The page itself is loaded via HTTP, but all credit card information is transferred to Stripe & Helium via HTTPS. Again, with Helium, no payment information actually needs to hit your servers (Sam's blog, in this case).

I think this is a valid concern. IIRC such payment-related Javascript code should only be included in https:// context as other script code might interact with the payment form.

It's actually against the stripe Terms of Service to use live mode keys on a non-https site.