by saikat 5069 days ago
To make sure there isn't confusion here, having card details go through your server, even if you aren't saving them, still can lead to certain PCI compliance burdens (e.g. you may need to get an audit from a PCI auditor verifying this).

Having the card never go to your server is the best way to make sure you are PCI compliant, as you mention.
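As an added example that is not from this thread: a small server-side guard (hypothetical helper names, constructed sample requests) that rejects any checkout submission carrying a Luhn-valid card number and accepts only the processor's token, so a front-end mistake cannot quietly route card data through your server and pull it into PCI scope.

```python
import re

# A value of 13-19 digits, optionally separated by spaces or dashes, is a
# primary account number (PAN) candidate. These helper names are assumed
# for this example; they are not from any library.
PAN_CANDIDATE = re.compile(r"^(?:\d[ -]?){13,19}$")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_pan(value) -> bool:
    """True when a form value is PAN-shaped and Luhn-valid (cuts false hits)."""
    if not isinstance(value, str) or not PAN_CANDIDATE.match(value.strip()):
        return False
    return luhn_valid(re.sub(r"[ -]", "", value.strip()))


def find_pan_fields(form: dict) -> list:
    """Names of the fields whose values look like a card number."""
    return sorted(k for k, v in form.items() if looks_like_pan(v))


def accept_checkout(form: dict) -> dict:
    """Refuse any request that carries card data; require a processor token."""
    leaked = find_pan_fields(form)
    if leaked:
        return {"ok": False, "reason": "card data submitted to server", "fields": leaked}
    if "payment_token" not in form:
        return {"ok": False, "reason": "missing payment_token", "fields": []}
    return {"ok": True, "reason": "", "fields": []}


# Constructed sample requests; the card number is a well-known test value.
TOKEN_ONLY = {"payment_token": "tok_example_123", "amount": "1999"}
LEAKED_PAN = {"payment_token": "tok_example_123", "card": "4111 1111 1111 1111"}
```

Log the rejected field names, never the values, so the rejection itself does not write card data to disk.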

2 comments

One component is transit security - is the data safe from interception in transit (on the network)? The other component is security of the data at rest - is the data safe from interception if it comes to rest on your server (sessions, databases, etc.)?

From a data security standpoint it is easier to let somebody else do it, but end users tend to have a less satisfying checkout experience.

Ah, thanks. Like I said, I wasn't sure. We made sure we were PCI compliant, but I wasn't in charge of that by any means.