Learn who qualifies for the SAQ B, and tips to filling it out.  

By: George Mateaki
Security Analyst
CISSP, QSA
SAQ B was developed to address requirements for merchants who process cardholder data through imprint machines or standalone, dial-out terminals. SAQ B merchants can either be card-present, or card-not-present merchants, but they do not store cardholder data on any computer system.

SEE ALSO: Updating PCI DSS SAQs to 3.2: The Changes You Should Know
Here are some things to know about SAQ B.
Tweet: Here are some things to know about SAQ B. http://ow.ly/rdi8309E6mm #PCIDSSTweet

Who is required to fill out SAQ B?

Here's what qualifies your business to fill out SAQ B:
    SAQ B
  • Your company uses only an imprint machine and/or uses only standalone, dial-out terminals (connected via a phone line to your processor) to take your customers’ payment card information;  
  • The standalone, dial-out terminals are not connected to any other systems within your environment; 
  • The standalone, dial-out terminals are not connected to the Internet; 
  • Your company does not transmit cardholder data over a network (either an internal network or the Internet); 
  • Any cardholder data your company retains is on paper (for example, printed reports or receipts), and these documents are not received electronically; and 
  • Your company does not store cardholder data in electronic format.
SEE ALSO: SAQ B-IP: Protecting Your Card Data

Note: this SAQ isn’t applicable to e-commerce channels, since merchants that qualify for it must not store or transmit cardholder data in electronic format. 

SEE ALSO: PCI Standards: Which PCI SAQ is Right for My Business?

What PCI Requirements are included in SAQ B?

SAQ B requirementsHere are the requirements included in this SAQ:
  • Requirement 3: protect stored cardholder data
  • Requirement 4: encrypt transmission of cardholder data across open, public networks
  • Requirement 7: Restrict access to cardholder data by business need to know
  • Requirement 9: restrict physical access to cardholder data
  • Requirement 12: maintain a policy that addresses information security for all personnel
Note: While you only attest to five of the 12 sections of PCI-DSS for the SAQ B, you are still required to adhere to all applicable PCI-DSS requirements.

 SEE ALSO: Top Ten PCI Requirement Failures: Where is Your Business Struggling?

Example questions to address

Here are just a few questions you’ll answer as part of this SAQ:
  • Is sensitive authentication data deleted/rendered unrecoverable upon completion of authorization process?
  • Are policies in place that state unprotected PANs are not to be sent through end-user messaging technologies? 
  • The personal identification number or the encrypted PIN block isn’t stored after authorization?
  • Is access to system components and cardholder data limited to only individuals whose jobs require access? 
  • Is media sent by secured courier or other delivery methods that can be accurately tracked?
  • Are hardcopy materials cross-cut shredded, incinerated or pulped? 
  • Is a list of service providers maintained? 
Follow for more data security articles like this

Additional tips

Here are a few more things to remember when filling out SAQ B
  • Update security policies: make sure all your policies are updated and accessible to your employees. 
  • Boost your physical security: protect areas of your business that process or store sensitive data, by limited access
  • Train employees: Make sure your employees understand your security policies and implement them
Need help getting PCI compliant? Talk to us! 

George Mateaki (CISSP, CISA, QSA, PA-QSA) is a Security Analyst at SecurityMetrics with an extensive background in Information Security and 20+ years in IT.

Monday, March 6, 2017