
What’s the difference between PCI SAQ A and SAQ A-EP?

Which PCI DSS Self-Assessment Questionnaire (SAQ) you qualify for determines how much compliance burden you carry. For Magento merchants the three that matter are:

  • SAQ A: You outsource all cardholder data handling. The entire payment page is delivered by a PCI DSS validated third party, either as a full redirect (Stripe Checkout, PayPal hosted checkout, Adyen Hosted Payment Pages) or as a provider-hosted iframe embedded in your checkout (Braintree Drop-in). Magento never touches the PAN. 22 questions under PCI DSS v3.2.1 (v4.0 renumbers and changes the counts), low scope, the easiest path.
  • SAQ A-EP: Your own page captures card data, typically because a JS SDK renders the card fields in your DOM and posts the PAN directly to the provider (the "direct post" pattern), or because the payment page mixes your content with the provider's. Your code, and every script that runs on that page, could read or alter card data via XSS or a compromised tag, so you carry the controls that protect the page. 191 questions under v3.2.1, quarterly external vulnerability scans by an ASV, and a penetration test at least annually. Note that iframe-based SDKs such as Stripe Elements, Braintree Hosted Fields and Adyen Drop-in keep the PAN inputs inside provider-hosted iframes and are documented by their vendors as SAQ A-eligible; check your provider's own PCI guidance rather than assuming the SDK name decides it.
  • SAQ D: Your systems touch raw PAN in any way (logged, stored, processed in your app, or a card form that posts to your own server). 329 questions under v3.2.1, essentially the full PCI DSS. It is still a self-assessment; only Level 1 merchant volume forces a QSA-led Report on Compliance. Avoid at all costs.

The audit’s q12 specifically rewards being on SAQ A or SAQ A-EP. If you’re unsure which you are, your acquirer or payment gateway has a merchant portal that shows which SAQ you have been assigned. The biggest mistake I see is merchants who think they’re on SAQ A but whose checkout pulls a custom JS file from a non-PCI third party: that script runs in the page that hosts the payment iframe, which is SAQ A-EP territory, and SAQ D if card data ends up passing through your own systems.
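As an added example (not code from the original FAQ or from any vendor SDK), the following inventories where a checkout page's scripts, iframes and card inputs come from and applies the SAQ A / A-EP / D rule of thumb above. `collectInventory` is meant to be pasted into the browser console on the payment step; `classifyInventory` is pure so it also runs under Node. The merchant origin, the provider allowlist and the four sample inventories are assumptions and constructed data: replace the allowlist with the hosts your provider's PCI documentation actually names.

```javascript
// Added example, not code from the original FAQ or any vendor SDK.
// Inventories a checkout page's script/iframe origins and merchant-DOM card inputs, then
// applies the SAQ A / A-EP / D rule of thumb from the text. All origins and all sample
// inventories below are assumptions or constructed data.

const SELF_ORIGIN = "https://shop.example.com"; // assumed merchant origin

// Assumed allowlist of PCI DSS validated provider origins you have verified yourself.
const PCI_PROVIDER_ORIGINS = new Set([
  "https://js.stripe.com",
  "https://checkout.stripe.com",
  "https://js.braintreegateway.com",
  "https://checkoutshopper-live.adyen.com",
  "https://www.paypal.com",
]);

// Input names / autocomplete tokens that indicate a PAN or CVV field.
const PAN_FIELD_PATTERN = /(card.?number|cc.?num|\bpan\b|cvv|cvc|cc-number|cc-csc)/i;

function originOf(url, base = SELF_ORIGIN) {
  return new URL(url, base).origin;
}

// Run in the browser console on the payment step: turns the live DOM into plain data.
// Inputs inside cross-origin provider iframes are unreachable from here, which is exactly
// the property that keeps the PAN out of your page.
function collectInventory(doc, base = SELF_ORIGIN) {
  return {
    scripts: [...doc.querySelectorAll("script[src]")].map((s) => s.getAttribute("src")),
    iframes: [...doc.querySelectorAll("iframe[src]")].map((f) => f.getAttribute("src")),
    ownInputs: [...doc.querySelectorAll("input")].map((i) => ({
      name: i.getAttribute("name") || "",
      autocomplete: i.getAttribute("autocomplete") || "",
      formAction: i.form ? (i.form.getAttribute("action") || "") : "",
    })),
  };
}

function classifyInventory(inv, base = SELF_ORIGIN) {
  const findings = [];
  const thirdPartyScripts = [...new Set(
    inv.scripts.map((s) => originOf(s, base)).filter((o) => o !== base && !PCI_PROVIDER_ORIGINS.has(o)),
  )];
  const panInputs = inv.ownInputs.filter(
    (i) => PAN_FIELD_PATTERN.test(i.name) || PAN_FIELD_PATTERN.test(i.autocomplete),
  );
  const providerIframes = inv.iframes.map((f) => originOf(f, base)).filter((o) => PCI_PROVIDER_ORIGINS.has(o));
  // A card form whose explicit action is not a provider origin posts the PAN to your own server.
  const panPostedToMerchant = panInputs.some(
    (i) => i.formAction !== "" && !PCI_PROVIDER_ORIGINS.has(originOf(i.formAction, base)),
  );

  let saq;
  if (panPostedToMerchant) {
    saq = "SAQ D";
    findings.push("card fields post to a non-provider origin: PAN transits your server");
  } else if (panInputs.length > 0) {
    saq = "SAQ A-EP";
    findings.push("card fields rendered in your own DOM (direct-post / JS SDK pattern); confirm the SDK tokenises before submit");
  } else if (thirdPartyScripts.length > 0) {
    saq = "SAQ A-EP";
    findings.push(`non-PCI third-party scripts on the payment page: ${thirdPartyScripts.join(", ")}`);
  } else if (providerIframes.length > 0) {
    saq = "SAQ A";
  } else {
    saq = "unknown";
    findings.push("no provider iframe and no card inputs found; is this the payment step?");
  }
  return { saq, thirdPartyScripts, panInputs: panInputs.map((i) => i.name), findings };
}

// Constructed inventories standing in for collectInventory(document) output.
const SAMPLE_SAQ_A = {
  scripts: ["/static/frontend/Magento/luma/en_US/requirejs/require.js", "https://js.stripe.com/v3/"],
  iframes: ["https://checkout.stripe.com/c/pay/cs_test_placeholder"],
  ownInputs: [{ name: "billing[email]", autocomplete: "email", formAction: "" }],
};
// Same page after a marketing tag was added: one extra script from an unvetted host.
const SAMPLE_DRIFT = { ...SAMPLE_SAQ_A, scripts: [...SAMPLE_SAQ_A.scripts, "https://cdn.tagvendor.example/tag.js"] };
// Card fields in the merchant DOM, tokenised by a JS SDK before submit.
const SAMPLE_A_EP = {
  scripts: ["https://js.braintreegateway.com/web/client.min.js"],
  iframes: [],
  ownInputs: [
    { name: "payment[cc_number]", autocomplete: "cc-number", formAction: "" },
    { name: "payment[cc_cid]", autocomplete: "cc-csc", formAction: "" },
  ],
};
// Same fields, but the form posts straight to a Magento controller on your own origin.
const SAMPLE_SAQ_D = {
  ...SAMPLE_A_EP,
  ownInputs: SAMPLE_A_EP.ownInputs.map((i) => ({ ...i, formAction: "/checkout/payment/save" })),
};

for (const [label, inv] of Object.entries({ SAMPLE_SAQ_A, SAMPLE_DRIFT, SAMPLE_A_EP, SAMPLE_SAQ_D })) {
  const r = classifyInventory(inv);
  console.log(label, "->", r.saq, r.findings.join("; "));
}
```

The drift case is the one from the paragraph above: the provider iframe is still there and nothing in your DOM holds a PAN, but a single script from an unvetted origin now runs in the page that frames the payment form, so the classifier no longer reports SAQ A. Run `classifyInventory(collectInventory(document))` on the real payment step, and treat any origin it lists under `thirdPartyScripts` as something to remove or to justify to your acquirer.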
