They added SSL but it appears they are still making some kind of mistake. They claim to be using stripe.js (edit: http://mayone.us/distribution-plan/) which, as far as i know, creates a token so you don't have to send the credit card information over to your server protecting you from liability. It seems like they have still implemented it incorrectly. If you click "Pledge" it still sends the raw (albeit now encrypted) information to their wordpress server.