It's an IFrame, so no credit card info is ever actually on Twitter.com. In fact, the entire Ribbon card interface is served on a different host. Because of that, Twitter doesn't actually have to be PCI compliant-- they never see credit card or payment information.
Wrong! Check the Feb PCI clarification update. iFrames don't take anything out of scope because at the end of the day the SSL session shown by the browser is that of the originating site.
In this case Twitter is the only company that can secure the page containing the iFrame code:
Merchant is responsible for:
- Managing website and servers (if self-hosted), including applicable PCI DSS requirements
- If website/server hosting is outsourced, applicable PCI DSS requirements for management of third parties (e.g., Requirement 12.8)
- Having written agreements with any third parties and ensuring that they protect cardholder data on behalf of the merchant, in accordance with PCI DSS
- Securing the web page(s) containing the iFrame code.