Q: Do organizations using third-party processors have to be PCI compliant?
A: Yes. Merely using a third-party company does not exclude a company from PCI compliance. It may cut down on their risk exposure and consequently reduce the effort to validate compliance. However, it does not mean they can ignore PCI.
- PCI Guide, Frequently Asked Questions
Many small businesses are operating under the mistaken belief that they can safely disregard PCI compliance if they use a third party to process payment card transactions. Although some exposure may be transferred to the third party, it is rare for all risks to transfer. Merchants are still responsible for meeting compliance standards within their own sphere of operations. The contract between the merchant and the third-party processor should detail exactly who is responsible for which risks.