I have a payment processing client that runs exclusively on the desktop. The operator enters payment data and clicks a button and my app sends the data off to a payment gateway via a secure channel. My app never stores sensitive payment data, although it does encrypt and save the merchant's gateway login info.

Am I in scope? If I am, why are web browsers out of scope when they perform the exact same function in the same way?

ATL_DEV

2 Answers

If the operator keys in a credit card number then yes; your software both accepts & transmits cardholder data, so it, the machine running it & any network(s) it's attached to are all in scope of PCI and so must be compliant.

Q: To whom does PCI apply?
A: PCI applies to ALL organizations or merchants, regardless of size or number of transactions, that accept, transmit or store any cardholder data. Said another way, if any customer of that organization ever pays the merchant directly using a credit card or debit card, then the PCI DSS requirements apply.

Browsers are not in scope only when the person using one to enter card details is the owner of the card & not a 3rd party merchant. PCI only applies to merchants & other processing entities, not the customers of the issuing card schemes.

Alex K.
  • So what about the case where the operator places an order on behalf of the customer using a web browser? Many customers use their eCommerce system for phone orders. – ATL_DEV Dec 15 '11 at 18:25
  • As I see it the operator is employed by a merchant, the merchant has PCI obligations to the card issuers & since the operator is accepting card data it all falls under PCI scope. Take a look at http://security.stackexchange.com/questions/2922/why-doesnt-the-clients-web-browser-need-to-be-pci-compliant – Alex K. Dec 15 '11 at 18:34
  • I'm still left scratching my head here. I think I should have asked whether my application is in scope for PA-DSS certification. I've been told by certifiers that I do, but the more I think about it, I don't. – ATL_DEV Dec 16 '11 at 02:38

Your app handles card numbers and is involved in the authorisation and/or settlement of card transactions. If you are providing it as off-the-shelf software it is in scope for PA-DSS.

The organisation that installs your app and runs it in their environment is in scope for PCI-DSS.

dfbpdave