It is clear from various discussions that if I accept the credit card on my site and call Paypal API to pass the CC to Paypal, I have to be PCI compliant as well.
In our solution, the user uses forms on our web page to submit credit card information. We then take this credit card information, send it to Paypal, and receive an ID from Paypal that we can store in the database. In future transactions, the user does not need to enter the credit card information again. We simply send that ID to Paypal in place of the credit card information.
To avoid the PCI nightmare, we want to rely on Paypal tools/widgets to collect this credit card information in a way that we simply receive the corresponding IDs. The question is, does Paypal have such a widget? What are my options?
Your site will still need to undergo PCI compliance, either with a SAQ A or SAQ A-EP, depending on how the application sends the data to Paypal.
Per the PCI Council:
SAQ A: All elements of the payment page(s) delivered to the consumer’s browser originate only and directly from a PCI DSS validated third-party service provider(s)
SAQ A-EP: Each element of the payment page(s) delivered to the consumer’s browser originates from either the merchant’s website or a PCI DSS compliant service provider(s)
Overall, the concern is to ensure that the site that is performing the redirect is secure. There is a chance that the site is modified so that the iFrame, direct POST, or other means could be sent to a malicious site.
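One defensive check for the concern in the answer above (a modified merchant page sending the iframe or form POST somewhere other than the payment provider) is to restrict those destinations with a Content-Security-Policy and to audit the rendered checkout page against the same allowlist. The following is an added example, not code from the question, the answer or Paypal; the origins `https://shop.example` and `https://www.paypal.com`, the sample HTML and the `evil.example` address are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed example values: the merchant's own origin and the origins allowed
# to host the payment iframe or receive the card-data POST.
SELF_ORIGIN = "https://shop.example"
PAYMENT_ORIGINS = {"https://www.paypal.com"}


def build_csp(self_origin, payment_origins):
    """Build a CSP header value: forms may only post to the merchant or the
    payment provider, and only the payment provider may be framed or supply scripts."""
    allowed = " ".join(sorted(payment_origins))
    return (
        "default-src 'self'; "
        f"form-action {allowed} {self_origin}; "
        f"frame-src {allowed}; "
        f"script-src 'self' {allowed}"
    )


class PaymentPageAuditor(HTMLParser):
    """Collect every form action and iframe src found on a checkout page."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form" and attrs.get("action"):
            self.targets.append(("form", attrs["action"]))
        elif tag == "iframe" and attrs.get("src"):
            self.targets.append(("iframe", attrs["src"]))


def origin_of(url, self_origin):
    """Return scheme://host[:port] of a URL; relative URLs belong to the merchant site."""
    parts = urlsplit(url)
    if not parts.scheme:
        return self_origin
    return f"{parts.scheme}://{parts.netloc}"


def audit_payment_page(html, self_origin=SELF_ORIGIN, payment_origins=PAYMENT_ORIGINS):
    """Return the (kind, url) pairs whose origin is neither the merchant site
    nor an allowed payment provider; an empty list means the page is clean."""
    auditor = PaymentPageAuditor()
    auditor.feed(html)
    allowed = set(payment_origins) | {self_origin}
    return [(kind, url) for kind, url in auditor.targets
            if origin_of(url, self_origin) not in allowed]


# Constructed sample pages: a clean checkout page and the same page with an
# extra form whose action points outside the allowlist.
CLEAN_PAGE = (
    '<form action="/checkout" method="post"></form>'
    '<iframe src="https://www.paypal.com/hosted-fields"></iframe>'
)
TAMPERED_PAGE = CLEAN_PAGE + '<form action="https://evil.example/collect"></form>'

if __name__ == "__main__":
    print(build_csp(SELF_ORIGIN, PAYMENT_ORIGINS))
    print("clean page findings:", audit_payment_page(CLEAN_PAGE))
    print("tampered page findings:", audit_payment_page(TAMPERED_PAGE))
```

The CSP is enforced by the browser at request time, so it also blocks a destination that was injected after the page was audited; the audit function is useful in a deployment pipeline or a periodic integrity check of the live checkout page. Note that a strict `form-action` also blocks legitimate posts to any origin you forgot to list, so the allowlist must cover every provider endpoint the page actually uses.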