It is secure as the form action is <form method="post" name="login_form" action="https://www.paypal.com/uk/cgi-bin/webscr?SESSION=eyTo_GPBitTgGmY6sywhsNkpDeNTlB63S5wwShCTj-5d2JDJM3BYck-kTju&dispatch=5885d80a13c0db1f3893a48c4ade7e5f0b07bad3416f38806fa0f445e05d0ae3"> Which means that the data is posted to a https connection aka secure connection. In addition to this the callback elements from their server require the connection to also be secure - havent tried to set it to a unsecure connection but my understanding is that it will not make the callback if the connection isnt secure