Speaker 2:Okay, Well, what are some things you're passionate about? So, maybe one work-related passion and one personal passion. It's clear that I'm a very big.
Speaker 3:Security is the main topic that I lead from every day. But my passion, to be honest, is when I see our progress and I see our customers come back to us and say this is a solution that was easy, that we deployed, that we are getting value. So I value the technology itself, but I value more the fact that today I cannot pass a day without recognizing a customer of ours that is more secure because we are there with them. This is what kind of makes me tick every day when the day is not going so well. And then you see oh, I helped that brand. Oh, I helped that brand. So I really enjoy that process.
Speaker 3:From a personal perspective, I'm kind of boring because I'm a geek. I have passion for what I do, because I'm the CEO. I don't code, I am not allowed to touch the code base of the company, but still I still have all those instincts and on my free time I continue to be a geek. So I really enjoy tinkering with the fucking stuff. The camera is like this is the wide view that you guys have, but if you guys were able to see to the other side. There's like a router that is opened up and stuff like that and a soldering iron and all of that, because I need those elements to continue to be happy to feel that we are still building stuff and not just being the CEO and focusing on financial and customers and stuff like that.
Speaker 2:Right, right. Well, if someone came to you, maybe they just graduated from college, they're looking at the payments industry and they say, hey, I want to build a career in payments or fintech, and maybe they're even changing careers from another industry and they want to come into payments because of all the excitement in this industry what would you tell them they need to do to be successful in this industry?
Speaker 3:I think that, first, there's no better time. Banking, payments, I've never seen so many changes as now. Before, everything was very static in banking. Everything was very static in payments. There's no better time than this. The other would be associate, find startups that you relate to. For you to grow personally, startups or a big company with a startup culture is the best way for you to grow. I started in a banking environment, but I have to say that I had to leave to continue to innovate at some point. And it's not that there are a lot of very competent, very intelligent people in all the banking industry, but they are limited in terms of their scope, what they can do. They have to go through a lot of red tape, they have to go through a lot of control, so it's very tough for them to innovate. And if you're not fighting the system in a persistent way, you can end up in a nine to five job where the thing that motivates you is the paycheck. Paycheck is important, but it shouldn't be your main motivation, don't get me wrong.
Speaker 3:Like, it's very important, but the main motivation is that you are growing, that you are learning stuff, that you are making a difference, and startups provide that environment for you and luckily now there are a lot of startups and even banks are pushing for that startup environment with new brands and new branches that are more dynamic and more focused on the customer.
Speaker 2:Okay, Well, Rui, we've covered a lot of ground, obviously, about you, about the company, about the industry. Is there anything else you'd like to mention before we wrap up the show?
Speaker 3:I think that it's very exciting the things that are happening in the payment industry, and we need to make sure that we implement all the controls, and that's why we require technology and innovation like the one that Jscrambler is building, so I'm very excited about the future of payments.
Speaker 2:Yeah, okay, well, thank you so much for being on the show today. I know your time is very valuable, so thank you so much for being on, thank you, thank you. Thank you very much, and, to all your listeners out there, I thank you for your time as well, and until the next story.
Speaker 1:Thank you for joining us this week on the Leaders in Payments podcast. Make sure you visit our website at leadersinpayments.com, where you can subscribe to the show and where you'll find our show notes. If you enjoyed listening, please share on your social channels as well.