Which merchant category does not allow for electronic transmission of cardholder data?

The choice indicating that “SAQ-A” is the correct answer aligns with the understanding of the Self-Assessment Questionnaire (SAQ) categories established by the Payment Card Industry Data Security Standard (PCI DSS). SAQ-A is specifically designed for merchants who accept card-not-present transactions exclusively and do not store, process, or transmit cardholder data on the merchant's systems or premises.

As a result, merchants in this category typically use a third-party service provider to handle all cardholder data functions, ensuring that no sensitive card data is handled directly by them. This makes it crucial for merchants categorized under SAQ-A to maintain stringent compliance without the electronic transmission of cardholder data on their own systems.

Other SAQ categories, such as SAQ-B and SAQ-C, are designed for different types of merchants who may handle cardholder data differently, either through physical devices or more comprehensive systems, thus allowing for some level of electronic transmission of that data. SAQ-A-EP is intended for e-commerce merchants who may have some level of electronic handling but still do not store cardholder data.

Understanding these distinctions is essential for ensuring PCI compliance and safeguarding cardholder data.