There is likely zero chance the OP's recollection is remotely correct. Pandora went public in 2011 with 80 million users; the chances of a publicly listed company of this size taking payments over HTTP in 2012 are about as close to zero as can be. If nothing else, their payment processor would drop them as a customer.

I found this: https://textslashplain.com/2016/03/06/using-https-properly/ Seems like it at least partially corroborates OP's recollection!

Thanks, I stand corrected! Apologies to the OP.

move fast break things

It seems, based on the article in the sibling comment, that Pandora took an overly narrow view of the encryption requirements for working with credit card data. So they served the web pages over HTTP and only used HTTPS for the API calls that transferred the credit card information. This is obviously still insecure because a MITM attack could inject JavaScript onto the page to steal the data while it was being entered, but at least in the case where an attacker could just read the traffic they might not be able to capture the credit card information.

I can totally believe there were still companies in existence at this time who were still following such misguided interpretations.
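
The pattern described in the comment above (page served over HTTP, card data posted to an HTTPS API) can be checked for in a page review. The following is an added example, not part of the thread or of any site's code; the function and class names, the field-name hints and the sample page are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumed hints for spotting card fields; tune for the site being reviewed.
CARD_HINTS = ("card", "cc-number", "cvv", "cvc")
# Constructed sample: HTTPS submit target, relative script, card input.
SAMPLE_HTML = """
<script src="/static/app.js"></script>
<form action="https://api.shop.example/pay" method="post">
  <input name="cardNumber" autocomplete="cc-number">
</form>
"""

class FormScan(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []    # [absolute action URL, has_card_field]
        self.scripts = []  # absolute script URLs

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append([urljoin(self.page_url, a.get("action") or ""), False])
        elif tag == "input" and self.forms:
            label = " ".join(a.get(k) or "" for k in ("name", "id", "autocomplete"))
            if any(h in label.lower() for h in CARD_HINTS):
                self.forms[-1][1] = True
        elif tag == "script" and a.get("src"):
            self.scripts.append(urljoin(self.page_url, a["src"]))

def audit_payment_page(page_url, html):
    """Return findings for card forms whose page or scripts are not HTTPS."""
    scan = FormScan(page_url)
    scan.feed(html)
    card_forms = [action for action, has_card in scan.forms if has_card]
    if not card_forms:
        return []
    findings = []
    for action in card_forms:
        target = urlparse(action).scheme
        if urlparse(page_url).scheme != "https":
            findings.append("card form delivered over HTTP (submits to %s)" % target)
        if target != "https":
            findings.append("card form submits over %s" % target)
    for src in scan.scripts:
        if urlparse(src).scheme != "https":
            findings.append("script on card page not HTTPS: %s" % src)
    return findings
```

Run against the same markup at an `http://` and an `https://` page URL, the check flags only the former: the HTTPS submit target does not help when the form and its relative scripts arrive over HTTP.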