A Free, Self-Hosted Back End for Stripe Checkout (json.expert)
2 points by ctcliff 4162 days ago

Two things. First, you have a live key set up on this page, which seems like it's problematic if you're not actually providing anything. This should be a test key.

Second, I can manipulate how much I'm paying by changing the HTML. I understand that this is a very simple backend but it's also very open to manipulation. You should, at the very least, add some sort of param signing.

This setup assumes manual order fulfillment. If someone manipulates a charge, don't deliver the goods.

If you're doing 100s of transactions per day or automating fulfillment, it would be more appropriate to invest in a full-featured back end.
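
The "param signing" suggested in the first comment, as an added example that is not part of the thread or the linked project's code: the server MACs the price fields when it renders the form and re-checks the MAC before creating the charge, so an amount edited in the HTML is rejected. The field names, demo key and 15-minute validity window are assumptions.

```python
import hashlib
import hmac
import time

# Constructed demo secret; in a real deployment it exists only on the server.
SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"
MAX_AGE_SECONDS = 900  # assumed validity window for a rendered checkout form


def _canonical(item_id, amount_cents, currency, issued_at):
    # Length-prefix every field so ("ab", "c") and ("a", "bc") cannot collide.
    fields = [item_id, str(amount_cents), currency.lower(), str(issued_at)]
    return b"".join(len(f.encode()).to_bytes(4, "big") + f.encode() for f in fields)


def _mac(item_id, amount_cents, currency, issued_at):
    msg = _canonical(item_id, amount_cents, currency, issued_at)
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def sign_checkout(item_id, amount_cents, currency, issued_at=None):
    """Server side, at render time: the form fields plus their MAC."""
    issued_at = int(time.time()) if issued_at is None else issued_at
    return {"item_id": item_id, "amount_cents": amount_cents,
            "currency": currency, "issued_at": issued_at,
            "sig": _mac(item_id, amount_cents, currency, issued_at)}


def verify_checkout(form, now=None):
    """Server side, before charging: True only for untampered, fresh fields."""
    now = int(time.time()) if now is None else now
    try:
        amount = int(form["amount_cents"])
        issued_at = int(form["issued_at"])
        expected = _mac(str(form["item_id"]), amount, str(form["currency"]), issued_at)
        supplied = str(form["sig"])
    except (KeyError, ValueError, TypeError):
        return False  # missing or malformed field: treat as tampered
    if amount <= 0 or not 0 <= now - issued_at <= MAX_AGE_SECONDS:
        return False  # nonsensical amount, or a stale or future-dated form
    # Constant-time comparison avoids leaking how many MAC characters matched.
    return hmac.compare_digest(expected.encode(), supplied.encode())
```

Signing only proves the fields are the ones the server rendered; the charge itself must still be created from the verified values, not from a separate unsigned copy of the amount.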