There two things to debate here:
1) Do you need to be PCI Complaint if you are using a 3rd party payment processor
2) Is the 90 days requirement valid
If the answer to #1 is yes, the answer to #2 is yes as well. See requirement 8.5.9 here https://www.pcisecuritystandards.org/pdfs/pci_audit_procedures_v1-1.pdf
1 is less straight forward and it depends on the answer to:
Does your company handle credit cards directly?
The fact that you have a 3rd party processor does not necessarily imply that you do not deal with credit cards, even if they are not stored on your servers. If this processor provides a hosted payment page which does not reside on your domain you are probably OK. But if your site uses an API to process the cards, meaning card numbers are collected on your domain and then passed to the processor you are exposed to PCI requirements. You can reduce the PCI audit scope by proving that card numbers are not stored locally but you still need to answer all basic requirements.
Also, if you have phone, email or fax sales you are dealing with credit cards and thus exposed to PCI requirements.
And the bottom line is that if you deal with credit card numbers, in any way, and if users have access to the systems that deal with card numbers you will need to make sure that passwords are refreshed every 90 days.
Hope this makes sense.