At the very least, read requirement 4. The simple fact is that they were allowing customers to enter their credit card details and submit that data over HTTP.
If they were using stripe how did they pass details through onto HTTP? as far as I remember their webhook won't even communicate with an unsecure page. They must be using some other payment gateway.
I didn't follow every link you included, and didn't expect to argue about this – also, I didn't realize this was your post, my bad!
You can ignore my comment about the /payments page, I'll assume you checked that, so yeah, that's insane if you can update payment information on an insecure page.
Rather than me point out exactly why what you just said was completely wrong, I suggest you download it from here:
https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1....
At the very least, read requirement 4. The simple fact is that they were allowing customers to enter their credit card details and submit that data over HTTP.