It's not an additional step, but rather a more secure step IMO.
Steam requires you to directly type in your card's number and can remember that information, and AFAIK that data is stored locally on a file in your PC. I'm not sure if the mechanism changed, but some time ago it was saved into the ClientRegistry.blob file, inside your Steam folder (as a side note, I wouldn't be surprised if it gets saved into a raw binary format; people with a minimal knowledge in DBMS know what I mean
).
PayPal, on the other hand, should encrypt data server-side and on a different server than the ones used for transactions and web services, not to mention Steam accounts get stolen easier than PayPal ones...
Also, I'm paranoid, so yeah, I'm with James Mason here....PayPal XD