jwolthuis - 6:30 pm on Mar 15, 2013 (gmt 0)
This means you don't have to deal with PCI Compliance at all.
Not true; you still need to follow the PA-DSS guidelines.
For example, you can't create a form that collects payment info, stash it in your database, then post the info on behalf of the shopper.
Also, the guidelines require that you test your code against vulnerabilities. For example, can *I* post a redirect to your site, saying that a payment was successful? Do you log fraudulent attempts like this?
If you're storing payment authorization codes (handy if you ever need to issue a refund), are they stored securely in a separate database (not on your web server), behind a firewall?
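As an added example (not code from this post or any participant in the thread), here is a Python check that accepts a "payment successful" notification only when it carries a valid HMAC from the gateway, matches an order the shop actually issued for the charged amount, and has not already been processed, logging each rejected attempt for review. The signing convention, the shared secret and the order data are assumptions constructed for the example; a real gateway documents its own scheme.

```python
import hashlib
import hmac
import logging

# Shared secret the gateway issues to the merchant. Constructed value for this example.
GATEWAY_SECRET = b"constructed-example-secret"

logger = logging.getLogger("payment_callbacks")


def canonical_payload(params):
    """Hypothetical gateway convention: sign the key=value pairs sorted by key,
    joined with '&', with the signature field itself left out."""
    items = sorted((k, v) for k, v in params.items() if k != "sig")
    return "&".join(f"{k}={v}" for k, v in items).encode()


def expected_signature(params, secret=GATEWAY_SECRET):
    return hmac.new(secret, canonical_payload(params), hashlib.sha256).hexdigest()


def verify_payment_callback(params, orders, remote_addr, secret=GATEWAY_SECRET):
    """Return (accepted, reason). The notification is trusted only if the gateway
    signed it, it names a pending order of ours for the amount we charged, and
    that order is not already marked paid (a replayed or duplicated callback).
    Every rejection is logged with the caller's address so spoof attempts can be reviewed."""
    sig = str(params.get("sig", "")).encode()
    if not hmac.compare_digest(sig, expected_signature(params, secret).encode()):
        logger.warning("bad signature from %s for order %s", remote_addr, params.get("order_id"))
        return False, "bad_signature"
    order = orders.get(params.get("order_id"))
    if order is None or order["amount"] != params.get("amount"):
        logger.warning("signed callback matches no pending order, from %s", remote_addr)
        return False, "order_mismatch"
    if order["status"] == "paid":
        logger.warning("replayed callback for paid order %s from %s", params["order_id"], remote_addr)
        return False, "already_paid"
    order["status"] = "paid"  # state change happens only after every check passed
    return True, "ok"


# Constructed sample data: one pending order and the callback the gateway would send for it.
SAMPLE_ORDERS = {"A1001": {"amount": "49.99", "status": "pending"}}
SAMPLE_CALLBACK = {"order_id": "A1001", "amount": "49.99", "status": "success"}
SAMPLE_CALLBACK["sig"] = expected_signature(SAMPLE_CALLBACK)

if __name__ == "__main__":
    print(verify_payment_callback(dict(SAMPLE_CALLBACK), SAMPLE_ORDERS, "203.0.113.5"))
```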