Complete 3rd Party Outsourcing
jonassono
01-29-2009, 07:57 AM
Does anyone have experience with a very large merchant completely outsourcing their transaction processing in order to avoid the pain, cost and complexity of PCI compliance.
jbhall56
01-30-2009, 04:40 AM
Yes. What is your question?
wconway
01-30-2009, 07:52 AM
What is "very large"?
jonassono
02-02-2009, 09:34 AM
My question is: 'Does this, or can this, outsourcing completely exempt the company from PCI-DSS compliance?' In other words, transfer all of the compliance cost and complexity to the 3rd party outsourcer and thereby eliminate the need for any form of PCI-DSS compliance and reporting.
jonassono
02-02-2009, 09:38 AM
Very large = $1.5B in revenue and 65 DBAs or subsidiaries.
jbhall56
02-03-2009, 05:17 AM
My question is: 'Does this, or can this, outsourcing completely exempt the company from PCI-DSS compliance?' In other words, transfer all of the compliance cost and complexity to the 3rd party outsourcer and thereby eliminate the need for any form of PCI-DSS compliance and reporting.
To a certain extent, yes it can.
However, you cannot outsource everything. For example, the processing of disputes and chargebacks will likely remain in-house. So, there will be some business processes that will be in scope for PCI even though the majority of the technological part of PCI is outsourced.
The bottom line is that while people think the PCI DSS is only focused on the electronic processing, storage and transmitting of cardholder data (CHD), it also involves all of the manual processing, storing and transmitting of CHD. So all of those reports, manual charge slips and other paper based records that hold CHD are also covered under the PCI DSS and need to be protected as well as being assessed.
wconway
02-03-2009, 07:27 AM
My question is: 'Does this, or can this, outsourcing completely exempt the company from PCI-DSS compliance?' In other words, transfer all of the compliance cost and complexity to the 3rd party outsourcer and thereby eliminate the need for any form of PCI-DSS compliance and reporting.
The only way is when that 3rd party is the merchant. That is, the 3rd party takes the card payments and separately sends you a payment at the end of the week/month. In this situation, you would not be a merchant (the 3rd party is) and since you do not store, process, or transmit any payment data, you are not subject to PCI. Having said this, I am not a fan of this approach and would not recommend it: you lose the customer relationship and risk your brand by putting it in the hands of the 3rd party. However, it can be done.
cmark
02-05-2009, 07:33 AM
This is a trend that is increasing in popularity and quite frankly, is a very sound approach. A top-5 merchant ($30 billion+) has outsourced every aspect of their payment process with great success.
It cannot 'exempt' a merchant from compliance but can significantly reduce the requirements. Remember the requirements only apply if CHD is stored, transmitted, or processed. By removing the data the requirements are largely removed. In the best case scenario, the company simply has to ensure they are in compliance with requirement 12.8 (Contracts) and that is it.
In most cases, the burden of compliance will fall somewhere between 100% of requirements applying and 1%, but saving yourself from some is better than none at all.