An online merchant transmitting cardholder data to a PCI DSS-compliant service provider falls under which SAQ?


The correct choice is SAQ A-EP. This Self-Assessment Questionnaire is intended for e-commerce merchants that partially outsource their payment channel to PCI DSS validated third-party service providers: the merchant's own systems do not electronically store, process, or transmit cardholder data, but the merchant's website still affects the security of the payment transaction, for example because it serves the page or script that collects the card data and sends it from the customer's browser directly to the service provider (a "direct post" or JavaScript-based integration rather than a full hand-off).

In other words, SAQ A-EP covers merchants that rely on an external provider for the actual payment processing yet still control part of the transaction flow on their own website, so a compromise of their web server could be used to alter or redirect where the customer's card data goes. For that reason A-EP contains far more requirements than SAQ A: the merchant's web-facing systems and the systems that support them are in scope, even though no cardholder data is meant to pass through them.

Of the other options, SAQ D applies to merchants whose own systems electronically store, process, or transmit cardholder data, and to any merchant that does not meet the eligibility criteria of another SAQ; it would be the right choice if the merchant's web server itself received or forwarded the card data rather than the customer's browser sending it straight to the provider. SAQ P2PE applies to merchants using a PCI-listed point-to-point encryption solution with hardware payment terminals, which is not an e-commerce channel. SAQ A applies to merchants that fully outsource all cardholder data functions to PCI DSS validated third parties, where the merchant's website does not receive cardholder data and every element of the payment page delivered to the customer's browser comes from the service provider (a full redirect or provider-hosted iframe). Because the merchant in this question integrates the payment step into its own site rather than handing the customer off entirely, SAQ A is not available and SAQ A-EP is the best fit. In practice, which SAQ a merchant may use is confirmed with its acquirer or the relevant payment brand.
