Which Self-Assessment Questionnaire (SAQ) type is applicable to merchants with segmented payment application systems connected to the Internet?


The Self-Assessment Questionnaire (SAQ) applicable to merchants with segmented payment application systems connected to the Internet is SAQ C, the questionnaire that focuses on the security requirements relevant to that scenario.

Merchants whose payment activities are isolated from their main networks may use this SAQ, since it accounts for that segmentation and the different levels of security controls it implies. SAQ C is designed for merchants that process cardholder data but keep it on systems that are out of scope for the Payment Card Industry Data Security Standard (PCI DSS) requirements, provided those systems are properly segmented. In other words, the merchant does handle cardholder data but has established adequate isolation to minimize its security exposure.

Other SAQs, such as SAQ A, are structured for merchants that fully outsource their payment processing to a third party and therefore store or transmit no cardholder data themselves. SAQ D is the comprehensive questionnaire for merchants that do not fit any other category, which is too broad for this specific case involving segmentation. SAQ P2PE is tailored to merchants using validated Point-to-Point Encryption solutions, which the question does not mention.

Thus, choosing SAQ C aligns well with the situation where there is segmentation of
