Yes, a 3DS entity may choose to outsource the hosting and management of its HSM infrastructure to a third-party service provider as long as all applicable requirements are met. The 3DS entity should work with their service provider to determine which requirements are covered by the service provider and which are covered by the 3DS entity. The 3DS entity remains ultimately responsible for ensuring that all applicable requirements regarding the hosting and management of HSMs are met. Please refer to the “Use of Third-Party Service Providers / Outsourcing” section in the PCI 3DS Core Security Standard for more information.
Article Number 1487