PCI DSS and outsourcing: what US buyers should verify
A plain guide to PCI DSS when outsourcing work that touches payment data: what compliance covers, where responsibility sits, and what to verify before you sign.
Corpshore US · June 8, 2026
If a process touches cardholder data, PCI DSS applies, and outsourcing it does not move the obligation off your plate. The Payment Card Industry Data Security Standard sets the requirements for handling card data, and any partner that processes, stores or transmits it on your behalf has to meet them. Here is what to verify before you sign.
This article is general guidance, not legal or compliance advice. Confirm your specific obligations with a qualified assessor.
What PCI DSS covers
PCI DSS is the security standard that applies to organizations that handle payment card data. It covers how card data is stored, processed and transmitted, how access to it is controlled, and how systems that touch it are secured and monitored. When you outsource work that involves card data, the standard reaches the partner doing that work.
Responsibility does not transfer
This is the point buyers miss most. Outsourcing the work does not outsource the responsibility. If your partner mishandles card data, the exposure is still yours. That is why the standard expects you to manage your service providers, not just trust them. You remain accountable for the data even when someone else is handling it.
What to verify before you sign
Ask any prospective partner for evidence, not assurances. Confirm the scope of their PCI DSS compliance and that it covers the work you are handing them. Ask for current documentation of their compliance status. Understand exactly which requirements they take responsibility for and which remain yours, because the line between the two has to be explicit and agreed.
Ask how they control access to card data, how they segment and secure the systems that touch it, and how they would notify you of an incident. A partner ready for this work will answer clearly and produce the documentation. A partner that waves the questions away is telling you something.
Shared responsibility, written down
In any outsourced arrangement, some PCI DSS requirements sit with you, some with the partner, and the split has to be documented. A clear responsibility matrix, agreed in writing, prevents the dangerous gap where each side assumes the other has a control covered. Get this on paper before the work starts, not after an incident.
Keep it current
PCI DSS compliance is not a one-time certificate. It has to be maintained, and the standard itself evolves. Build periodic review into the relationship so the partner's compliance stays current and your documentation reflects how the work actually runs today.
Handled properly, outsourcing payment-adjacent work is routine. The mistake is treating compliance as the partner's problem alone. Verify it up front, write down who owns what, and keep it current, and you keep the protection that the standard exists to provide.