by nupark2 5314 days ago
This seems like a risky compliance hack to be relying on. While it might conform to the letter of the law[1], it absolutely does not comply with the spirit of PCI compliance with regard to securing cardholder data.

There's literally no security difference between processing the card transaction through your own servers, and processing it client-side via HTML/JS that your servers are providing (and can modify).

[1] I wouldn't have thought this would meet compliance requirements, but I'm not a PCI expert -- I've only had to work on compliance on the user side, and deal with the auditing requirements.