I think I know the food delivery service you're talking about (free delivery, no tips). They use Stripe as their processing backend, and they said that their connection to Stripe is over HTTPS; however, I gave up trying to explain that if the initial transmission to their servers is unencrypted, it doesn't matter.
I thought about reporting this to Stripe, but I don't know if that is an appropriate thing to do.
I still gave them a try, but I generated a virtual card number to use.
I had the same discussion with a new parking management company at my apartment complex. I told them I wasn't going to put confidential information on a site that doesn't use HTTPS, and they tried to tell me that they used a third party for authentication so my data wasn't stored there... I don't even know how to explain it to them.
"You're telling me that once you have my information you throw it away immediately. That's great, but you are still forcing me to give you my information in the first place by standing in the middle of the street yelling it through a loud hailer".
If the form is POSTed directly to Stripe (which is the recommended usage), your info is never seen by a third party. The site in question would only potentially store a token. Are you sure this wasn't the case?
If the form itself was delivered over http then it doesn't matter. An attacker could easily change the POST address to something else. And how could you even tell? Browsers don't display the URL that a submit button is going to POST to...
Of course, if an attacker can MitM any HTTP web page on a site (i.e. if a site is not all SSL), then it really doesn't matter if they serve the form over HTTPS, because the attacker can set up another form over HTTP and the victim will be none the wiser.
And then there's the possibility of XSS, in which case neither lack of MitM access nor use of HTTPS will be sufficient protection.
This is true. You'd have to look for a script tag with src of https://checkout.stripe.com/checkout.js. Alternatively, you could try to follow the onclick handler for the button (Event Listeners in Chrome).
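The checks the thread arrives at (was the page itself delivered over HTTPS, where does each form actually POST, is checkout.js loaded) written out as one audit function; this is an added example, not code from any commenter or from Stripe. `describeLivePage` is a hypothetical helper for a browser console, and the sample page objects are constructed so the audit runs offline under Node.

```javascript
// Added example: encodes the signals discussed in the thread as findings.
// Nothing here is Stripe's code; the only Stripe-specific value is the
// checkout.js URL named in the comment above.

function auditCheckoutPage(page) {
  const findings = [];
  const base = new URL(page.href);
  // If the page came over plain HTTP, a MitM could have rewritten the form
  // action or the script tags, so the remaining checks only describe what
  // the network delivered, not what the site intended.
  if (base.protocol !== 'https:') findings.push('page-not-https');
  for (const action of page.formActions) {
    const target = new URL(action, base); // relative actions resolve against the page
    if (target.protocol !== 'https:') findings.push('form-posts-over-http:' + target.host);
    else if (target.host === base.host) findings.push('form-posts-to-site-itself:' + target.host);
    else findings.push('form-posts-to-third-party:' + target.host);
  }
  // The thread names this script as the sign that Stripe Checkout is in use.
  if (!page.scriptSrcs.includes('https://checkout.stripe.com/checkout.js')) {
    findings.push('no-stripe-checkout-js');
  }
  const blocking = findings.filter(f => f === 'page-not-https' || f.startsWith('form-posts-over-http'));
  return { verdict: blocking.length ? 'unsafe' : 'needs-review', findings };
}

// Hypothetical browser-side collector (not executed here): pass it `document`.
function describeLivePage(doc) {
  return {
    href: doc.location.href,
    formActions: Array.from(doc.forms, f => f.getAttribute('action') || doc.location.href),
    scriptSrcs: Array.from(doc.scripts, s => s.src),
  };
}

// Constructed sample pages for the offline run.
const HTTP_PAGE = {   // the case the thread describes: form delivered over HTTP
  href: 'http://food-delivery.example/checkout',
  formActions: ['/pay'],
  scriptSrcs: ['https://checkout.stripe.com/checkout.js'],
};
const HTTPS_PAGE = {  // same form, but the page itself was served over HTTPS
  href: 'https://food-delivery.example/checkout',
  formActions: ['https://food-delivery.example/pay'],
  scriptSrcs: ['https://checkout.stripe.com/checkout.js'],
};

console.log(auditCheckoutPage(HTTP_PAGE));   // verdict 'unsafe'
console.log(auditCheckoutPage(HTTPS_PAGE));  // verdict 'needs-review'
```

A 'needs-review' verdict with 'form-posts-to-site-itself' means the card data still reaches the site's own server first, which is exactly the case the earlier comment says Stripe's recommended direct-POST usage avoids.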