Which Self-Assessment Questionnaire (SAQ) is applicable to merchants using only web-based virtual payment terminals?

Prepare for the PCI DSS QSA Exam with detailed quiz questions. Sharpen your understanding with multiple choice questions, each curated to enhance your readiness for the official test. Ace your certification!

The Self-Assessment Questionnaire (SAQ) that is applicable to merchants using only web-based virtual payment terminals is SAQ C. This questionnaire is specifically designed for merchants who manually enter cardholder data through a virtual terminal and ensure that their systems are configured to protect payment card data.

SAQ C acknowledges that the merchant may have a website, but it is primarily concerned with card-present transactions that occur in online environments where the card data is processed through a secure payment gateway as opposed to being stored on the merchant's server. This categorization is vital for assessing the PCI DSS compliance requirements based on various transaction processing techniques used by different types of merchants.

In contrast, other SAQs have different scopes. For instance, SAQ A is for merchants that do not store, process, or transmit cardholder data but rely fully on third-party payment processors. SAQ B is intended for merchants using standalone, dial-out terminals. SAQ D encompasses all merchants not included in the other SAQs and requires a comprehensive review of both security measures and organizational procedures. Understanding these distinctions helps merchants identify the appropriate compliance pathway based on their specific transaction processing methods.
