If you use single sign-on (SAML SSO) to access PayPal, you are legally attesting that your organization meets federal and state cybersecurity requirements for multi-factor authentication — and you must provide proof if PayPal asks.
This new provision shifts the compliance burden for specific security standards (NY DFS Part 500 and the federal safeguarding regulations) onto users, who must attest to MFA compliance and provide proof on request.
Business account holders using SAML SSO are making a binding legal attestation that they comply with NY DFS Part 500 and the FTC Safeguards Rule (16 CFR Part 314). If that attestation is false, they face both contractual liability to PayPal and regulatory exposure to state and federal authorities. Organizations should audit their MFA implementation against both standards before enabling SAML SSO. Note that SAML SSO delegates authentication to the organization's own identity provider: PayPal receives only the resulting assertion, so whether MFA was actually enforced for a given login is determined entirely by the identity provider's policy for the PayPal application, not by anything PayPal does.
This clause shifts significant compliance responsibility onto business users by requiring them to self-certify MFA regulatory compliance, creating legal and contractual risk if their SSO implementation does not actually meet the cited standards.
(1) REGULATORY FRAMEWORK: This provision implicates the FTC Safeguards Rule (16 CFR Part 314, amended in 2021 with the MFA requirement enforceable since June 2023), which requires MFA for any individual accessing customer information systems and is enforced by the FTC. NY DFS Part 500 (23 NYCRR 500) requires MFA for remote access to information systems, including third-party and cloud-based applications from which nonpublic information is accessible, and for all privileged accounts; it is enforced by the New York Department of Financial Services (NY DFS), which can impose civil monetary penalties. NIST SP 800-63B defines the authentication assurance levels that serve as the technical benchmark for judging whether an MFA implementation satisfies either regulation.