Anyone who stores, processes, or transmits credit cards is subject to some sort of certification with respect to PCI. Your customer's credit card information is being entered into an external website (whether by you or your customers) and as such, you, as the Merchant are ultimately responsible for ensuring the data is being handled safely. Fortunately, PCI has regulations in place that also extend to the companies that run these external websites (Service Providers) and they too must receive certification.

As you complete your PCI-DSS, the Self-Assessment Questionnaire (SAQ) should ask you whether you have validated that the Service Provider you chose is PCI Compliant. With an entirely hosted (SaaS-based) application, that would mean that they would have achieved their PCI-DSS Service Provider Level 1 or Level 2 certification. Level 1 certifications can be verified with Visa or MasterCard.

Level 2 Service Providers must submit their application through a Level 1 Service Provider to Visa and MasterCard, but should have some confirmation from either the Service Provider or Visa/MasterCard of their Service Level 2 certification and when it expires. As a Merchant, your decision to enlist the services of a Third-Party to store, process or transmit your customers' credit card data does not relieve you of the need to ensure that data is being handled pursuant to the PCI-DSS. The SAQ is the means by which the card brands ensure you remain engaged and are actively involved in ensuring the Service Provider receives/maintains their PCI certification.