Yes in fact the iframe is the only way of doing it securely with the current web specs. ...and it can in fact be done almost completely seamless for the end user, with lil bit of hacking.
It's not impossible though. One method of doing that is to use the trick where an iframe can communicate with its parent document by altering the #fragment URL, which can be read by both parties. It's dirty but it works. The new HTML5 postMessage API can be used as an alternative for browsers that support it.
haha, yes that too. I was refering to secure payments where the host site can affect he layout of payments but not the secret details. Yes you can do that if being creative. :)