Which SAQ applies to an online merchant that displays a PCI DSS compliant service provider's payment page in an IFRAME, with all page content coming from the PSP?

Multiple Choice

Explanation:

The key point is that cardholder data (CHD) never touches the merchant's own systems when payment processing is fully outsourced to a PCI DSS validated third party. If the merchant's checkout page only embeds the PSP's hosted payment page in an IFRAME, and every element of that payment page (the form, its scripts, its styling) is delivered from the PSP's own origin, then card entry, transmission, and processing all happen inside the PSP's environment. The merchant's environment does not store, process, or transmit CHD, so the shortest SAQ applies.

In this scenario the correct choice is SAQ A. The merchant's role is limited to displaying and integrating the PSP's page; it never handles card data directly. SAQ A is not a blank cheque, though: the merchant must still confirm that the PSP is PCI DSS compliant and manage that third-party relationship (Requirement 12.8), and should check the SAQ A eligibility criteria and requirement list for the PCI DSS version in force, since both have been revised between versions. The merchant's page also has to keep delivering only the IFRAME: as soon as merchant-served JavaScript can read, write, or redirect the card fields, the merchant's site can affect the security of the payment transaction and SAQ A no longer fits.

Why the other options do not fit: SAQ A-EP is for e-commerce merchants whose website does not itself receive CHD but controls how cardholders or their CHD are sent to the PSP, for example a merchant-hosted form that posts directly to the PSP, or merchant JavaScript that submits the card fields; because the merchant's page can affect the transaction, additional controls apply. SAQ P2PE is for merchants using a PCI-listed P2PE solution, where card data is encrypted in the payment terminal and decrypted only within the solution provider's secure decryption environment; it involves hardware terminals, not a web page. SAQ B covers merchants using only imprint machines or standalone dial-out terminals with no electronic cardholder data storage, a card-present setup rather than an online-only flow.
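The practical question behind this answer is "where does the card data get typed in?" The following is an added example, not code from the original page or from the PCI SSC: a small heuristic that inspects a checkout page's HTML and reports whether card fields live only inside a PSP-served IFRAME (the SAQ A pattern), in merchant-rendered fields that go straight to the PSP (the SAQ A-EP pattern), or in a form that posts to the merchant (CHD transits merchant systems, so neither applies). The PSP origin `https://pay.example-psp.com`, the merchant origin `https://shop.example.com`, the field-name patterns, and all three sample pages are constructed assumptions; the real eligibility decision rests on the current SAQ eligibility criteria and the acquirer, not on this script.

```javascript
// Added example, not from the original page. Heuristic check of where a
// checkout page collects card data. Origins and sample HTML are constructed.
const PSP_ORIGIN = "https://pay.example-psp.com";        // assumed PSP origin
const MERCHANT_BASE = "https://shop.example.com/";       // assumed merchant origin, resolves relative URLs

// Attribute values that mark a card-data field rendered in the merchant's own DOM.
const CARD_FIELD_RE =
  /\b(?:name|id|autocomplete)\s*=\s*["']?(?:cc-number|card[-_]?number|pan|cvv|cvc|cc-csc|cc-exp|expiry)\b/i;

// Return every opening tag of the given name, e.g. '<iframe src="...">'.
function extractTags(html, tag) {
  return html.match(new RegExp(`<${tag}\\b[^>]*>`, "gi")) || [];
}

// Read one quoted attribute from an opening tag; null if absent.
function attr(tagText, name) {
  const m = tagText.match(new RegExp(`\\b${name}\\s*=\\s*["']([^"']*)["']`, "i"));
  return m ? m[1] : null;
}

// True when a (possibly relative) URL resolves to the PSP's origin.
function isPspUrl(u) {
  try {
    return new URL(u, MERCHANT_BASE).origin === PSP_ORIGIN;
  } catch {
    return false;
  }
}

function classifyCheckout(html) {
  const pspIframes = extractTags(html, "iframe")
    .map(t => attr(t, "src"))
    .filter(src => src && isPspUrl(src));

  // Whole <form>...</form> blocks, so fields can be tied to their action URL.
  const forms = html.match(/<form\b[^>]*>[\s\S]*?<\/form>/gi) || [];
  const cardForms = forms.filter(f => CARD_FIELD_RE.test(f));
  const outsideForms = forms.reduce((h, f) => h.replace(f, ""), html);
  const looseCardFields = CARD_FIELD_RE.test(outsideForms); // JS-driven tokenisation, no <form>

  if (cardForms.length === 0 && !looseCardFields) {
    return pspIframes.length > 0
      ? { candidate: "SAQ A", reason: "no card fields in merchant DOM; payment form is the PSP-served iframe" }
      : { candidate: "undetermined", reason: "no card fields and no PSP iframe found" };
  }

  // A card form with no action, or an action on the merchant's origin, sends CHD to the merchant.
  const toMerchant = cardForms.filter(f => !isPspUrl(attr(f.match(/<form\b[^>]*>/i)[0], "action") || ""));
  if (toMerchant.length > 0) {
    return { candidate: "SAQ D", reason: "card fields post to the merchant; CHD transits merchant systems" };
  }
  return { candidate: "SAQ A-EP", reason: "merchant page renders card fields sent straight to the PSP" };
}

// Constructed sample pages (not taken from any real merchant or PSP).
const IFRAME_EMBED = `
<form action="/checkout/address" method="post">
  <input name="postal_code"><button>Continue</button>
</form>
<iframe src="https://pay.example-psp.com/hosted-form?session=abc123"></iframe>`;

const DIRECT_POST = `
<form action="https://pay.example-psp.com/direct-post" method="post">
  <input name="card-number"><input name="cvv">
</form>`;

const MERCHANT_FORM = `
<form action="/checkout/pay" method="post">
  <input name="card-number"><input name="cvv">
</form>`;

for (const [label, page] of Object.entries({ IFRAME_EMBED, DIRECT_POST, MERCHANT_FORM })) {
  console.log(label, "->", classifyCheckout(page));
}
```

The heuristic is deliberately conservative: a card form with no `action` is treated as posting to the merchant, and card inputs found outside any form are assumed to be handled by merchant JavaScript, which is exactly the "merchant site can affect CHD" situation that pushes a page from SAQ A to SAQ A-EP.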
