It seems, based on the article in the sibling comment, that Pandora took a overly narrow view of the encryption requirements for working with credit card data. So they served the web pages over HTTP and only used HTTPS for the API calls that transferred the credit card information. This is obviously still insecure because a MITM attack could inject javascript onto the page to steal the data while it was being entered, but at least in the case where an attacker could just read the traffic they might not be able to capture the credit card information.

I can totally believe there were still companies in existence at this time who were still following such misguided interpretations.