To be eligible for SAQ A, all elements of the payment pages must only originate from PCI DSS compliant service provider(s), and no single element of a payment page can originate from the merchant?s website.

To be eligible for SAQ A-EP, each individual element of the payment page must originate from either the merchant website or from a PCI DSS compliant service provider. If any element of the payment page originates from a source other than the merchant website or the PCI DSS compliant service provider, then the implementation is not eligible for SAQ A-EP.

It should be noted that all eligibility criteria for a particular SAQ must be met in order to use that SAQ. For example, a merchant could have a website where all payment page elements originate from a PCI DSS compliant service provider; however, if the merchant does not also meet all the other eligibility criteria for SAQ A or for SAQ A-EP, then they would not be eligible for either SAQ.