I distinctly remember trying to sign up for Pandora’s premium plan back in 2012 and their credit card form being served and processed over HTTP. I emailed them telling them that I wanted to give them my money if they would just fix the form. They never got back to me or fix it for several more years while I gave my money to Spotify. Back then HTTPS was NOT the norm and it was a battle to switch people to it. Yes it is annoying for internal networks and a few other things but it is necessary.
I remember even back in the early 2000s https for credit card forms was pretty common. Surprised a company like Pandora wasn't with it by thr 2010s.
There is likely zero chance the OP's recollection is remotely correct. Pandora went public in 2011 with 80 million users, the chances of a publicly listed company of this size taking payments over HTTP in 2012 are about as close to zero as can be. If nothing else, their payment processor would drop them as a customer.
I found this: https://textslashplain.com/2016/03/06/using-https-properly/ Seems like it at least partially corroborates OP's recollection!
Thanks, I stand corrected! Apologies to the OP.
move fast break things
It seems, based on the article in the sibling comment, that Pandora took a overly narrow view of the encryption requirements for working with credit card data. So they served the web pages over HTTP and only used HTTPS for the API calls that transferred the credit card information. This is obviously still insecure because a MITM attack could inject javascript onto the page to steal the data while it was being entered, but at least in the case where an attacker could just read the traffic they might not be able to capture the credit card information.
I can totally believe there were still companies in existence at this time who were still following such misguided interpretations.
In the early to mid 2000s I would believe this. But for a major e-commerce provider in 2012? That seems vanishing improbable.
PCI DSS is the data security standard required by credit card processors for you to be able to accept credit card payments online. Since version 1.0 came out in 2004, Requirement 4.1 has been there, requiring encrypted connections when transmitting card holder information.
There’s certainly was a time when you had two parts of a commerce website: one site all of the product stuff and catalogs and categories and descriptions which are all served over HTTP (www.shop.com) and then usually an entirely separate domain (secure.shop.com) where are the actual checkout process started that used SSL/TLS. This was due to the overhead of SSL in the early 2000s and the cost of certificates. This largely went away once Intel processors got hardware accelerated instructions for things like AES, certificates became more cost-effective, and then let’s encrypt made it simple.
Occasionally during the 2000s and 2010s you might see HTML form that were served over HTTP and the target was an HTTPS URL but even that was rare simply because it was a lot of work to make it that complex instead of having the checkout button just take you to an entirely different site