1

I have a web form on which my customer enters his credit card details along with other info. I then send this data to my backend server. I save the non-sensitive information to my database. I DO NOT store the cc details but pass them over https to a 3rd side.

Do I expose my customers to any risks? Should I worry about PCI? What would be best practice to pass such details to a 3rd side?

Deer

2 Answers

3

As you're handling cardholder data, you're in scope for PCI and should be compliant.

Depending on the volume of cardholder data you're handling, you may be able to self-assess rather than require an on-site assessment by a QSA.

You should ensure you're receiving the card data over a secure HTTPS implementation, i.e., using TLS v1.1 or TLS v1.2. You can test this on ssllabs.com.

You should ensure the third party you're engaged with, and who is handling your customers' cardholder data, is PCI compliant.

In terms of other risks, you should ensure the web interface/form presented to the client has been developed using secure software development lifecycle processes. Also, review the PCI DSS as there are plenty of requirements to implement and security processes to adhere to.

AndyMac
1

@AndyMac is correct in all details, but just to be clear, according to the PCI DSS:

PCI DSS also applies to all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).

When you say "I DO NOT store the cc details but pass them over https to a 3rd side" you are describing the act of transmitting CHD, and that puts you in scope for PCI.

In fact, if you are accepting credit cards for payment, you are subject to PCI. The least possible amount of scope is to qualify for SAQ A-EP, which requires a solution such as iframes which will ensure card data goes directly to your processor and not to you. But even then, you still have 12 or so questions of SAQ A-EP to satisfy.

gowenfawr
  • Thank you for your answer, both of you. I want to avoid PCI, therefore I need to not pass the CHD through my server. Any service or a way I can use in order to deliver CHD to the 3rd side without being the data transmitter myself? – Deer Nov 29 '18 at 07:51
  • You can use a hosted payment page from a third party but this means a redirect so can be a challenge for the customer experience. You could also implement an API so the card details are transmitted from the browser to the Payment Service Provider without proxying through your web server. – AndyMac Nov 29 '18 at 14:58
  • @Deer updated answer; you are subject to PCI if you accept cards, period. You can minimize your requirements by using the correct Processor methods, but not escape them. – gowenfawr Nov 29 '18 at 15:36
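The two flows discussed in this thread, as an added example that is not code from the question or from either answer: the proxied flow from the question (browser sends the card to the merchant server, which forwards it to the processor) beside the browser-side tokenization flow AndyMac describes in the comments (browser sends the card to the Payment Service Provider directly and the merchant only ever receives a token). The hosts merchant.example and psp.example, the PSP's /v1/tokens endpoint and its JSON response are hypothetical, and the network is an in-memory stand-in so the example runs offline; the card number and order are constructed sample data.

```javascript
// Added example, not from the question or answers. Contrasts the proxied
// checkout from the question with browser-side tokenization. Hostnames, the
// PSP tokenization endpoint and its response shape are hypothetical.

// Constructed sample data for the demo only (not a real account number).
const SAMPLE_CARD = { pan: '4111111111111111', expiry: '12/29', cvv: '123' };
const SAMPLE_ORDER = { sku: 'WIDGET-1', amount: 1999, currency: 'EUR' };

// Fake network: records every request body per host so that, after a checkout,
// we can inspect exactly which party ever received the full card number (PAN).
function makeNetwork() {
  const seenBy = { 'merchant.example': [], 'psp.example': [] };
  const vault = new Map(); // PSP-side storage: token -> card data

  async function fetchImpl(url, { body }) {
    const host = new URL(url).host;
    const payload = JSON.parse(body);
    seenBy[host].push(payload);

    if (host === 'psp.example') {
      // Hypothetical PSP tokenization endpoint: swaps card data for an opaque token.
      const token = `tok_${vault.size + 1}`;
      vault.set(token, payload.card);
      return { ok: true, json: async () => ({ token, last4: payload.card.pan.slice(-4) }) };
    }
    if (host === 'merchant.example' && payload.card) {
      // Merchant endpoint as in the question: it forwards the card to the PSP.
      // The merchant has now transmitted CHD and is therefore in PCI scope.
      await fetchImpl('https://psp.example/v1/tokens', {
        method: 'POST',
        body: JSON.stringify({ card: payload.card }),
      });
      return { ok: true, json: async () => ({ orderId: `ord_${seenBy['merchant.example'].length}` }) };
    }
    if (host === 'merchant.example') {
      // Token-only endpoint: the merchant keeps the token and charges via the PSP later.
      return { ok: true, json: async () => ({ orderId: `ord_${seenBy['merchant.example'].length}` }) };
    }
    throw new Error(`unexpected host ${host}`);
  }
  return { fetchImpl, seenBy, vault };
}

// Flow from the question: browser -> merchant (card included) -> PSP.
async function proxiedCheckout(fetchImpl, order, card) {
  const res = await fetchImpl('https://merchant.example/checkout', {
    method: 'POST',
    body: JSON.stringify({ order, card }),
  });
  return res.json();
}

// Flow from the comments: browser -> PSP for a token, then browser -> merchant
// with the token and last four digits only. The merchant never receives the PAN.
async function tokenizedCheckout(fetchImpl, order, card) {
  const tokRes = await fetchImpl('https://psp.example/v1/tokens', {
    method: 'POST',
    body: JSON.stringify({ card }),
  });
  const { token, last4 } = await tokRes.json();
  const res = await fetchImpl('https://merchant.example/checkout', {
    method: 'POST',
    body: JSON.stringify({ order, paymentToken: token, last4 }),
  });
  return res.json();
}

// Did a given party ever receive the full PAN? Serialises everything it saw.
function sawPan(seenBy, host, pan) {
  return JSON.stringify(seenBy[host]).includes(pan);
}

// Runs both flows on fresh fake networks and reports who saw the card number.
async function compareFlows() {
  const proxied = makeNetwork();
  await proxiedCheckout(proxied.fetchImpl, SAMPLE_ORDER, SAMPLE_CARD);
  const tokenized = makeNetwork();
  await tokenizedCheckout(tokenized.fetchImpl, SAMPLE_ORDER, SAMPLE_CARD);
  return {
    proxiedMerchantSawPan: sawPan(proxied.seenBy, 'merchant.example', SAMPLE_CARD.pan),
    tokenizedMerchantSawPan: sawPan(tokenized.seenBy, 'merchant.example', SAMPLE_CARD.pan),
    tokenizedPspSawPan: sawPan(tokenized.seenBy, 'psp.example', SAMPLE_CARD.pan),
  };
}

compareFlows().then((result) => console.log(result));
```

In the proxied flow the merchant's request log contains the PAN, which is exactly the "transmit" condition gowenfawr quotes from the PCI DSS; in the tokenized flow only the PSP's log does. As gowenfawr's last comment notes, the second pattern reduces the merchant's requirements (the SAQ A-EP route mentioned in the answer) but does not remove them, since the merchant still serves the page that collects the card.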