SAQ A vs SAQ A-EP: Which One Do You Need?

When it comes to PCI DSS compliance, choosing the right Self-Assessment Questionnaire (SAQ) can mean the difference between a straightforward 22-question assessment and a more comprehensive 181-question evaluation. The distinction between SAQ A and SAQ A-EP is crucial for e-commerce businesses, as selecting the wrong one can result in unnecessary complexity or, worse, non-compliance.

This comparison matters because the wrong SAQ choice affects your compliance timeline, costs, and audit requirements. While both questionnaires serve card-not-present merchants, they apply to fundamentally different payment processing scenarios.

Quick Answer: Choose SAQ A if you redirect customers to a third-party payment processor and never handle card data on your systems. Choose SAQ A-EP if you collect payment data on your website but use a hosted payment page or iframe solution.

Overview of Each Option

SAQ A: Card-Not-Present Merchants with Complete Outsourcing

SAQ A is the simplest PCI DSS validation method, designed for merchants who have completely outsourced all cardholder data handling. This applies to businesses that redirect customers to third-party payment processors (like PayPal, Stripe Checkout, or Amazon Pay) where the merchant’s systems never touch, process, store, or transmit cardholder data.

The questionnaire contains only 22 questions focused on basic security policies, network security, and maintaining compliance with your payment processor’s requirements.

SAQ A-EP: E-commerce with Hosted Payment Solutions

SAQ A-EP (E-commerce Partially Outsourced) addresses merchants who collect payment information through their website but use hosted payment solutions, embedded payment forms, or iframe solutions. While payment processing is outsourced, these merchants still have some exposure to cardholder data during the collection phase.

This questionnaire includes 181 questions covering comprehensive security controls, network segmentation, vulnerability management, access controls, and monitoring systems.

Key Differences at a Glance

| Aspect | SAQ A | SAQ A-EP |
|--------|-------|----------|
| Questions | 22 | 181 |
| Scope | Minimal – policies only | Comprehensive – technical controls |
| Network Requirements | Basic firewall | Segmentation, monitoring, testing |
| Vulnerability Management | Not required | Quarterly scans, patch management |
| Access Controls | Basic policies | Multi-factor authentication, logging |
| Completion Time | 2-4 hours | 40-80 hours |

Detailed Comparison

Requirements Comparison

SAQ A Requirements:

  • Maintain compliance with payment processor requirements
  • Implement basic network firewall policies
  • Establish information security policies
  • Restrict access to cardholder data by business need-to-know
  • Monitor and test networks regularly (at processor level)
  • Maintain vulnerability management programs (at processor level)

SAQ A-EP Requirements:

  • All SAQ A requirements plus:
  • Install and maintain network security controls with proper segmentation
  • Conduct quarterly vulnerability scans of public-facing web applications
  • Implement strong access control measures including multi-factor authentication
  • Regularly monitor and test networks and systems
  • Deploy file integrity monitoring on web servers
  • Maintain detailed logging and log review procedures
  • Conduct annual penetration testing
  • Implement incident response procedures

Scope Comparison

SAQ A Scope:
The scope is extremely limited because the merchant never handles cardholder data. The primary focus is on:

  • Ensuring payment processor compliance
  • Basic corporate security policies
  • Understanding PCI DSS requirements that apply to your service providers

SAQ A-EP Scope:
The scope encompasses your entire e-commerce environment, including:

  • Web servers hosting payment forms
  • Database servers (even if not storing card data)
  • Network infrastructure connecting payment systems
  • Administrative systems with access to the cardholder data environment
  • Any system that could impact payment security

Effort and Cost Comparison

SAQ A Costs:

  • Minimal internal resources (2-4 hours annually)
  • No technical security investments required
  • Payment processor fees only
  • Basic documentation maintenance

SAQ A-EP Costs:

  • Significant internal resources (40-80 hours initially, 20-40 hours annually)
  • Technical security investments:
    – Web application firewalls
    – Vulnerability scanning tools
    – Log management systems
    – Security monitoring solutions
    – Multi-factor authentication systems

  • Potential consultant fees for gap assessments
  • Annual penetration testing costs ($5,000-$15,000)
  • Quarterly vulnerability scanning fees ($1,200-$3,600 annually)

Use Case Fit

SAQ A Perfect Fit:

  • Simple redirect payment flows
  • Minimal technical complexity
  • Small businesses with limited IT resources
  • Organizations prioritizing ease of compliance

SAQ A-EP Perfect Fit:

  • Custom checkout experiences
  • Advanced payment features (saved cards, subscription billing)
  • Businesses with dedicated IT security resources
  • Organizations requiring detailed payment analytics

When to Choose Each

Scenarios Favoring SAQ A

Complete Payment Redirection:
Choose SAQ A when customers are redirected away from your website to complete payment. Examples include:

  • PayPal Standard integration where users click “Pay with PayPal”
  • Amazon Pay redirection workflows
  • Stripe Checkout hosted pages
  • Any solution where payment forms are entirely hosted elsewhere

Limited Technical Resources:
SAQ A is ideal for organizations with:

  • Small IT teams
  • Limited security budgets
  • Simple e-commerce requirements
  • Preference for outsourced complexity

Risk-Averse Organizations:
Businesses prioritizing minimal compliance burden and reduced liability exposure benefit from SAQ A’s complete outsourcing approach.

Scenarios Favoring SAQ A-EP

Enhanced User Experience:
Choose SAQ A-EP when maintaining control over the payment experience is crucial:

  • Custom-branded payment forms
  • Seamless checkout flows without redirects
  • Integration with existing customer account systems
  • Advanced payment features requiring data collection

Technical Capability:
SAQ A-EP suits organizations with:

  • Dedicated security personnel
  • Existing security infrastructure
  • Technical expertise for implementation
  • Budget for comprehensive security controls

Business Requirements:
Consider SAQ A-EP for:

  • Detailed payment analytics needs
  • Complex subscription or recurring billing
  • Multi-step payment processes
  • Integration with existing business systems

Hybrid Approaches

Some businesses start with SAQ A and migrate to SAQ A-EP as they grow. This approach allows:

  • Initial rapid deployment with minimal complexity
  • Learning PCI DSS fundamentals through simpler requirements
  • Gradual investment in security infrastructure
  • Migration to enhanced payment experiences as business scales

Decision Framework

Questions to Ask Yourself

Technical Architecture Questions:
1. Do payment forms appear on your website domain?
2. Does cardholder data ever touch your servers, even temporarily?
3. Do you use iframes or embedded payment solutions?
4. Can you implement and maintain network segmentation?
5. Do you have resources for quarterly vulnerability management?

Business Requirements Questions:
1. How important is a seamless checkout experience?
2. Do you need detailed payment analytics?
3. Will you offer saved payment methods or subscriptions?
4. What’s your budget for security infrastructure?
5. Do you have dedicated IT security staff?

Risk Assessment Questions:
1. What’s your comfort level with security complexity?
2. How do you prefer to handle compliance responsibilities?
3. What’s the impact of potential security incidents?
4. How quickly do you need to achieve compliance?
5. What are your long-term e-commerce plans?

Evaluation Criteria

Priority Matrix:
Rate these factors by importance to your business:

  • Compliance simplicity (favors SAQ A)
  • User experience control (favors SAQ A-EP)
  • Cost minimization (favors SAQ A)
  • Payment feature flexibility (favors SAQ A-EP)
  • Technical resource availability (impacts feasibility)

Decision Tree

1. Start Here: Does payment data ever touch your systems?
– No → SAQ A
– Yes → Continue to #2

2. Do you have dedicated IT security resources?
– No → Consider staying with SAQ A redirection model
– Yes → Continue to #3

3. Is seamless payment experience critical to your business?
– No → SAQ A likely sufficient
– Yes → SAQ A-EP appropriate

4. Can you invest in comprehensive security infrastructure?
– No → Reconsider SAQ A
– Yes → SAQ A-EP is viable
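One way to make step 1 of the decision tree concrete is to scan the checkout page itself and apply the article's own rule: a form that only sends the customer off-site to the processor points to SAQ A, while card-data inputs or a processor-hosted iframe rendered on the merchant's page point to SAQ A-EP. This is an added example, not code from the article; the merchant host, the field-name list and the three sample pages are constructed assumptions.

```python
"""Apply this article's scoping rule to a checkout page's HTML: redirect to
the processor -> SAQ A; card inputs or a hosted payment iframe rendered on
the merchant's own page -> SAQ A-EP. Added example, not from the article."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Input names / HTML autocomplete tokens that carry card data (constructed list).
CARD_FIELDS = {"cardnumber", "card_number", "cc-number", "cc-csc", "cc-exp",
               "pan", "cvc", "cvv", "expiry"}

class CheckoutScan(HTMLParser):
    """Collects what decides scope: card inputs, iframes, form targets."""
    def __init__(self):
        super().__init__()
        self.card_inputs, self.iframes, self.form_actions = [], [], []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # valueless attrs -> ""
        if tag == "input":
            key = (a.get("name") or a.get("autocomplete") or "").lower()
            if key in CARD_FIELDS:
                self.card_inputs.append(key)
        elif tag == "iframe":
            self.iframes.append(a.get("src", ""))
        elif tag == "form":
            self.form_actions.append(a.get("action", ""))

def classify(html, merchant_host):
    """Return (saq, reason); checks run from most to least exposure."""
    scan = CheckoutScan()
    scan.feed(html)
    if scan.card_inputs:  # cardholder data is typed into the merchant's page
        return "SAQ A-EP", "card fields on merchant page: " + ", ".join(scan.card_inputs)
    if scan.iframes:  # processor-hosted form embedded in the merchant's page
        return "SAQ A-EP", "payment iframe on merchant page: " + scan.iframes[0]
    offsite = [u for u in scan.form_actions
               if urlparse(u).hostname not in (None, merchant_host)]
    if offsite:  # no card fields here; the customer is sent to the processor
        return "SAQ A", "checkout redirects off-site to " + offsite[0]
    return "UNKNOWN", "no payment elements found; review the page manually"

# Constructed sample pages for a hypothetical merchant at shop.example
REDIRECT_PAGE = ('<form action="https://www.paypal.example/cgi-bin/webscr" method="post">'
                 '<input type="hidden" name="cmd" value="_xclick"><input type="submit"></form>')
IFRAME_PAGE = ('<form action="/checkout"><input name="email">'
               '<iframe src="https://js.processor.example/hosted-fields"></iframe></form>')
ONSITE_PAGE = ('<form action="/charge"><input name="email">'
               '<input name="cardNumber"><input autocomplete="cc-csc"></form>')
```

Calling classify(page, "shop.example") on the three samples yields SAQ A, SAQ A-EP and SAQ A-EP respectively; a page with no payment elements returns UNKNOWN so it is reviewed by hand rather than silently scoped as SAQ A.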

Common Misconceptions

Myth: SAQ A-EP Is Always Better

Reality: SAQ A-EP isn’t superior to SAQ A—it’s designed for different scenarios. Many successful e-commerce businesses operate effectively with SAQ A’s redirect model. The “better” choice depends entirely on your business requirements and technical capabilities.

Myth: You Can Choose Either One

Reality: Your payment processing method determines your SAQ type. You can’t simply choose the easier option if your technical implementation requires the more comprehensive assessment. Misrepresenting your environment to avoid SAQ A-EP requirements constitutes non-compliance.

Myth: SAQ A-EP Provides Better Security

Reality: Both approaches can provide excellent security when properly implemented. SAQ A achieves security through complete outsourcing, while SAQ A-EP achieves it through comprehensive controls. Neither is inherently more secure.

Myth: SAQ A Is Too Limited for Real Businesses

Reality: Many large, successful e-commerce operations use SAQ A. Companies like those using PayPal Standard, Amazon Pay, or Stripe Checkout can handle millions in transactions while maintaining SAQ A eligibility.

Myth: You Can Start with SAQ A and Upgrade Later

Reality: While technically possible, this isn’t an “upgrade”—it’s a fundamental change in your payment architecture. Moving from SAQ A to SAQ A-EP requires rebuilding your payment system and implementing extensive security controls.

Frequently Asked Questions

Q: Can I use SAQ A if I collect email addresses on the same form as payment data?
A: No. If your website collects any information on the same form as payment data, even non-payment fields, you typically fall under SAQ A-EP requirements. The form must be entirely hosted by your payment processor for SAQ A eligibility.

Q: What happens if I choose the wrong SAQ type?
A: Selecting an inappropriate SAQ constitutes non-compliance. If discovered during an audit or after a security incident, you may face fines, increased oversight, or loss of payment processing privileges. Always choose based on your actual technical implementation, not convenience.

Q: How often do I need to complete my SAQ?
A: Both SAQ A and SAQ A-EP must be completed annually. However, SAQ A-EP also requires quarterly vulnerability scans and ongoing monitoring, making it a more continuous compliance effort.

Q: Can I switch from SAQ A-EP back to SAQ A?
A: Yes, but only by changing your payment processing method to eliminate cardholder data exposure from your systems. This typically means redesigning your checkout process to use redirect-based payments instead of hosted forms.

Q: Do I need a QSA (Qualified Security Assessor) for either SAQ?
A: Neither SAQ A nor SAQ A-EP requires a QSA for self-assessment. However, many businesses engage QSAs for gap assessments, especially for SAQ A-EP due to its complexity. Your acquiring bank may also require third-party validation regardless of your SAQ type.

Conclusion

The choice between SAQ A and SAQ A-EP fundamentally depends on your payment processing architecture, not your preferences. SAQ A serves businesses using complete payment redirection, offering simplicity and minimal compliance burden. SAQ A-EP addresses e-commerce operations that collect payment data through their websites while outsourcing processing, requiring comprehensive security controls but enabling enhanced user experiences.

Consider SAQ A if you can achieve your business objectives through redirect payments and prefer minimal compliance complexity. Choose SAQ A-EP when seamless payment experiences are crucial and you have the resources to implement robust security controls.

Remember that this decision impacts not just your initial compliance effort, but your ongoing security responsibilities, costs, and operational requirements. Take time to evaluate your current architecture, business requirements, and available resources before making this critical choice.

Ready to determine which SAQ is right for your business? Try our free PCI SAQ Wizard tool at PCICompliance.com to assess your specific situation and start your compliance journey with confidence. Our tool analyzes your payment processing method and provides personalized recommendations, plus access to expert guidance and affordable compliance tools trusted by thousands of businesses worldwide.
