Does the application store, transmit or process cardholder data? 
Does the application have access controls and authentication mechanism?
Are full credit card numbers or the credit card account numbers displayed to the users ?
Are Card Holder name, PAN, Expiration date or service code stored in the the database or any form of data storage?
Is any of this data stored in clear text long term, including backups of this data? 
Is any of this data transmitted in clear text, internally or externally? Internet traffic is especially dangerous.
Do you share any card holder data with other applications or web services in the same network?
Does the application have any form of debug log system?