While payments will still work when embedded on (non-secure) pages without an SSL certificate, this is not recommended and should be avoided where possible.
The form itself is served securely over HTTPS in an
iframe element. It's worth noting that many users will be wary or distrustful of a payment page that does not visibly say the page is secure, or reflects an inscure connection on their browser.
If you are unable to serve the parent page (the page containing the embedded form) securely over HTTPS, we recommend simply providing a redirect to the direct form URL instead of embedding.