What is the only type of cardholder data storage allowed for merchants under SAQ C?

Prepare for the PCI DSS Internal Security Assessor Test. Study with flashcards and detailed multiple choice questions, all featuring hints and explanations. Excel in your exam!

Under the Self-Assessment Questionnaire (SAQ) C for PCI DSS compliance, merchants are typically not allowed to store any cardholder data. This is because the SAQ C category is designed for merchants with payment applications that are connected to the internet but do not store cardholder data.

The primary focus of SAQ C is to ensure that credit card transactions are secure while minimizing the risk of data breaches. By prohibiting cardholder data storage, the potential for data theft and exposure is significantly reduced. Merchants are encouraged to implement secure payment methods and rely on third-party processors for payment information without retaining sensitive data.

The other options, while they might represent scenarios where some form of cardholder data storage is present, do not align with the requirements of SAQ C. For example, encrypted cardholder data, while secure, still qualifies as storage and thus does not meet the requirement that no cardholder data be stored. Similarly, storing cardholder data on paper or storing partially masked cardholder data is also not permitted under SAQ C. The strict requirement of no cardholder data storage is crucial for maintaining compliance and enhancing security for merchants under this specific SAQ version.
