Which SAQ applies to an online merchant with a payment page that accepts cardholder data, but transmits the data to a PCI DSS compliant service provider?


Multiple Choice

Which SAQ applies to an online merchant with a payment page that accepts cardholder data, but transmits the data to a PCI DSS compliant service provider?

Explanation:
Understanding how cardholder data flows determines which SAQ applies. If the online merchant’s site collects card data on its payment page but the actual processing is handled by a PCI DSS–compliant service provider, the data touches the merchant’s environment during entry even though it’s processed elsewhere. In this setup, the appropriate questionnaire is the SAQ A-EP, which covers e-commerce merchants who have a payment page on their site and rely on a third-party processor to complete the transaction. The merchant must ensure the integration is secure, that card data is not stored on their systems, and that handoff to the processor is done through a PCI-compliant path.

SAQ A would be for situations where the merchant does not touch card data at all on their systems, which isn’t the case here. SAQ B-IP and SAQ C describe different deployment patterns where card data handling, storage, or processing occurs in contexts not matching this scenario.
