PCI stands for Payment Card Industry. The PCI Security Standards Council (PCI SSC) is an independent body that was created by the major payment card brands (Visa, MasterCard, American Express). It manages and administers the Payment Card Industry Data Security Standard (PCI DSS), a set of security standards designed to ensure that ALL merchants who process, store or transmit payment card information maintain a secure environment. However, it is important to note that the payment brands and acquirers are responsible for enforcing compliance, not the PCI SSC.
The PCI DSS applies to all merchants who accept, transmit or store any cardholder data regardless of size or number of transactions.
Yes. Merely using a third-party service provider does not exclude a merchant from PCI DSS compliance. It may cut down on their risk exposure and consequently reduce the effort to validate compliance. However, it does not mean they can ignore the PCI DSS.