Re: "the little HTTPS padlock shows up in the browser address bar"
I would imaging the iframe loader is on a third party site that is loaded via a javascript src file. Not directly on their server.
Checkout page rules: Do not use any third party code on that page (or a login page). Do not load a third party payment s[processor into an ifarme.
Biting the hand that feeds IT
