
Wow looks nice. Is an SSL certificate still required since the JS is on Stripe's secure server?


Yes. Otherwise an attacker could serve a page that looks just like your page, but has different JavaScript that ships them the credit card numbers.

If you're not using SSL, you should just assume that an attacker can break your page in every conceivable way.


Yes, absolutely 100% yes an SSL certificate is still required. Look up mixed content warnings and why they're a bad thing.


You get a mixed-content warning for HTTP on HTTPS, but not HTTPS on HTTP as you're already insecure on the original page anyways.


fwiw -- my site is hosted with a company that doesn't have SSL, and we just direct our payments over to a Heroku page, which is served by SSL on their free plan.
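The two cases raised in this thread (an HTTPS script on a page served over HTTP, and HTTP content on a page served over HTTPS) can be checked mechanically. The following is an added example, not code from any commenter or from Stripe; the host names and sample pages are constructed, and `audit_page` is a hypothetical helper.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag attributes that make the browser load from, or submit to, another URL.
URL_ATTRS = {"script": "src", "iframe": "src", "img": "src", "form": "action"}


class _RefCollector(HTMLParser):
    """Collects (tag, url) pairs for every subresource or form target."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attr = URL_ATTRS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if value:
            self.refs.append((tag, value))


def audit_page(page_url, html):
    """Return a list of (finding, url) tuples for one page."""
    collector = _RefCollector()
    collector.feed(html)
    page_scheme = urlparse(page_url).scheme
    findings = []
    if page_scheme != "https":
        # An HTTP page can be rewritten in transit, so HTTPS subresources
        # on it give no protection against a swapped script.
        findings.append(("insecure-page", page_url))
    for tag, ref in collector.refs:
        absolute = urljoin(page_url, ref)  # resolves relative and // URLs
        ref_scheme = urlparse(absolute).scheme
        if page_scheme == "https" and ref_scheme == "http":
            findings.append(("mixed-content", absolute))
        elif page_scheme == "http" and ref_scheme == "https" and tag == "script":
            findings.append(("https-script-on-http-page", absolute))
    return findings


# Constructed sample pages (hypothetical hosts, not taken from the thread).
HTTP_CHECKOUT = '<script src="https://js.example-payments.test/v1.js"></script>'
HTTPS_CHECKOUT = ('<script src="https://js.example-payments.test/v1.js"></script>'
                  '<img src="http://cdn.shop.test/logo.png">')
```
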



