PCI DSS 4.0 allows merchants to use third-party services but holds them fully responsible for any security risks. Effective March 31, 2025, this standard mandates rigorous evaluations of third-party vendors and regular compliance checks. Merchants must implement controls like network segmentation and encryption to mitigate risks but ultimately cannot outsource liability for data breaches. The choice remains: outsource with due diligence or manage security in-house.
https://www.tripwire.com/state-of-security/latest-pci-dss-standards-use-third-parties-your-own-risk