Which SAQ should a merchant use if they rely on a PCI DSS compliant service provider's hosted payment page and do not store cardholder data?

Multiple Choice

Which SAQ should a merchant use if they rely on a PCI DSS compliant service provider's hosted payment page and do not store cardholder data?

Explanation:
When card data could flow through the merchant’s online environment, you must choose the SAQ that addresses that shared scope. If you rely on a payment page hosted by a PCI DSS–compliant service provider but this page is integrated into the merchant’s website (for example, embedded or loaded in a way that the merchant’s site participates in the checkout flow), card data may be entered or touched within the merchant’s environment. In that case, the appropriate self-assessment questionnaire is the one designed for e-commerce setups where the hosted payment page is within the merchant’s domain or integration, addressing the applicable PCI scope for that scenario. This is why that option is the best fit.

SAQ A would apply only if the customer is redirected entirely off the merchant’s site to the provider’s page with no card data entering the merchant’s environment. SAQ P2PE is for point-to-point encryption where the merchant never handles unencrypted PAN, and SAQ B-IP is for certain POS/terminal scenarios, not typical for a hosted online checkout.
