Small ecommerce merchants on Stripe, Square, PayPal, or a similar fully-outsourced payment processor usually qualify for PCI DSS SAQ-A — the lightest compliance path. But if any card data touches your systems (even briefly, even through an iframe you control), you may be bumped to SAQ-A-EP or SAQ-D, which carry 10x the annual compliance work. This tool walks you through the 20 eligibility questions. Read the walkthrough for what each question means.