What is the requirement for merchants categorized as SAQ-A?

Merchants categorized as SAQ-A, or Self-Assessment Questionnaire A, are required to fully outsource all cardholder data functions. This means that they do not store, process, or transmit any cardholder data on their own systems or servers. Instead, they rely entirely on third-party service providers to handle all aspects of payment processing in a way that meets the security requirements outlined by the Payment Card Industry Data Security Standard (PCI DSS).

This arrangement significantly reduces the security risks associated with handling cardholder data, as these merchants are not directly involved in storing or managing sensitive payment information. By outsourcing these functions, they can focus on managing their business without the complexity and potential liabilities that come from processing cardholder data internally.

The requirements in the other choices do not align with the SAQ-A merchant level. For example, storing cardholder data electronically would directly contradict the requirements of SAQ-A by indicating that the merchant is handling sensitive information themselves. Similarly, having a website that receives cardholder data implies that the merchant is involved in the processing aspect, which is not permitted under SAQ-A guidelines. Finally, maintaining their own payment processing system goes against the fundamental premise of SAQ-A, which is to offload those responsibilities to certified third-party providers