Good points, but one thing I'll caution on. You can outsource the responsibility, but you can't outsource the ultimate accountability. Recognizing that you're not able to handle a particular task is a fine reason to outsource it, and this is a perfect example. But at the end of the day, you hired them.
Even with the best indemnification agreement, your wife's business will suffer to some degree if there's a breach. It is, after all, your wife's brand first and foremost. If she accidentally sells subpar yarn due to a screwup at her supplier, she can't completely wash her hands of the affair when customers complain. Same thing if your PCI vendor lets you down.