3DS is not just 2FA, but it has an option to shift liability to the card issuer in case of card-stolen disputes. Our fraud has come to near 0 once we started 3DS enforcement. 1% of 3DS transactions don't lead to a liability shift, and in such cases, we flag those transactions and call the customer to get more forms of identification that they own the card.

With PayPal - beyond ownership of email address (which is already compromised), there's nothing else to validate against.