Question

Our website has a login form that shows up in the header on every page on the website. This is what my boss wants however we need to get PCI compliant and it says any sensitive form (login/password) requires SSL. So does that mean the entire website has to be running under SSL while a user is not logged in?

Another question related to that, we have third party security software scanning and testing our site and it sends HTTP post to the login form on all the pages and reports it is unsecured because it submits it under HTTP. I am wondering how a company like say Godaddy does it because they have a login/password on their homepage yet I can access it via HTTP and submit my login information just fine. By that logic they are not secure because it allows me to do that right? I feel like I am missing something but not sure what.

-EDIT- Some information that came from the security site:

Description

A vulnerability exists that allows an attacker to harvest sensitive information (login credentials, etc) that are thought to be SSL-secured.

Specifically, a form was found on an HTTP (unencrypted) page that sends information to an HTTPS (encrypted) page. An attacker could leverage cache poisoning (DNS/DHCP/ARP/etc) or another vulnerability (e.g. XSS) to cause the HTTP page to send information to an attacker-controlled website instead of the legitimate HTTPS site.

Furthermore, toolkits exist to automate the process of harvesting such credentials, connecting to the legitimate HTTPS site and establishing the attacker as a transparent proxy between the victim and the legitimate host where the attacker sees all information in cleartext (including login credentials, etc).

Victim<---------HTTP--------->Attacker<---------HTTPS--------->Legitimate Site

CVSS Score 2.1

Solution

Do not allow any information you want SSL secured to originate from an unsecured page.
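The scanner finding quoted above boils down to two checks on every page: does a form with a password field post to a plain-HTTP action, and is the page carrying that form itself served over HTTP (where the form can be rewritten before the browser submits it, even if its action is HTTPS)? The following is an added example of that audit logic, not code from the asker's site or from the scanning product; the page URL, the hostname `www.example.test` and the embedded HTML are constructed sample input.

```python
"""Added example: flag password forms that are exposed on HTTP pages.

Mirrors the scanner finding quoted in the question. A form with a password
field is reported if it posts to an http:// action, or if the page carrying
it is served over http://, whether or not the action points at https://.
The page URL, hostname and HTML below are constructed sample input.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collects each <form>'s resolved action URL and whether it holds a password input."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []          # list of dicts: {"action": str, "has_password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A missing or empty action submits back to the page itself.
            action = urljoin(self.page_url, attrs.get("action") or "")
            self._current = {"action": action, "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_forms(page_url, html):
    """Return one finding string per password form that is unsafe; [] if all are clean.

    Two conditions are checked, in the order the quoted scanner text implies:
      * the form posts to a non-https action (credentials travel in cleartext);
      * the page itself is not https, so an on-path attacker can rewrite the
        form before submission even though the action is https.
    """
    parser = _FormCollector(page_url)
    parser.feed(html)
    page_scheme = urlsplit(page_url).scheme.lower()
    findings = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        action_scheme = urlsplit(form["action"]).scheme.lower()
        if action_scheme != "https":
            findings.append(f"{form['action']}: password form submits over {action_scheme}")
        elif page_scheme != "https":
            findings.append(f"{form['action']}: form is served on an {page_scheme} page "
                            "and can be rewritten before submission")
    return findings


# Constructed sample: a header login form like the one in the question
# (action already https), plus an unrelated search form without a password.
HEADER_LOGIN_HTML = """
<html><body>
<div id="header">
  <form method="post" action="https://www.example.test/login">
    <input type="text" name="user">
    <input type="password" name="pass">
  </form>
</div>
<form method="get" action="/search"><input type="text" name="q"></form>
</body></html>
"""

if __name__ == "__main__":
    # The same HTML is clean on an https page and flagged on an http page.
    for url in ("http://www.example.test/", "https://www.example.test/"):
        print(url, "->", audit_login_forms(url, HEADER_LOGIN_HTML) or ["clean"])
```

Run against the sample, the HTTPS page yields no findings while the HTTP page yields one, which is exactly the situation the question describes: pointing the form's action at HTTPS is not enough while the page that embeds it still arrives over HTTP. The scanner's "Solution" line follows from that: every page that carries the header login form, which here is every page, has to be served over HTTPS.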

No correct solution

Licensed under: CC-BY-SA with attribution