I want to write an iPhone app that provides a common ordering interface for a number of disparate sites that do not have an ordering API. To ensure I can rapidly adapt to any changes in each site's ordering process without having to release a new version of the iPhone app, I need to build a service that serves as an ordering proxy.
The ordering proxy does not directly process credit card transactions. It only passes the transactions on to the various sites. To avoid keeping any credit card details on the central server, I want to have the iPhone app securely store the user's credit card data for future use.
You have multiple questions here, so let's address them one by one.
Now the proviso: If you allow the user to store his credit card data on the phone using your app, you are basically like a program that allows a user to store his passwords locally (on an iPhone, PC, Mac, whatever). There is an expectation on the part of the consumer that you will do so in a responsible and secure fashion, following industry best practices. If your application ever gets hacked, or it can be shown that sensitive credit card data fell into the wrong hands because of a bug in your program, you can expect some major lawsuits. Proceed cautiously and with full disclosure, so that people can't claim later that they had no idea you were storing their credit card data.
Further, you would be well advised to ensure that your iPhone app uses encryption and security at least as good as what PCI would require.
As a way of understanding the logic here: merchants are precluded from writing credit card numbers and names down on a piece of paper and tacking it to the wall of their office. PCI is designed to ensure merchants do the right thing. There is nothing, however, making it illegal for a consumer to do something stupid like writing his credit card number on a post-it note and sticking it on his computer at work. You are not a merchant, and are not providing software for merchants. You are more like the company that sells pens and post-it notes to consumers.
Definition by PCI Security Standards Council (SSC)
If you are developing applications to accept credit cards for processing (so your app connects to a service provider for processing) which you plan on selling to other merchants, then your application must pass PA-DSS. If you are developing an application for internal use only, then you are still required to complete PCI DSS.
I would recommend you check out the PCI Security Standards web site and look to see the level of compliance you must show based on their various requirements. I recommend that you use the words "store" and "submit" carefully, as these words can change your requirements for PCI.