
Does a server that serves a form requesting a user's credit card information need to be PCI compliant


I'm building a new web application that serves a form requesting the user's card information. Submitting this form will post the form data to a different, fully PCI-DSS compliant application.

Does the application that serves the form to users need to be PCI-DSS compliant also, even if I don't read card information in that application?

As far as my brief googling session has shown, it seems that PCI-DSS compliance is required in any application that "handles" card information. I'm not entirely sure where "handling" that information begins and ends.


Solution

  • PCI DSS was updated in 2014 (with requirements that became mandatory in Jan 2015) to deal with service mechanisms like that used by Stripe, in the form of a more stringent self-assessment questionnaire (SAQ A-EP v3), which is described as:

    New SAQ to address requirements applicable to e-commerce merchants with websites that do not themselves receive cardholder data but which do affect the security of the payment transaction and/or the integrity of the page that accepts the consumer’s cardholder data. Content aligns with PCI DSS v3.0 requirements and testing procedures.

    This makes it clear that compliance is required.
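The reason the form-serving application is in scope is the one the SAQ text names: it decides where the card data is posted and which scripts run on the page. An added example of the kind of integrity check a defender would run against that served page (this is not code from the question, the answer, or any PCI SSC material; the host names, the allowed script, and the two sample pages are constructed placeholders):

```python
"""Integrity check for a page that serves a card-entry form.

Added example: the application that serves the form controls the form's
action target and the scripts on the page, so a defender checks that the
served HTML still posts only to the PCI-compliant endpoint and loads only
known scripts. All host names and hashes are constructed placeholders.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions (constructed): the compliant application that actually
# receives card data, and the scripts the page is allowed to load.
ALLOWED_FORM_HOSTS = {"pay.example-compliant.test"}
ALLOWED_SCRIPT_SRC_HOSTS = {"js.example-compliant.test"}
ALLOWED_INLINE_SCRIPT_SHA256 = {
    # sha256 of the one inline script body expected on the page
    hashlib.sha256(b"document.getElementById('cc').focus();").hexdigest(),
}


class PaymentPageParser(HTMLParser):
    """Collects form actions, external script sources and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.form_actions = []
        self.script_srcs = []
        self.inline_scripts = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_actions.append(a.get("action") or "")
        elif tag == "script":
            if a.get("src"):
                self.script_srcs.append(a["src"])
            else:
                self._in_script = True
                self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.inline_scripts.append("".join(self._buf).strip())


def check_payment_page(html: str) -> list[str]:
    """Return a list of findings; an empty list means the page passes."""
    p = PaymentPageParser()
    p.feed(html)
    findings = []
    if not p.form_actions:
        findings.append("no form found on page")
    for action in p.form_actions:
        u = urlparse(action)
        if u.scheme != "https" or u.hostname not in ALLOWED_FORM_HOSTS:
            findings.append(f"form posts to unexpected target: {action!r}")
    for src in p.script_srcs:
        u = urlparse(src)
        if u.scheme != "https" or u.hostname not in ALLOWED_SCRIPT_SRC_HOSTS:
            findings.append(f"external script from unexpected host: {src!r}")
    for body in p.inline_scripts:
        digest = hashlib.sha256(body.encode()).hexdigest()
        if digest not in ALLOWED_INLINE_SCRIPT_SHA256:
            findings.append(f"inline script not on allowlist (sha256 {digest[:12]}...)")
    return findings


# Constructed sample pages: one as intended, one whose form target was
# changed and which loads an extra external script.
GOOD_PAGE = """<html><body>
<form action="https://pay.example-compliant.test/charge" method="post">
  <input id="cc" name="card_number"></form>
<script>document.getElementById('cc').focus();</script>
</body></html>"""

TAMPERED_PAGE = """<html><body>
<form action="https://collector.unknown.test/charge" method="post">
  <input id="cc" name="card_number"></form>
<script>document.getElementById('cc').focus();</script>
<script src="https://cdn.unknown.test/x.js"></script>
</body></html>"""

if __name__ == "__main__":
    print("good page findings:", check_payment_page(GOOD_PAGE))
    print("tampered page findings:", check_payment_page(TAMPERED_PAGE))
```

Run periodically against the page as actually served (not the template on disk), since a change to the form action or an added script is exactly what turns the "non-receiving" application into the point where card data is diverted; the findings list is what a monitoring job would alert on.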