You're in a grey area here from what I can tell and you may want to consult a QSA for the proper answer on it.
PCI is required for all merchants and has been for several years. If there are processors that are not requiring it, they're taking a fairly substantial risk because associations dumped liability for non-compliant level 4 merchants on them. You'll still find some as you suggested, but it is required, and most processors require their merchants to prove compliance or get compliant through whatever QSA they outsource to.
However, if I'm seeing this correctly you're not technically the merchant, so you may be subject to PA-DSS, which is an entirely different animal. Since you're providing the service in which your application will have access to full card information as it's entered by the merchant's customer, and the merchant or end-user doesn't have the ability to prove that the application is secure, you are tasked to prove compliance. A few years ago, you could use PABP (best-practices) and have a compliant application but as of now PA-DSS is required and is enforced by almost all processors.
On January 1, 2008, Visa implemented a series of mandates to eliminate the use of vulnerable payment applications from the Visa payment system. These mandates require acquirers to ensure that their merchants and agents do not use payment applications known to retain sensitive cardholder data (i.e. full magnetic stripe data, CVV2 or PIN data) and require the use of payment applications that are compliant to the PA-DSS.
Here's a guide on Visa's site: http://usa.visa.com/merchants/risk_management/cisp_payment_applications.html
Anyway, I would at least consult a QSA to see where you stand in all this. You could also talk to whatever processor you are working with. Most processors are less than proficient in understanding PCI, even though they're tasked with policing it, so a QSA is where I would start.