Under the SMS security facility, account holders simply register their mobile phone number on their account detail page, and whenever they pay using their Paypal account, the company's servers will generate a challange/response text to their mobile handsets.
Each time Paypal sends a text message to the authorised user of the account, a six digit security code is sent as the message body.
This code is then entered on the Paypal website, or that of its partner, so acting as a two-factor authentication system.
Paypal isn't surcharging for the service so, provided users have a mobile phone contract with a bundle of minutes every month, then the text messages should not cost them any extra.