Understanding SAQ A and SAQ A-EP Eligibility: A Streamlined Approach to PCI DSS Compliance

February 19, 2025 | PCI DSS

For businesses that accept online payments, compliance with the Payment Card Industry Data Security Standard (PCI DSS) is essential, but it doesn’t have to be overwhelming.

If your business does not store, process, or transmit cardholder data (CHD) and relies on a third-party service provider (TPSP) for payment processing, you may qualify for a Self-Assessment Questionnaire (SAQ) A or SAQ A-EP—a streamlined approach to PCI DSS compliance that reduces assessment scope and effort.

Here’s everything you need to know about who is eligible for an SAQ A and SAQ A-EP and why it might be the right choice for your business:

What is an SAQ A?

An SAQ A is one of several PCI DSS compliance pathways designed for card-not-present merchants (i.e., e-commerce businesses, or businesses that accept only mail or phone orders) that:

  • Outsource all cardholder data functions to a PCI DSS-compliant third-party payment processor; and,
  • Do not access, store, process, or transmit CHD on their own systems or premises.

This means that if your payment page is entirely managed by another entity, or if you integrate payment processing through an iFrame, URL redirect, or another approved method where your environment never touches CHD, you may be eligible to complete an SAQ A rather than a more intensive SAQ option or a full Report on Compliance (ROC).

For merchants that rely entirely on PCI-compliant TPSPs (such as payment gateways) to handle transactions securely, an SAQ A is a practical option for demonstrating compliance while maintaining a seamless, secure customer experience.

What is an SAQ A-EP?

An SAQ A-EP is similar to an SAQ A, but has one key difference: the merchant maintains functionality on their payment page that could impact the security of a payment transaction.

Unlike an SAQ A, an SAQ A-EP applies when the payment form used on the payment page is implemented and managed by the merchant, usually in the form of a Direct Post script. In a Direct Post implementation, the merchant's website serves a script that renders the payment form in the consumer's (i.e., the cardholder's) browser, and the payment data is then sent from the consumer's browser directly to the payment processor. Because the form itself originates from the merchant's environment, the merchant remains responsible for the security of that form and of the scripts that load alongside it.

The term Direct Post is often mistakenly used interchangeably with iFrame, but these two implementations result in very different compliance responsibilities for the merchant.

Benefits of an SAQ A and SAQ A-EP

If your business is eligible, completing an SAQ A or SAQ A-EP offers documented compliance assurance for your customers, especially when completed and signed by a Qualified Security Assessor (QSA), and minimizes the time, cost, and complexity required to achieve PCI DSS compliance by:

  • Minimizing Scope: Since no cardholder data is handled directly, the number of controls required is reduced.
  • Lowering Risk Exposure: By offloading payment processing to a trusted provider, businesses mitigate security risks.
  • Simplifying Audits: Less required documentation and fewer walkthrough sessions mean a smoother compliance process.
  • Reinforcing Trust: With more verbose reporting than a traditional SAQ, an SAQ A provides structured compliance documentation that satisfies stakeholder and regulatory expectations.

Applying SAQ Eligibility to a ROC

For organizations required to submit a ROC to their customers or other stakeholders—usually service providers or large merchants with high transaction volumes—SAQ requirement templates can be applied within the ROC framework. According to the PCI Security Standards Council (PCI SSC), organizations that meet the predefined SAQ eligibility criteria “may use that SAQ as a reference to identify the applicable PCI DSS requirements for that environment.” This means that an organization can receive the high level of assurance and reporting that comes with a ROC and a QSA-signed Attestation of Compliance (AOC) with the same level of effort and the same set of requirements as the much less intensive SAQ.

For instance, an SAQ A leaves the merchant responsible for 12, 28, or 30 requirements—depending on their specific payment form implementation—while an SAQ A-EP includes 139 requirements. These numbers are much more manageable than the 251 requirements applicable to a standard ROC.

Notably, SAQ applicability to a ROC is not limited to SAQ A and SAQ A-EP; it applies to any SAQ template. The sole exception is for service providers, who are required to complete an SAQ D for Service Providers, which is effectively a full ROC, albeit with fewer documentation standards.

The Bottom Line

If your business relies entirely on a PCI-compliant third-party processor for payments and has little or no interaction with cardholder data, an SAQ A (no interaction) or an SAQ A-EP (limited interaction through a merchant-managed payment form) is a smart option for obtaining PCI DSS compliance. Not only does an SAQ A or SAQ A-EP simplify the assessment process, but it also allows your team to spend less time navigating compliance and more time growing your business.

Is your organization eligible for an SAQ A or SAQ A-EP? Contact us today for a free consultation.