I am a small merchant. Does PCI DSS apply to me?

PCI DSS applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers and service providers, as well as all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).

Does PCI DSS apply to an entity using a third-party service provider (TPSP)?

Yes. The use of a third-party service provider (TPSP) does not relieve the entity of ultimate responsibility for its own PCI DSS compliance, or exempt the entity from accountability and obligation for ensuring that its cardholder data (CHD) and cardholder data environment (CDE) are secure. However, the use of a third-party service provider may decrease the risk exposure and reduce the effort for validating and maintaining PCI DSS compliance.