The table below compares the applicability of SAQ A and SAQ A-EP.
| | SAQ A | SAQ A-EP |
|---|---|---|
| | All Cardholder Data Functions Completely Outsourced | Partially Outsourced E-Commerce Payment Channel |
| Applies to: | Card-not-present merchants (e-commerce or mail/telephone-order)* | E-commerce merchants |
| Functions Outsourced | All payment acceptance and processing are entirely outsourced to PCI DSS validated third-party service providers | All processing of cardholder data is outsourced to a PCI DSS validated third-party payment processor |
| Control of Cardholder Data | Merchant's e-commerce website does not receive cardholder data and has no direct control of the manner in which cardholder data is captured, processed, transmitted, or stored | Merchant's e-commerce website does not receive cardholder data but controls how consumers, or their cardholder data, are redirected to a PCI DSS validated third-party payment processor |
| Payment pages | The entirety of all payment pages delivered to the consumer’s browser originates directly from a PCI DSS validated third-party service provider(s) | All elements of payment pages that are delivered to the consumer’s browser originate from either the merchant’s website or a PCI DSS compliant service provider(s) |
| Third-Party Compliance | Merchant confirmed that all third party(s) handling acceptance, storage, processing, and/or transmission of cardholder data are PCI DSS compliant | Merchant confirmed that all third party(s) handling storage, processing, and/or transmission of cardholder data are PCI DSS compliant |
| Merchant Systems | Merchant does not electronically store, process, or transmit any cardholder data on their systems or premises, but relies entirely on a third party(s) to handle all these functions | |
| Data Retention | Merchant retains only paper reports or receipts with cardholder data, and these documents are not received electronically | |