Email, encryption, and other protections
Here are a few technical measures we take to help you stay secure.
Any time you send or receive a PayPal payment, we'll send you an email to confirm the transaction. If you ever receive a confirmation email for a transaction you didn't make, alert us right away and we'll launch an investigation.
PayPal Security Key
The PayPal Security Key gives you a second authentication factor when you're logging in to your account. In addition to your password, you enter a One Time Pin (OTP) that’s unique for each login. These two factors give you stronger account security.
What is it?
The PayPal Security Key sends you a temporary security code via SMS that you enter in addition to your password to log in to PayPal.
How much does it cost?
It’s free to use your mobile phone as your PayPal Security Key. Standard text messaging rates apply when you receive a security code by SMS. Check with your mobile provider for details.
How do I get started?
Click to register your mobile phone.
End-to-end encryption is an important element in helping to keep your data and PayPal transactions secure. We employ a team of security and compliance experts dedicated to implementing and educating customers on industry standards.
Some of the methods we use include, but are not limited to, the following:
When you register or log in to PayPal from your computer or mobile device, we make sure you’re connecting with TLS 1.0 or higher, and we only make HTTPS connections (HSTS). Strong TLS configurations are the current industry standard for trusted communication channels and allow your information to be transmitted across the internet securely. Only allowing HTTPS connections helps to reduce your susceptibility to some passive and active attacks.
When you access PayPal via the iOS and Android apps, we implement key pinning. Key pinning ensures that when your mobile device establishes the TLS connection, it connects only to a true PayPal server. This prevents situations where you launch the app expecting to connect to PayPal, and a PayPal imposter intercepts your connection request and pretends to be us.
We comply with stringent requirements for data protection while in transit and at rest such as PCI-DSS. In addition to industry and regulatory encryption requirements, PayPal’s Information Security Policies and Controls are reviewed by independent third parties to the following industry standards and guidelines: American Institute of Certified Public Accountants SSAE16 SOC1, AT101 SOC2, Sarbanes-Oxley.
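The HTTPS-only (HSTS) measure described above depends on a well-formed `Strict-Transport-Security` response header. The following is an added example, not PayPal's code, that parses a header value by the RFC 6797 rules and reports weaknesses; the function names, the one-year threshold and the sample values are assumptions made for illustration.

```python
import re

# Assumption: one year is a common audit threshold, not a figure from this page.
MIN_MAX_AGE = 31536000
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# Constructed sample header values, not captured from any real site.
SAMPLES = ["max-age=63072000; includeSubDomains; preload",
           'MAX-AGE="31536000"', "max-age=300", "max-age=1; max-age=2"]


def parse_hsts(value):
    """Return {directive: value} per RFC 6797 6.1, or None if browsers would ignore it."""
    directives = {}
    for part in value.split(";"):
        name, sep, val = part.strip().partition("=")
        name, val = name.strip().lower(), val.strip()
        if not name and not sep:
            continue                      # empty directives are permitted
        if not _TOKEN.fullmatch(name) or name in directives:
            return None                   # bad name or repeated directive
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]               # quoted-string form of a value
        directives[name] = val if sep else None
    age = directives.get("max-age")
    if age is None or not re.fullmatch(r"[0-9]+", age):
        return None                       # max-age is required and numeric
    directives["max-age"] = int(age)
    return directives


def audit_hsts(value, min_age=MIN_MAX_AGE):
    """Return a list of findings; an empty list means the policy passes."""
    policy = parse_hsts(value)
    if policy is None:
        return ["header is malformed and will be ignored by browsers"]
    findings = []
    if policy["max-age"] == 0:
        findings.append("max-age=0 tells browsers to drop the HSTS entry")
    elif policy["max-age"] < min_age:
        findings.append("max-age %d is below %d" % (policy["max-age"], min_age))
    if "includesubdomains" not in policy:
        findings.append("includeSubDomains missing: subdomains are not covered")
    return findings


if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", audit_hsts(sample) or "ok")
```

Browsers only honor this header when it arrives over HTTPS, so the value passed in should come from an HTTPS response.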