What SAQ applies to merchants with segmented payment application systems connected to the internet?


The correct selection is SAQ C, which is specifically designed for merchants with internet-connected payment application systems that are segmented from other parts of the merchant's network. This segmentation is crucial because it allows for a focused approach to securing cardholder data while still maintaining the integrity of the broader network.

SAQ C requires merchants to implement robust security controls relevant to the payment applications, such as ensuring that only necessary services are allowed, maintaining secure configurations, and conducting regular vulnerability scans. Merchants eligible for SAQ C typically do not store cardholder data after authorization and are expected to use strong security protocols to protect transmitted data.

In contrast, other self-assessment questionnaires cater to different scenarios. For instance, SAQ B is intended for merchants using standalone terminals that do not connect to a network, while SAQ D applies to all other merchants that do not qualify for other SAQs and generally have more extensive security requirements. SAQ P2PE is for merchants utilizing a validated point-to-point encryption solution to completely protect cardholder data. Thus, SAQ C specifically addresses merchants that maintain segmented payment systems connected to the internet, ensuring that appropriate security measures are implemented.
