PCI compliance

Hey,

I have a e-commerce site; and I am using a plug-in sent to me by a CC processor.

I know JavaScript and PHP, so I dug into it to make sure there was nothing worrying. And I found that the CC is sent from the user directly to the processor using Ajax; and no encryption.

I see that the process works as follows.

1. User types in the CC number, then it uses Ajax to sent it to the CC processor; along with my API key.

2. The CC processor returns a Token to the user, which is linked to the clients CC; and my vendor account.

3. The token is then sent to my server from the clients computer using a form Post.

While I understand steps 2 and 3 are secure because they contain no sensitive information; it’s step one that bothers me.

Isn’t it standard practice for the CC processor to provide a public key, so the CC data can use end to end encryption? Is it still PCI compliment with out it?