SAQ-A-EP is applicable to which type of merchants?

SAQ-A-EP is specifically designed for e-commerce merchants who outsource their payment processing and do not store, process, or transmit cardholder data on their systems. This type of Self-Assessment Questionnaire (SAQ) is tailored for merchants that leverage a third-party payment processor, as it allows them to remain compliant with PCI DSS requirements while ensuring that they do not manage cardholder data directly.

Merchants that fit the SAQ-A-EP criteria typically embed payment processing services on their website, such as hosted payment fields, to facilitate secure transactions while offloading the storage and protection of sensitive payment information to a trusted third party. This significantly reduces their compliance burden since they are not handling sensitive information themselves.

The other options do not align with the characteristics of SAQ-A-EP. For instance, merchants processing payments in physical stores typically utilize different SAQs that address their specific risk profiles. Similarly, merchants who manually enter cardholder data into a webpage usually require a different type of SAQ that accounts for their direct handling of sensitive data. Lastly, merchants that only use print machines are generally outside the scope of the electronic payment processing models covered by SAQ-A-EP, thereby making this option unsuitable as well.