Merchants using only web-based virtual terminals that do not store cardholder data should comply with which SAQ?


Merchants utilizing web-based virtual terminals and not storing cardholder data are categorized under a specific self-assessment questionnaire known as SAQ C-VT. This SAQ is designed for merchants that only conduct card-not-present transactions through virtual terminals and do not maintain any electronic storage of cardholder data.

The key factor leading to the use of SAQ C-VT is the nature of the transactions and the environment in which they occur. By using a virtual terminal solution that processes payments in a secure manner without retaining sensitive cardholder information, these merchants fulfill specific PCI DSS requirements that focus on cardholder data protection while minimizing compliance burden.

SAQ C is intended for merchants that process cardholder data through payment applications on secure systems but might store cardholder data in a limited capacity. Meanwhile, SAQ A-EP applies to e-commerce merchants that receive cardholder data but route transactions through a third-party service provider, which is not applicable here.

SAQ D, on the other hand, is a more comprehensive self-assessment questionnaire aimed at merchants who do store cardholder data or have a more complex card processing environment involving multiple payment channels.

Therefore, the appropriate choice for merchants using only web-based virtual terminals that do not store cardholder data is SAQ C-VT.
