If you are transmitting usernames, passwords and payment information, use SSL.
You can use HTTPS while managing user accounts in the User Manager web interface. PayPal payments can also be made without SSL: uncheck the box "Secure response" for the subscriber. It means that PayPal sends payment result details to User Manager in plain text. If there is a "man in the middle", they can sniff which PayPal user (email address) transferred how much money to your account. However, it does not mean that an attacker can make fake payments, because User Manager makes a secure SSL connection back to PayPal and checks whether it really sent the data which is received by User Manager.
It is relatively easy to sniff this plain text data for users who are in the same network (other HotSpot users); there are tools available, including freeware.
By not using SSL (HTTPS) you risk publishing your client data:
*) Email address
*) User Manager (HotSpot) login and password
*) Transferred money amounts - possibility to track your income
However, no kind of credit card information is visible to hackers and no fake payments are possible.
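A sketch of the verify-back check described above, as an added example and not User Manager's or PayPal's own code. The provider is simulated in-process, and the field names and values are constructed assumptions; it shows that a notification altered on the plain text leg is rejected while its contents stay readable to anyone on the path.

```python
from urllib.parse import parse_qs, urlencode


class SimulatedProvider:
    """Stands in for the payment provider's HTTPS verification endpoint (constructed)."""

    def __init__(self):
        self._sent = set()

    def notify(self, fields):
        """Emit a notification body exactly as it would travel over plain HTTP."""
        body = urlencode(fields)
        self._sent.add(body)
        return body

    def verify(self, echoed_body):
        """Answer the receiver's call-back: did we really send these exact bytes?"""
        return "VERIFIED" if echoed_body in self._sent else "INVALID"


def accept_payment(raw_body, verify_over_tls):
    """Receiver side: credit the payment only if the provider confirms the body."""
    if verify_over_tls(raw_body) != "VERIFIED":
        return None
    fields = parse_qs(raw_body)
    return fields["payer_email"][0], fields["mc_gross"][0]


def visible_to_observer(raw_body):
    """Fields readable by anyone on the same network when the notification is plain text."""
    fields = parse_qs(raw_body)
    return {k: v[0] for k, v in fields.items() if k in ("payer_email", "mc_gross")}


# Constructed sample notification and a copy altered in transit.
provider = SimulatedProvider()
genuine = provider.notify({"payer_email": "alice@example.com", "mc_gross": "10.00",
                           "txn_id": "CONSTRUCTED-0001"})
tampered = genuine.replace("10.00", "99.00")

if __name__ == "__main__":
    print("genuine :", accept_payment(genuine, provider.verify))
    print("tampered:", accept_payment(tampered, provider.verify))
    print("exposed :", visible_to_observer(genuine))
```

The call-back protects integrity only; confidentiality of the email address and amount still depends on enabling SSL for the notification itself.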