I plan to build an Android/iPhone app. The app will contain a few forms and stat
Question
I plan to build an Android/iPhone app. The app will contain a few forms and status screens. One of the screens will ask the user for their card details. Once they click submit, the details will be sent over to a third party via a secure channel (HTTPS), but not stored at all in the application.
Update: We will not be taking payments through the app, just providing a form for users to register their cards. Future requests to the third party include the userId and an authorization field.
Do I need PCI compliance in this case?
Explanation / Answer
Any merchant accepting payments, regardless of the method, needs to be PCI compliant. To accommodate the various methods of accepting payment (outsource, redirect, iframe, POS, etc.), the PCI council has developed different self-assessment questionnaires (SAQs). The SAQ forms are essentially a pared-down list of requirements from the full PCI DSS. The requirements included in each SAQ form are those most applicable to the way you accept payments.
Based on the method of processing you implement, you will need to select the proper SAQ form, make sure you meet all the requirements listed, and then complete the SAQ and the Attestation of Compliance.