How can PayPal protect customer data from their Business Partners?

Suppose a PayPal business partner uses the PayPal web service on its website. If a web service asks for the username and password of its customer, how can PayPal protect customer data from their business partners? How can we make transactions between customers, PayPal and its business partners?

+4
1 answer

It seems you are asking about two different things? But I would like to try to answer both of them.


QUESTION 1

If I understand you correctly, your first question asks how PayPal can provide protection for a client from a “business partner,” which I, like PayPal, most often call a “merchant.”

You specify the username and password collected by the "business partner", so I will talk about this first. Usually the username and password are protected only by the site on which they are collected. Often a site will have a login and session that are separate from the login and session that are for PayPal. Thus, even if the site uses PayPal, the site probably does not use PayPal to protect the account credentials for accessing its site.

If the site uses PayPal, and the user / client will be prompted to log into their PayPal account for payment, then the credentials should be sent only to the PayPal website (you can see paypal.com in the form action [see source]). Typically, a customer can only log in to PayPal through a form on the page served by PayPal (paypal.com is located in the URL). I would be suspicious of any page that prompts a user to register with their PayPal account that did not have paypal.com in the URL domain. Even eBay, which is now under the same ownership as PayPal, will have eBay users enter their PayPal account credentials on a page that is submitted through paypal.com.

There are several ways to process payments using PayPal. Typically, merchants process PayPal payments in such a way that the customer enters their credit card information only on PayPal servers. This is one of the ways that PayPal can protect a customer from a business partner / seller. When a customer’s credit card information is collected by PayPal, PayPal does not provide credit card information to the seller. The merchant only sends the details necessary to receive information about the status of the payment / transaction.

PayPal also offers the customer a different type of protection. It's called “Purchase Protection” (formerly “Buyer Protection”), and it is basically a combination of guarantees, policies, web applications, organization, and much more that is designed to ensure that the buyer receives what the seller pays for.

In addition, I would like to add: many merchants view credit card information as a commitment. Some may collect it to allow the user to process future payments without re-logging in, but many simply do not store credit card information to avoid liability. You should never transmit credit card information in unencrypted form. You can verify that your credit card information will be sent in encrypted form by checking the validity of the form on the form that collects your credit card information. Most browsers tell you whether your information will be hosted under protocols that are compromised in security, such as HTTPS (encrypted), to HTTP (plain text), so sometimes checking that the current MIGHT URL is good enough (although there are still ways around this).


QUESTION 2

SOAP is a data exchange protocol that can be used for communication between the seller ("business partner") and PayPal. I don’t think that usually there is a SOAP transaction (as you stated) between the client and the business partner (seller), but the PayPal SOAP API can be used from the seller to PayPal. This data transfer method is as secure as other methods because the connection must be encrypted in order to connect to PayPal SOAP servers. For more information, see the PayPal SOAP API or SOAP Protocol.

+1
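
As an added example (not part of the answer above, and not PayPal's code): a Python check of the two things the answer says to look at, namely that a login form's action points at paypal.com and that it is submitted over HTTPS. The sample pages, the `shop.example` host and all function names are constructed for illustration; the host comparison is an exact or true-subdomain match, so look-alike hosts that merely contain "paypal.com" are rejected.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

TRUSTED_DOMAIN = "paypal.com"  # the domain the answer says to look for

class FormCollector(HTMLParser):
    """Collect each <form>'s action and whether it holds a password field."""
    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append({"action": a.get("action") or "", "password": False})
        elif tag == "input" and self.forms and (a.get("type") or "").lower() == "password":
            self.forms[-1]["password"] = True

def host_is_trusted(host):
    """Exact match or a true subdomain; substring look-alikes are rejected."""
    host = (host or "").lower().rstrip(".")
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)

def check_login_forms(page_url, html):
    """Return (resolved_action, verdict) for every form with a password field."""
    parser = FormCollector()
    parser.feed(html)
    results = []
    for form in (f for f in parser.forms if f["password"]):
        # A relative or empty action resolves against the page's own URL.
        target = urljoin(page_url, form["action"])
        parts = urlsplit(target)
        if parts.scheme != "https":
            verdict = "plaintext"    # credentials would travel unencrypted
        elif not host_is_trusted(parts.hostname):
            verdict = "not-paypal"   # credentials go to some other site
        else:
            verdict = "ok"
        results.append((target, verdict))
    return results

# Constructed sample pages (not real PayPal or merchant markup).
SAMPLES = {
    "https://www.paypal.com/signin": '<form action="/signin"><input type="password" name="p"></form>',
    "https://shop.example/pay": '<form action="https://paypal.com.shop.example/login"><input type=password></form>',
    "https://shop.example/pay2": '<form action="http://www.paypal.com/signin"><input type="PASSWORD"></form>',
}

if __name__ == "__main__":
    print({url: check_login_forms(url, html) for url, html in SAMPLES.items()})
```
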

Source: https://habr.com/ru/post/1340851/

