Comparison of the SAQ A vs SAQ A-EP
The table below compares the applicability of SAQ A and SAQ A-EP.
| | SAQ A | SAQ A-EP |
|---|---|---|
| Applies to: | Card-not-present merchants (e-commerce or mail/telephone-order)* | E-commerce merchants |
| Functions Outsourced | All payment acceptance and processing are entirely outsourced to PCI DSS validated third-party service providers | All processing of cardholder data is outsourced to a PCI DSS validated third-party payment processor |
| Control of Cardholder Data | Merchant's e-commerce website does not receive cardholder data and has no direct control of the manner in which cardholder data is captured, processed, transmitted, or stored | Merchant's e-commerce website does not receive cardholder data but controls how consumers, or their cardholder data, are redirected to a PCI DSS validated third-party payment processor |
| Payment pages | The entirety of all payment pages delivered to the consumer’s browser originates directly from a PCI DSS validated third-party service provider(s) | All elements of payment pages that are delivered to the consumer’s browser originate from either the merchant’s website or a PCI DSS compliant service provider(s) |
| Third-Party Compliance | Merchant confirmed that all third party(s) handling acceptance, storage, processing, and/or transmission of cardholder data are PCI DSS compliant | Merchant confirmed that all third party(s) handling storage, processing, and/or transmission of cardholder data are PCI DSS compliant |
| Merchant Systems | Merchant does not electronically store, process, or transmit any cardholder data on their systems or premises, but relies entirely on a third party(s) to handle all these functions | Merchant does not electronically store, process, or transmit any cardholder data on their systems or premises, but relies entirely on a third party(s) to handle all these functions |
| Data Retention | Merchant retains only paper reports or receipts with cardholder data, and these documents are not received electronically | Merchant retains only paper reports or receipts with cardholder data, and these documents are not received electronically |