Learn who qualifies for the SAQ B, and tips for filling it out.
By: George Mateaki
SEE ALSO: Updating PCI DSS SAQs to 3.2: The Changes You Should Know
Here are some things to know about SAQ B.
Who is required to fill out SAQ B?
Here's what qualifies your business to fill out SAQ B:
- Your company uses only an imprint machine and/or uses only standalone, dial-out terminals (connected via a phone line to your processor) to take your customers’ payment card information;
- The standalone, dial-out terminals are not connected to any other systems within your environment;
- The standalone, dial-out terminals are not connected to the Internet;
- Your company does not transmit cardholder data over a network (either an internal network or the Internet);
- Any cardholder data your company retains is on paper (for example, printed reports or receipts), and these documents are not received electronically; and
- Your company does not store cardholder data in electronic format.
Note: this SAQ isn’t applicable to e-commerce channels, since merchants that qualify for it must not store or transmit cardholder data in electronic format.
SEE ALSO: PCI Standards: Which PCI SAQ is Right for My Business?
What PCI Requirements are included in SAQ B?
Here are the requirements included in this SAQ:
- Requirement 3: Protect stored cardholder data
- Requirement 4: Encrypt transmission of cardholder data across open, public networks
- Requirement 7: Restrict access to cardholder data by business need to know
- Requirement 9: Restrict physical access to cardholder data
- Requirement 12: Maintain a policy that addresses information security for all personnel
SEE ALSO: Top Ten PCI Requirement Failures: Where is Your Business Struggling?
Example questions to address
Here are just a few questions you’ll answer as part of this SAQ:
- Is sensitive authentication data deleted/rendered unrecoverable upon completion of authorization process?
- Are policies in place that state unprotected PANs are not to be sent through end-user messaging technologies?
- Is the personal identification number (PIN) or the encrypted PIN block not stored after authorization?
- Is access to system components and cardholder data limited to only individuals whose jobs require access?
- Is media sent by secured courier or other delivery methods that can be accurately tracked?
- Are hardcopy materials cross-cut shredded, incinerated or pulped?
- Is a list of service providers maintained?
Additional tips
Here are a few more things to remember when filling out SAQ B:
- Update security policies: make sure all your policies are updated and accessible to your employees.
- Boost your physical security: protect areas of your business that process or store sensitive data by limiting access to them.
- Train employees: make sure your employees understand your security policies and implement them.
George Mateaki (CISSP, CISA, QSA, PA-QSA) is a Security Analyst at SecurityMetrics with an extensive background in Information Security and 20+ years in IT.