Yes. By just using a third-party company, does not exclude a company from PCI compliance. It may cut down on their risk exposure and consequently reduce the effort to validate compliance.