Which SAQ type involves merchants with all payment operations handled by an external service provider?

Prepare for the PCI DSS Internal Security Assessor Test. Study with flashcards and detailed multiple choice questions, all featuring hints and explanations. Excel in your exam!

SAQ A is specifically designed for merchants who outsource all their payment processing operations to external service providers. This means that these merchants do not store, process, or transmit cardholder data on their own systems or premises, thereby significantly reducing their scope of PCI DSS compliance obligations. Merchants qualifying for SAQ A are typically those that use fully hosted payment solutions, where the service provider manages the entire transaction process, ensuring that sensitive cardholder information is not within the merchant's environment.

The other options represent different scenarios of cardholder data handling. SAQ P2PE applies to merchants using point-to-point encryption (P2PE) solutions and still handling some PCI-related responsibilities. SAQ C-VT is intended for merchants who manually enter cardholder data into a virtual terminal on a protected server. SAQ D is for merchants not eligible for any of the other SAQ types, often involving more complex operations and higher responsibilities concerning cardholder data security.
