It's just your standard XML posts. Any language with a library capable of doing https will be fine. I can't give you specific code because I implemented Authorize.net using the PHP API and not XML, but I know it can be done. My brother uses Unity 3D, which is more for 3D iPhone apps and less for interface sorts of apps, but even it has a WWW library.
In answer to your first question - if you don't store the credit card information, all transmissions to Authorize.net are secure, and you erase the credit card information from the phone after sending, then you're complying with PCI DSS. The only potential security flaw is if they can uncompile your app somehow and get the Authorize.net login ID and transaction key, but you could theoretically set up a web server as an intermediary - pass the credit card info to it, have it add the login ID and transaction key, transmit to Authorize.net, get a response back, pass that response back to the iPhone app. That way the app doesn't have the Authorize.net info. Also has the advantage of you being able to use the regular Authorize.net API's, since the transmission between the iPhone and your web server can be in any format you want, and the web server can run something like PHP that you probably won't have available on your phone.
That, now that I've thought about it, is probably a better way to go. Do you know anything about web programming?