What defines SAQ A-EP?

Prepare for the PCI DSS Internal Security Assessor Test. Study with flashcards and detailed multiple choice questions, all featuring hints and explanations. Excel in your exam!

SAQ A-EP is specifically defined for e-commerce merchants that outsource their payment processing to third-party services. This means that the merchants do not handle cardholder data directly but instead use a secure method provided by an external vendor to facilitate transactions. This scenario is crucial as it mitigates the risk associated with handling cardholder data, ensuring compliance with PCI DSS while still enabling online transactions.

In this context, e-commerce merchants using third-party services must adhere to certain compliance requirements, which are outlined in SAQ A-EP. This includes ensuring that their integrations with the third-party payment processors are secure and that they maintain a level of security even if they are not directly managing cardholder data.

Other options describe scenarios that do not align with the specific requirements of SAQ A-EP. For instance, e-commerce merchants with no cardholder data processing do not fit the definition since they aren't involved in any part of the transaction process involving credit card information. Merchants making in-person payments and those storing cardholder data also have different compliance requirements that would not apply to those using third-party payment solutions. Thus, the accurate association of SAQ A-EP is indeed with merchants outsourcing payment processing.
