CiviCRM doesn't perform any financial transactions itself - it relies on having all of such operations performed by payment processing gateways.
Direct answer to above question depends on which PayPal you're using. For PayPal Pro, it is critical that you have SSL (users are entering credit card info on a form on YOUR site) on your side. Note that CiviCRM does not support shared SSL, so the certificate must be installed on your own domain. For PayPal Express and Web Payments Standard all credit card info is entered directly on SSL secured forms on PayPal's servers. Check the documentation at CiviContribute Payment Processor Configuration for more details.