It's called PCI. Unless there was a contract between Ribbon & Twitter, this is not at all okay, since they were taking payments within the same origin of twitter.com, thus bringing twitter.com into scope of PCI compliance for Ribbon. This was a really basic mistake if there was no contract. Everyone who knows anything about PCI understands this very well.