It's more than that. The loaded JS library renders your inputs into iframe elements (for PCI compliance). So it takes that HTML and embeds it down. Recent PCI changes added different-domain hosting for the form itself as a requirement for compliance, which is why you see providers moving to different sorts of embedding.