PCI audit and 3rd Party hosted software.

A local Y is having a hard time filling out a PCI survey.

Virtually everything except for local document editing (MS Office...) is
externally web hosted by a 3rd party. Their plain Jane web site is
hosted by another commercial hosting company. And ADP is their
payroll/time card web site. Even before they switched to web based I put
them behind a business class firewall. :-)

The survey is asking for their IP/Subnet, load balancer configuration
and approval to have their domain, IP and network blocks scanned. I can
see having their IP scanned since they connect FROM it to the 3rd party
site to enter credit cards into the database and initiate transaction
that are handled by the 3rd party's servers. The domain (external web
hosting using Drupal) only has links to the 3rd party's site for
customers to perform selected functions.

I contend that the 3rd party's Domain, load balancers and IP/Subnet
should be included as that is where the credit card information is
stored and all transactions originate from. However, the 3rd party
contends they have nothing to do with the PCI survey and the Y is the
only thing covered by the survey.

They should pass this step. If nothing else I would like to see the 3rd
party receive the same PCI scrutiny to protect the Y.

Is this normal or is there some form missing to let the Credit Card
auditors know that they need to be looking wider then just the local Y?
Don't 3rd party handlers of credit card information directly full under
PCI instead under their customers without any direct control?

Roger Vicker, CCP