PCI SAQ B-IP

Who is SAQ B-IP suitable for, and what do you need to do to be compliant?

Payment Card Industry Data Security Standard Self-Assessment Questionnaires (PCI DSS SAQs) allow merchants, service providers, and other businesses to assess every aspect of their security against the PCI DSS compliance requirements.

Companies that handle cardholder data in any way or form must be PCI DSS compliant. The PCI DSS SAQ is therefore an invaluable tool for working out how to become compliant.

In addition to ensuring that a company has a tight handle on its network and its various components, the SAQ highlights the network’s flaws, possible attack vectors, and the specific areas it needs to work on to ensure it is secure.

Also, companies may be asked to present their SAQ to financial or related entities to demonstrate their PCI compliance.

PCI SAQ B-IP has been developed to address requirements applicable to merchants who only process cardholder data with stand-alone PTS-approved point-of-interaction devices with an IP connection to the payment processing organization.

PCI SAQ B-IP identifies merchants that do not store card data electronically but use IP-connected Point of Interaction (POI) devices. SAQ B-IP merchants can perform card-present or card-not-present transactions, but cannot store card data in any computer system.

You can find all you need to know about PCI SAQ B-IP in our article.

See Also: Choosing the Right PCI DSS SAQ

You can check our PCI DSS SAQ article to review all PCI SAQ types and get detailed information.

Who should complete the PCI SAQ B-IP?

The Payment Card Industry offers several different SAQs. Because each SAQ contains a different set of PCI DSS requirements, you must choose the right one.

These requirements may also differ from business to business. The conditions and the applicable SAQ vary according to the company’s services and the types of devices, networks, and processes the business uses to collect, transmit, or store cardholder data.

SAQ B-IP covers only companies that store paper reports and paper copies of receipts with cardholder data and use stand-alone point-of-interaction (POI) devices to process their transactions. These terminals are where your customers can use Chip & PIN, swipe their cards, or have transactions entered manually.

The main difference between the stand-alone terminals covered by PCI DSS Self-Assessment Questionnaire B and those covered by Self-Assessment Questionnaire B-IP is that SAQ B-IP covers network-connected terminals, whereas SAQ B covers only terminals that transmit data over a dial-up connection.

The conditions that make a business eligible to complete SAQ B-IP are as follows:

  • Your company uses only stand-alone, PTS-approved POI devices that connect to your payment processor via IP to collect payment card details from your customers.
  • The stand-alone IP-connected POI devices are approved and listed under the PTS POI program on the PCI SSC website (excluding SCRs).
  • The IP-connected POI devices are not connected to any other network or system within your environment.
  • Cardholder data is transmitted to the payment processor only through the PTS-approved POI devices.
  • The POI devices do not rely on any other system to connect to the payment processor.
  • Your business retains only paper reports or paper copies of receipts containing cardholder data, and these documents are not received electronically.
  • Your business does not store cardholder data electronically.

If you meet all of the above criteria, you can self-assess with PCI SAQ B-IP. Note that SAQ B-IP does not apply to e-commerce channels.

What is the difference between PCI SAQ B and SAQ B-IP?

SAQ B and SAQ B-IP are essentially very similar. Both apply to businesses that store only paper reports and paper copies of receipts with cardholder data and use stand-alone point-of-interaction (POI) terminals to process their transactions.

Both SAQs apply to merchants that do not store card data electronically. The most significant difference between the two SAQs is how data is transmitted from the terminal to the processor.

SAQ B refers to merchants that process card data via dial-up POI terminals (connected by a telephone line). SAQ B-IP refers to merchants that process card data via POI devices connected to an IP network.

The main difference between the stand-alone terminals specified in SAQ B and those specified in SAQ B-IP is that SAQ B-IP covers network-connected terminals, whereas the stand-alone terminals in SAQ B transmit data only over a dial-up connection.

What are the Required PCI DSS Requirements for SAQ B-IP?

The PCI DSS requirements you must comply with for SAQ B-IP are as follows:

PCI SAQ B-IP covers 10 PCI DSS requirements, although several of them apply in reduced form. In total, there are 82 questions you have to answer in PCI SAQ B-IP.

Network-connected terminals pose a significantly higher risk than ordinary dial-up terminals. PCI DSS Self-Assessment Questionnaire B-IP therefore contains more questions than SAQ B, as it must also cover the protection of data transmitted across data networks.

What questions should you answer on the SAQ B-IP form?

The PCI DSS SAQ B-IP questions are grouped by requirement, including firewall installation and maintenance, encryption of cardholder data transmitted over public networks, identification and authentication of access to system components, and regular testing of security systems and processes.

Some sample questions from the 82 questions in SAQ B-IP are as follows:

  • Is direct public access between the Internet and any system component or cardholder data media prohibited?
  • Is strong cryptography implemented according to industry best practices or vendor recommendations?
  • Once the authorization process is complete, is sensitive authentication data removed or rendered unrecoverable?
  • Are there policies stating that unprotected PANs must not be sent via end-user messaging technologies?
  • Are critical security updates applied to systems within one month of release?
  • Are third-party service provider remote access accounts monitored while in use?
  • Are media sent by a reliable courier or another delivery method that can be accurately tracked?
  • Are quarterly external vulnerability scans performed?
  • Is a list of the service providers from which services are obtained maintained?

SAQ B-IP has significantly more requirements than SAQ B because the network connection and the associated network segmentation must be adequately controlled.

How to Complete the PCI DSS Self-Assessment Questionnaire B-IP?

Each question on the SAQ B-IP form offers several answers with which you can indicate your company’s status for that requirement: “Yes”, “No”, “Compensating Control”, or “Not Applicable”. Only one answer should be selected per question.

You can complete the SAQ B-IP form by following the steps below in order:

  1. First, determine the applicable SAQ for your environment.
  2. Confirm that your environment’s scope is adequately defined and meets the eligibility criteria for the SAQ you are using.
  3. Assess your environment for compliance with applicable PCI DSS requirements for SAQ B-IP.
  4. Complete all required sections of the SAQ B-IP form.
  5. Submit the SAQ and Attestation of Compliance (AOC), along with any other requested documentation, to the recipient (your payment brand or other requestor).

Additional tips for filling out PCI SAQ B-IP

There are a few additional tips you should consider to become PCI SAQ B-IP compliant:

Educate your employees about security policies: Your controls will not work unless your employees follow the security policies. Organize training quarterly, if not monthly.

Segment your networks: Make sure your card data processing network is isolated from the rest of your business environment.

Use restricted access: Grant access to card data only to the employees who need it.

You can view the latest (version 3.2.1) PCI Self-Assessment Questionnaire B-IP pdf form here.

Surkay Baykara (https://www.pcidssguide.com)
A passionate Senior Information Security Consultant working at Cyberwise. Over the past 15+ years my professional career has included several positions, beginning as a developer and IT administrator and working my way up to a senior Technical Performance Consultant before joining Biznet back in 2015. I had several different roles at Cyberwise, including Penetration Tester and PCI DSS QSA. In my job as a QSA, I found my passion and worked closely with the Audit and Compliance team. I've been working inside InfoSec for over 15 years, coming from a highly technical background. I have earned several certifications during my professional career, including CEH, CISA, CISSP, and PCI QSA.