[trungonnews]

You're missing the point.

While the user is entering the credit card number, there's a chance that someone can intercept and steal the CC.

You can easily solve this problem by putting the credit card form inside your own iframe. :)

[tptacek]

Madness. Are users expected to check the DOM tree before they type their credit card details in to make sure they're sending their info to the iframe they expect to?

The rule should be: if your app has a credit card form under its own banner, the whole thing is implicated for PCI assessments. But that's not the rule.

[robfig]

PCI Compliance is about protecting consumers from third parties, not from the merchant.

As part of Compliance, the merchant attests that he never handles the cardholder information, and that closes off huge portions of it.