Which Self-Assessment Questionnaire (SAQ) should a merchant use if they accept payments via telephone and enter cardholder data on a webpage?

The appropriate Self-Assessment Questionnaire (SAQ) for a merchant who accepts payments via telephone and enters cardholder data on a webpage is SAQ-C. This option is specifically designed for merchants with payment processing methods that include interactions where cardholder data is entered online, such as through a web page.

SAQ-C is intended for merchants that are not fully outsourced to a third-party service provider but do handle card data in a way that requires compliance with certain security measures. It acknowledges situations where cardholder data is handled, while still maintaining lower risk levels compared to other SAQs that apply to merchants with extensive card data handling needs.

In contrast, other SAQs like SAQ-D cover a broader range of requirements for businesses with more complex processing scenarios, while SAQ-A applies specifically to merchants handling payment via a fully outsourced method (where they do not handle cardholder data at all), and SAQ-B applies to merchants using standalone payment terminals, which doesn't directly align with the online card data entry context described in the question. Therefore, SAQ-C is the most fitting choice given the circumstances outlined.