Stripe is certainly a PCI grey area. Conceptually, the data in the form is submitted directly to Stripe servers, and the only thing returned to the merchant is a single-use token. Your point “that there is potential for someone who has access to the server to replace the Stripe code” is a slippery slope, and I cannot believe anyone is really suggesting that as a PCI concern. Someone with access to any ecommerce server puts that server in unavoidable jeopardy. That person could replace any payment instrument with their own code. They could even add a payment form to the site, even if the site doesn’t take payments. Imagine I gained access to google.com; I could put a payment form on the homepage with an indication that Google searches now cost money, and likely harvest thousands or millions of cards.

However, I don’t understand your repeated mantra “put up or shut up”, “you have no option but to pay it”, “there is little we can do other than pay their fee”. Certainly you have options beyond BarclayCard and Stripe. Full disclosure, I do work for a company that offers competing products, but if any company isn’t living up to your expectations, then I’m not sure why you would stick with them.