A merchant with only card-present dial-out terminals should adhere to which SAQ type?

The correct answer is SAQ B. This Self-Assessment Questionnaire (SAQ) is specifically designed for merchants that only have card-present transactions through standalone, dial-out terminals. These terminals typically do not store cardholder data and are directly connected to the payment processor via a phone line, which further reduces the risk associated with storing sensitive data.

SAQ B is tailored for environments where the cardholder data is processed securely and without the need for additional systems or networks involved in handling sensitive payment information. This means that the merchant complies with PCI DSS requirements that are appropriate for such a limited scope and have fewer complexities concerning networks or systems storing cardholder data.

Other SAQ types, such as SAQ A, SAQ C, and SAQ D, address different scenarios or merchant environments. For instance, SAQ A is for merchants that do not store, process, or transmit cardholder data but might use third-party service providers, while SAQ C is for those that handle card data through payment applications connected to the internet. SAQ D is the most comprehensive and is applicable to businesses that do not fit into one of the other categories and may have more complex environments or processes related to cardholder information.

By aligning with SAQ B, the merchant