Merchants who have all payment functions outsourced to a compliant service provider are required to complete which SAQ?

Merchants who have fully outsourced all payment functions to a compliant service provider typically complete SAQ A. This Self-Assessment Questionnaire is specifically designed for merchants who do not store, process, or transmit any cardholder data on their own systems or premises. Instead, they rely entirely on a third-party service provider to handle these functions securely.

SAQ A recognizes the reduced risk associated with this level of outsourcing, as the merchant is not engaged in any activities that would expose them to cardholder data. Therefore, it requires less validation and is less complex than other SAQs.

Choosing SAQ A indicates that the merchant has taken the necessary steps to ensure that their payment processing is compliant without requiring in-depth self-assessment due to their reliance on a compliant service provider. Other SAQs, such as SAQ C and SAQ D, would apply to merchants who do store or process cardholder data, which is not the case here.