Which SAQ type is designated for all merchants not covered by the other SAQ types?

SAQ D is designated for all merchants not covered by the other types of Self-Assessment Questionnaires (SAQs). This SAQ is comprehensive and applies to merchants who store, process, or transmit cardholder data in ways that do not fit the criteria for the other SAQ types. Merchants falling under SAQ D may handle a range of payment scenarios and have a higher level of risk associated with their payment processes or systems.

This option is intended for businesses that have complex payment environments or use various payment acceptance methods that do not align with the specific qualifications set out for SAQ A, B, or C. Ensuring that the most comprehensive set of controls is applied to these merchants helps maintain a robust security posture, protecting cardholder data effectively.

The other SAQ types have specific eligibility requirements pertaining to how card data is handled, such as only accepting payments through the web or standalone payment terminals. Merchants that do not meet those criteria yet still process payment information must use SAQ D to ensure compliance with PCI DSS.