In order to maintain PCI compliance, your login.php page cannot allow unencrypted logins. Currently, even if you have SSL installed on your domain, if someone manually enters a non-SSL URL such as:
http://www.somesite.com/login.php
they will be allowed to log in without encryption, which is a bad thing: the credentials travel over plain HTTP.
Remedying this and forcing SSL regardless of the URL entered in the browser is a simple matter. Edit login.php in your main catalog directory and add the following code at the very top of the file, just under the opening <?php tag:
// Redirect to the HTTPS version of this page whenever the request did not arrive over TLS.
// Checking $_SERVER['HTTPS'] rather than the port also covers sites that serve HTTP on a non-standard port.
if (empty($_SERVER['HTTPS']) || strtolower($_SERVER['HTTPS']) === 'off') {
    // REQUEST_URI preserves the path and any query string of the original request.
    header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], true, 301);
    exit;
}
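The snippet above trusts two things a defender should not: that PHP sees the TLS connection directly (not true behind a TLS-terminating load balancer) and that the Host header is honest (it is client-supplied, so echoing it into a Location header lets a forged Host steer the redirect elsewhere). The following is an added example, not code from the original page or from the shop software, showing a redirect helper that handles both; ALLOWED_HOSTS and the somesite.com names are assumed, site-specific values.

```php
<?php
// ALLOWED_HOSTS is an assumed allow-list of the hostnames this shop is served under.
const ALLOWED_HOSTS = ['www.somesite.com', 'somesite.com'];

// True when the request reached PHP over TLS, or over a trusted reverse proxy that
// terminated TLS and set X-Forwarded-Proto. Pass $trustProxy = true only when the
// proxy is yours and overwrites that header on every incoming request.
function request_is_https(array $server, bool $trustProxy = false): bool
{
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    if ($trustProxy && isset($server['HTTP_X_FORWARDED_PROTO'])) {
        return strtolower($server['HTTP_X_FORWARDED_PROTO']) === 'https';
    }
    return false;
}

// Returns the HTTPS URL to redirect to, or null when the request is already secure.
// The host is validated against the allow-list instead of being echoed back, so a
// forged Host header cannot turn this into a redirect to another site.
function https_redirect_target(array $server, bool $trustProxy = false): ?string
{
    if (request_is_https($server, $trustProxy)) {
        return null;
    }
    $host = strtolower($server['HTTP_HOST'] ?? '');
    $host = preg_replace('/:\d+$/', '', $host);   // drop an explicit port, if any
    if (!in_array($host, ALLOWED_HOSTS, true)) {
        $host = ALLOWED_HOSTS[0];                   // fall back to the canonical host
    }
    $uri = $server['REQUEST_URI'] ?? '/login.php';
    if ($uri === '' || $uri[0] !== '/') {           // keep the path site-relative
        $uri = '/login.php';
    }
    return 'https://' . $host . $uri;
}

// Usage at the top of login.php, just under the opening <?php tag.
$target = https_redirect_target($_SERVER);
if ($target !== null) {
    header('Location: ' . $target, true, 301);
    exit;
}
// Once on HTTPS, ask browsers to use HTTPS for this host on future visits as well.
header('Strict-Transport-Security: max-age=31536000');
```

A request for http://www.somesite.com/login.php?foo=1 yields https://www.somesite.com/login.php?foo=1, while a request carrying Host: evil.example is redirected to the canonical https://www.somesite.com/... instead of to the attacker's host.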