Paypal recently announced some changes to their requirements with regards to how websites connect to them. Previously, if you used Paypal as a payment gateway for an online shop (they took care of taking payment and storing data), there was little that the website was required to do other than set up the module or plugin correctly.
As from 17th June 2016, Paypal now has a minimum requirement for encryption for servers (where a website will be hosted), and you will also need to have a SSL certificate set up as well to protect the interactions between the website and Paypal.
So if you have an online shop, that uses Paypal to collect payments, you should first ask your host if it has the minimum new requirements – the server must use SHA256 algorithm and use Verisign G5 certificates. You will also need to buy a SSL certificate and have that applied to the domain so all web addresses will start https instead of http. It is advisable to also check the impact this will have on search engine rankings as well.
My understanding is that if you use Paypal buttons, as long as they don’t use any IPN settings, and the server has the required level of security as above, its not essential to have a SSL certificate. But as you can see from my previous post, there are other advantages to having a certificate in place anyway.