I would suggest using HTTPS on your main domain. While you do include an iframe from an HTTPS source for the form that asks for a credit card, someone could MITM the main domain and replace the iframe source with something else, and the user might never know.
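A check for the situation described above, added here as an example and not part of the original comment: it resolves every iframe `src` against the URL of the embedding page and flags frames whose address is delivered over an unauthenticated parent. The hosts `shop.example` and `pay.example`, the sample markup and the function name `audit_embedding` are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class IframeCollector(HTMLParser):
    """Collects the src attribute of every <iframe> in a document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)


def audit_embedding(page_url, html):
    """Return (severity, message) findings for iframes embedded in page_url."""
    collector = IframeCollector()
    collector.feed(html)
    parent_secure = urlsplit(page_url).scheme == "https"
    findings = []
    for src in collector.sources:
        resolved = urljoin(page_url, src)  # resolves relative and //host/ forms
        frame_secure = urlsplit(resolved).scheme == "https"
        if not parent_secure and frame_secure:
            findings.append(("high", f"{resolved}: HTTPS frame inside an HTTP page; "
                             "the src attribute itself is delivered unauthenticated"))
        elif not frame_secure:
            findings.append(("high", f"{resolved}: frame content is loaded over plain HTTP"))
    return findings


# Constructed sample markup; shop.example and pay.example are placeholder hosts.
SAMPLE_HTML = """
<html><body>
  <h1>Checkout</h1>
  <iframe src="https://pay.example/card-form"></iframe>
  <iframe src="//pay.example/receipt"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for url in ("http://shop.example/checkout", "https://shop.example/checkout"):
        print(url)
        for severity, message in audit_embedding(url, SAMPLE_HTML) or [("ok", "no findings")]:
            print(f"  [{severity}] {message}")
```

The same markup produces two findings when the parent is served over HTTP and none when it is served over HTTPS, because the protocol-relative `//pay.example/receipt` inherits the parent's scheme.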