PCI DSS is the Payment Card Industry Data Security Standard. More information about this can be found here: link to wikipedia...
We use Stripe Inc. to process payment transactions. They make the following statement about their PCI compliance:
“Is Stripe PCI compliant?
Stripe has been audited by a PCI-certified auditor, and has in turn been certified as a PCI Level 1 Service Provider, the most stringent level of certification available. You can confirm our certification in Visa's registry of service providers.”
How we use Stripe:
Stripe provides a code module that is integrated into our application to handle the payment card details entered by the customer. These details are sent directly from the application to Stripe in encrypted form.
The payment card details are never received by, and never held on, any of our servers. To be clear, we never receive, and therefore cannot store, the following items on our servers: the Primary Account Number (PAN) and the Card Verification Code (CVC).
The application does temporarily hold the PAN and CVC while the app user enters them, until the card has been tokenised by Stripe. Once tokenised, the application retains nothing other than the last 4 digits of the card number, so that we can display them and the customer can see which card is being used. The application also keeps the expiry date (which it never displays) so that it knows when to ask for new payment details once the old ones have expired. Both the expiry date and the last 4 digits are stored in the device's encrypted password store and are available only to the application.
Stripe provides us with a token that our server uses as a proxy for the actual payment card. This token can only be used by us, through the Stripe service. It is of no use to a third party and cannot be used as a card number.