I would agree. If you have the form markup in your page, then your JS can siphon off card details (with an iFrame rendered by someone else with the form in the iFrame, you cannot). I do not know the full story on the Stripe DSS3 code but it's trivial in their payment-form submit event handler to grab details before calling Stripe.card.createToken.