If a merchant or service provider does not store cardholder data, the PCI requirements still apply to the environment that transmits or processes cardholder data.