MO/TO merchant with all payment functions outsourced to a compliant provider should use which SAQ?


Multiple Choice

MO/TO merchant with all payment functions outsourced to a compliant provider should use which SAQ?

Explanation:
Scope and outsourcing determine which SAQ applies. If a mail order/telephone order merchant has moved all card data handling to a PCI DSS-compliant service provider and does not store, process, or transmit cardholder data (CHD) on their own systems or premises, their PCI assessment is covered by SAQ A. This SAQ is designed for merchants whose entire card data environment resides with a compliant provider, leaving only minimal, non-CHD tasks for the merchant.

In this scenario, the merchant's environment never touches CHD, so SAQ A is the appropriate choice. The other options fit different setups: SAQ A-EP is for e-commerce sites where the merchant's site can affect the CHD environment and requires additional controls; SAQ C-VT applies when card data is entered through a PSP's hosted virtual terminal; SAQ D covers more complex or ineligible environments.

