PCI Compliance SAQ A-EP with direct post instead of iframe


For mobile apps, can direct post be used with SAQ A-EP? My prior understanding was that only iframe was eligible for this, but there seems to be an unspecified allowance (see below). It makes sense that there would be an exception, since if the payment card collection form is implemented using native controls, it cannot be modified by malicious third-party JavaScript such as malvertisements.

To qualify for SAQ A-EP, which is by far the easiest SAQ level and set of requirements, the SAQ lists the following condition: https://www.pcisecuritystandards.org/documents/PCI-DSS-v3_2_1-SAQ-A_EP.pdf

Each element of the payment page(s) delivered to the consumer’s browser originates from either the merchant’s website or a PCI DSS compliant service provider(s);

However, on https://www.pcisecuritystandards.org/pdfs/best_practices_securing_ecommerce.pdf it says that direct post may be permitted in some cases and still qualify for SAQ A-EP:

Merchants using a Direct Post e-commerce implementation may be eligible for PCI SAQ A-EP, providing they meet the eligibility criteria of that SAQ. Merchants should consult with their acquirer (merchant bank) or with the payment brands directly to determine whether they are required to validate their PCI DSS compliance and which reporting method they should use.

More commentary

The Direct Post Method uses the merchant’s website to generate the shopping cart and payment web pages. The merchant’s payment form, loaded in the customer’s browser, sends the cardholder data directly to the PSP—not via the merchant’s website or systems—ensuring cardholder data is not stored, processed, or transmitted via the merchant systems. However, the payment form is provided by the merchant; therefore, the merchant’s systems are in scope for additional PCI DSS controls, which are necessary to protect the merchant website against malicious individuals changing the form and capturing cardholder data.
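The quoted eligibility condition and the Direct Post description can be turned into a concrete check. The following is an added example, not part of the question or of the PCI SSC documents: it takes an inventory of the external references on a browser-delivered payment page (scripts, styles, iframes, and the form's submit target), flags anything whose origin is neither the merchant's site nor the PSP, confirms that the form posts straight to the PSP rather than to the merchant, and derives the Content-Security-Policy directives a merchant would serve so that the browser refuses to submit the form anywhere else. The hostnames, the `kind`/`url` inventory shape, and the function names are constructed for the example.

```javascript
// Added example; not from the original question or the PCI SSC documents.
// Models the SAQ A-EP condition quoted above: every element of the payment
// page must originate from the merchant's own site or a PCI DSS compliant
// service provider, and in a direct-post design the form must submit to the
// PSP, never to the merchant. All hostnames are constructed placeholders.

const MERCHANT_ORIGIN = "https://shop.example";            // hypothetical merchant site
const PSP_ORIGIN = "https://payments.psp-example";         // hypothetical compliant PSP

// Resolve relative URLs against the merchant origin (they are merchant-hosted).
function originOf(url) {
  return new URL(url, MERCHANT_ORIGIN).origin;
}

// resources: [{ kind, url }] where kind is "script", "style", "iframe",
// "img" or "form-action". Returns the off-policy references and whether the
// page satisfies the direct-post shape described in the PCI guidance.
function auditPaymentPage(resources, allowed = [MERCHANT_ORIGIN, PSP_ORIGIN]) {
  const allowedSet = new Set(allowed);
  const violations = [];
  let formAction = null;

  for (const r of resources) {
    const origin = originOf(r.url);
    if (!allowedSet.has(origin)) {
      violations.push({ kind: r.kind, url: r.url, origin });
    }
    if (r.kind === "form-action") {
      formAction = origin;
    }
  }

  // Direct post: cardholder data goes from the browser to the PSP directly.
  const directPostOk = formAction === PSP_ORIGIN;
  return {
    violations,
    formAction,
    directPostOk,
    eligible: violations.length === 0 && directPostOk,
  };
}

// CSP the merchant would serve with the payment page: the browser then blocks
// scripts from anywhere but the merchant, and refuses form submission to any
// target other than the PSP, even if markup is tampered with in the browser.
function cspForDirectPost(pspOrigin = PSP_ORIGIN) {
  return [
    "default-src 'self'",
    "script-src 'self'",
    `form-action ${pspOrigin}`,
    "object-src 'none'",
    "base-uri 'self'",
  ].join("; ");
}

// Constructed page inventory: three compliant references and one third-party
// script tag that would fail the "every element" condition.
const SAMPLE_PAGE = [
  { kind: "style", url: "/checkout.css" },
  { kind: "script", url: "https://shop.example/js/cart.js" },
  { kind: "form-action", url: "https://payments.psp-example/v1/pay" },
  { kind: "script", url: "https://ads.third-party-example/tag.js" },
];

if (typeof require !== "undefined" && require.main === module) {
  console.log(auditPaymentPage(SAMPLE_PAGE));
  console.log(cspForDirectPost());
}
```

The audit only covers what is visible in the delivered page; it does not protect against the merchant's own server being compromised and serving a modified form, which is exactly why the guidance keeps the merchant's systems in scope for additional controls. The check is browser-oriented, so it does not speak to the native-control mobile case raised in the question.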
