by JimmyL 4185 days ago
It would be trivial, which is one of the problems with A-EP when you look at it from the POV of someone who knows something about web security.

As for iFrames vs. Direct POST, from https://www.pcisecuritystandards.org/documents/Understanding...:

Examples of e-commerce implementations addressed by SAQ A include...[merchant] website provides an inline frame (iFrame) to a PCI DSS compliant third-party processor facilitating the payment process...Examples of e-commerce implementations addressed by SAQ A-EP include...[merchant] website creates the payment form, and the payment data is delivered directly to the payment processor (often referred to as 'Direct Post')


Right. Which is why SAQ A-EP was invented -- to prevent merchants from gaining compliance based on the loophole that they are using a JS library or offsite link to collect payment.
It would be trivial, but the iframe (Stripe Checkout) does qualify for SAQ A.
Correct: The use or non-use of stripe.js is irrelevant for whether a merchant needs SAQ A or SAQ A-EP.

SAQ A applies when using one's own server infrastructure, and SAQ A-EP applies when using a PaaS.