I don't believe it's possible for a site accepting credit cards on a non-SSL page to be PCI compliant, period, no exceptions. It's trivial to MITM to steal your card info.
The merchant's page is loaded over an insecure connection, but the credit card details are sent to Stripe's servers over a secure connection using an iframe. So it's secure; the customer just can't verify that it is without looking at the source.
If the merchant's page include any Javascript over an insecure connection (for example, jQuery from a CDN) then an attacker can intercept this connection and replace the Javascript by a malicious script that will remove Stripe's iframe and replace it by any other iframe.
So yes, passive network sniffing won't work with Stripe's iframe being loaded over HTTPS, but this does not protect against any type of "active" man in the middle attack.
Not exactly. Iframes aren't involved (yuck how ugly!). Javascript is used to catch the form's submit, all the data on the form (credit card info) is sent straight to Stripe's server over https (via AJAX) and then their server sends back a response.
Their implementation is both elegant and smart. Even easier than Braintree.
How does the customer know it's even Stripe's javascript running at all? There's nothing preventing the injection of malicious JS to capture the card number.
