Learn who qualifies for the SAQ B, and tips for filling it out
SAQ B was developed to address requirements for merchants who process cardholder data through imprint machines or standalone, dial-out terminals. SAQ B merchants can be either card-present or card-not-present merchants, but they do not store cardholder data on any computer system.
Who is required to fill out SAQ B?
Here's what qualifies your business to fill out SAQ B:
- Your company uses only an imprint machine and/or uses only standalone, dial-out terminals (connected via a phone line to your processor) to take your customers’ payment card information;
- The standalone, dial-out terminals are not connected to any other systems within your environment;
- The standalone, dial-out terminals are not connected to the Internet;
- Your company does not transmit cardholder data over a network (either an internal network or the Internet);
- Any cardholder data your company retains is on paper (for example, printed reports or receipts), and these documents are not received electronically; and
- Your company does not store cardholder data in electronic format.
See also: SAQ B-IP: Protecting Your Card Data
Note: this SAQ isn’t applicable to e-commerce channels, since merchants that qualify for it must not store or transmit cardholder data in electronic format.
See also: PCI Standards: Which PCI SAQ is Right for My Business?
What PCI Requirements are included in SAQ B?
Here are the requirements included in this SAQ:
- Requirement 3: Protect stored cardholder data
- Requirement 4: Encrypt transmission of cardholder data across open, public networks
- Requirement 7: Restrict access to cardholder data by business need to know
- Requirement 9: Restrict physical access to cardholder data
- Requirement 12: Maintain a policy that addresses information security for all personnel
Note: While you only attest to five of the 12 sections of PCI DSS for the SAQ B, you are still required to adhere to all applicable PCI DSS requirements.
See also: Free SecurityMetrics PCI Guide
See also: Top Ten PCI Requirement Failures: Where is Your Business Struggling?
Example questions to address
Here are just a few questions you’ll answer as part of this SAQ:
- Is sensitive authentication data deleted/rendered unrecoverable upon completion of authorization process?
- Are policies in place that state unprotected PANs are not to be sent through end-user messaging technologies?
- Is the personal identification number (PIN) or the encrypted PIN block not stored after authorization?
- Is access to system components and cardholder data limited to only individuals whose jobs require access?
- Is media sent by secured courier or other delivery methods that can be accurately tracked?
- Are hardcopy materials cross-cut shredded, incinerated or pulped?
- Is a list of service providers maintained?
Additional tips
Here are a few more things to remember when filling out SAQ B:
- Update security policies: Make sure all your policies are updated and accessible to your employees.
- Boost your physical security: Protect areas of your business that process or store sensitive data by limiting access to them.
- Train employees: Make sure your employees understand your security policies and implement them.
Need help getting PCI compliant? Talk to us!