Learn who qualifies for the SAQ B, and tips to filling it out.  

By: George Mateaki
Security Analyst
CISSP, QSA
SAQ B was developed to address requirements for merchants who process cardholder data through imprint machines or standalone, dial-out terminals. SAQ B merchants can either be card-present, or card-not-present merchants, but they do not store cardholder data on any computer system.

SEE ALSO: Updating PCI DSS SAQs to 3.2: The Changes You Should Know
Here are some things to know about SAQ B.

Who is required to fill out SAQ B?

Here's what qualifies your business to fill out SAQ B:
    SAQ B
  • Your company uses only an imprint machine and/or uses only standalone, dial-out terminals (connected via a phone line to your processor) to take your customers’ payment card information;  
  • The standalone, dial-out terminals are not connected to any other systems within your environment; 
  • The standalone, dial-out terminals are not connected to the Internet; 
  • Your company does not transmit cardholder data over a network (either an internal network or the Internet); 
  • Any cardholder data your company retains is on paper (for example, printed reports or receipts), and these documents are not received electronically; and 
  • Your company does not store cardholder data in electronic format.
SEE ALSO: SAQ B-IP: Protecting Your Card Data

Note: this SAQ isn’t applicable to e-commerce channels, since merchants that qualify for it must not store or transmit cardholder data in electronic format. 

SEE ALSO: PCI Standards: Which PCI SAQ is Right for My Business?

What PCI Requirements are included in SAQ B?

SAQ B requirementsHere are the requirements included in this SAQ:
  • Requirement 3: protect stored cardholder data
  • Requirement 4: encrypt transmission of cardholder data across open, public networks
  • Requirement 7: Restrict access to cardholder data by business need to know
  • Requirement 9: restrict physical access to cardholder data
  • Requirement 12: maintain a policy that addresses information security for all personnel
Note: While you only attest to five of the 12 sections of PCI-DSS for the SAQ B, you are still required to adhere to all applicable PCI-DSS requirements.

SEE ALSO: Top Ten PCI Requirement Failures: Where is Your Business Struggling?

Example questions to address

Here are just a few questions you’ll answer as part of this SAQ:
  • Is sensitive authentication data deleted/rendered unrecoverable upon completion of authorization process?
  • Are policies in place that state unprotected PANs are not to be sent through end-user messaging technologies? 
  • The personal identification number or the encrypted PIN block isn’t stored after authorization?
  • Is access to system components and cardholder data limited to only individuals whose jobs require access? 
  • Is media sent by secured courier or other delivery methods that can be accurately tracked?
  • Are hardcopy materials cross-cut shredded, incinerated or pulped? 
  • Is a list of service providers maintained? 

Additional tips

Here are a few more things to remember when filling out SAQ B
  • Update security policies: make sure all your policies are updated and accessible to your employees. 
  • Boost your physical security: protect areas of your business that process or store sensitive data, by limited access
  • Train employees: Make sure your employees understand your security policies and implement them
Need help getting PCI compliant? Talk to us! 

George Mateaki (CISSP, CISA, QSA, PA-QSA) is a Security Analyst at SecurityMetrics with an extensive background in Information Security and 20+ years in IT.