The issue with it, however, is that the initial page is delivered over an insecure connection, which allows any part of it to be modified in the usual MITM style. Nothing prevents an attacker from changing the link that is served to the client to something else that looks like that payment system and functions the same, but logs the payment information. There's a reason Firefox now disallows mixed HTTP/HTTPS content by default[0].
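
An added example, not part of the original comment: a small audit that flags HTTPS targets referenced from a page delivered over HTTP (the case described above, where the pointer itself is unauthenticated) and HTTP subresources on an HTTPS page (mixed content). The hostnames, the sample markup and the issue labels are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that send the user (or their data) somewhere, per tag.
NAV_ATTRS = {"a": "href", "form": "action"}
# Attributes that load subresources into the page.
LOAD_ATTRS = {"script": "src", "img": "src", "link": "href", "iframe": "src"}


class _Collector(HTMLParser):
    def __init__(self, base):
        super().__init__()
        self.base = base
        self.refs = []  # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for kind, table in (("nav", NAV_ATTRS), ("load", LOAD_ATTRS)):
            name = table.get(tag)
            if name and attrs.get(name):
                self.refs.append((kind, tag, urljoin(self.base, attrs[name])))


def audit(page_url, html):
    """Return findings for one page as (issue, tag, url) tuples."""
    page_scheme = urlsplit(page_url).scheme
    collector = _Collector(page_url)
    collector.feed(html)
    findings = []
    for kind, tag, url in collector.refs:
        scheme = urlsplit(url).scheme
        if page_scheme == "http" and scheme == "https":
            # The target is encrypted, but the pointer to it was not:
            # anything on the network path could have rewritten this URL.
            findings.append(("unauthenticated-pointer", tag, url))
        elif page_scheme == "https" and kind == "load" and scheme == "http":
            findings.append(("mixed-content", tag, url))
    return findings


# Constructed sample: a shop page that hands off to an HTTPS payment form.
SAMPLE = """
<a href="/cart">Cart</a>
<form action="https://pay.example/checkout" method="post"></form>
<script src="http://cdn.example/app.js"></script>
"""

if __name__ == "__main__":
    for origin in ("http://shop.example/", "https://shop.example/"):
        print(origin, audit(origin, SAMPLE))
```

A finding of `unauthenticated-pointer` means the HTTPS on the target does nothing for the page that links to it; serving the linking page itself over HTTPS is what removes the finding.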