Learn who qualifies for SAQ B-IP and what you need to do to get compliant.

By: Michael Simpson, QSA, CISSP
Principal Security Analyst

SAQ B-IP addresses merchants that don’t store card data in electronic format but use IP-connected point-of-interaction (POI) devices. These merchants may handle either card-present or card-not-present transactions, and do not store card data on any computer system.

Here’s what you should know for SAQ B-IP.

Who’s required to fill out SAQ B-IP?

Here’s what qualifies you for SAQ B-IP:
  • Your business uses only standalone, PTS-approved POI devices connected via IP to your payment processor to take your customers’ payment card information 
  • The standalone IP-connected POI devices are validated to the PTS POI program as listed on the PCI SSC website (excludes SCRs) 
  • The standalone IP-connected POI devices are not connected to any other systems within your environment 
  • The only transmission of cardholder data is from the PTS-approved POI devices to the payment processor 
  • The POI device doesn’t rely on any other device (e.g., computer, mobile phone, tablet, etc.) to connect to the payment processor 
  • The business has only paper reports or paper copies of receipts with cardholder data, and these documents are not received electronically
  • Your company does not store cardholder data electronically

What’s the difference between SAQ B and SAQ B-IP?

Both SAQs refer to merchants that deal with card data that isn’t in electronic format. The biggest difference between the two SAQs is how data is transmitted from the terminal to the processor.

SAQ B refers to merchants that process card data through dial-out POI terminals (connected through a phone line). SAQ B-IP refers to merchants that process card data through POI devices that are connected to an IP network.


What requirements does SAQ B-IP address?

This SAQ addresses elements of several of the PCI requirements, including:
  • Requirement 1: Install and maintain a firewall configuration to protect data
  • Requirement 2: Don’t use vendor-supplied defaults for system passwords
  • Requirement 3: Protect stored cardholder data
  • Requirement 4: Encrypt transmission of cardholder data across open, public networks
  • Requirement 6: Develop and maintain secure systems and applications
  • Requirement 7: Restrict access to cardholder data by business need to know
  • Requirement 8: Identify and authenticate access to system components
  • Requirement 9: Restrict physical access to cardholder data
  • Requirement 11: Regularly test security systems and processes
  • Requirement 12: Maintain a policy that addresses information security for all personnel

Remember that while this SAQ doesn’t require you to attest to all the requirements in PCI DSS, you are still responsible for complying with all applicable requirements.

What questions to ask? 

Here is a list of sample questions you’ll need to address for SAQ B-IP.
  • Is direct public access prohibited between the Internet and any system component in the cardholder data environment?
  • Is strong cryptography implemented according to industry best practice and/or vendor recommendations? 
  • Is sensitive authentication data deleted or rendered unrecoverable upon completion of the authorization process?
  • Are policies in place that state that unprotected PANs are not to be sent via end-user messaging? 
  • Are critical security patches installed within one month of release?
  • Are vendor remote access accounts monitored when in use? 
  • Is media sent by secured courier or other delivery method that can be accurately tracked?
  • Are quarterly external vulnerability scans performed?
  • Is a list of service providers maintained?

Additional Tips

There are a few things to consider when getting compliant with SAQ B-IP. Here are some additional tips:
  • Train employees on security policies: Your policies won’t do much unless your employees are implementing them. Hold training quarterly, if not monthly.
  • Segment networks: Make sure your networks that handle card data have no connectivity with the rest of your business environment.
  • Use restricted access: Allow access to card data only to the employees who need it.

Michael Simpson (QSA, CISSP, CCNP) is a Principal Security Analyst at SecurityMetrics and has been in the IT Security industry for 15 years. He has a Bachelor of Science in Computer Science and a Master’s in Business Administration.