Which SAQ would apply to an online merchant that displays a PSP's payment page inside an IFRAME, with all page content from the PSP?

Multiple Choice

Explanation:
The key idea is that card data never touches the merchant’s environment here: the PSP hosts the payment page and handles all card data entry and processing. Loading the PSP’s payment page inside an IFRAME means the merchant’s site merely displays content from the PSP; the actual cardholder data (CHD) flows directly from the customer’s browser to the PSP, and the merchant does not store, process, or transmit that data. That minimal PCI scope aligns with SAQ A, which is for merchants that fully outsource cardholder data handling to a PCI DSS validated third-party payment processor and do not handle CHD themselves.

If the merchant were to host or process card data on its own systems, or if there were any direct handling or storage of CHD on the merchant’s side, another SAQ would be needed (for example, SAQ C or D). SAQ P2PE would apply only if a validated point-to-point encryption solution encrypted CHD at the point-of-interaction device so that the merchant’s environment never handles cleartext card data, which isn’t the scenario described, since the payment page is PSP-hosted within an IFRAME.
