
PCI SAQ B


Which organizations does PCI SAQ B apply to, and what should they know to complete it?

The Self-Assessment Questionnaires (SAQs) published by the Payment Card Industry Security Standards Council (PCI SSC) are designed to help merchants and service providers self-assess their compliance with the PCI Data Security Standard.

In doing so, merchants not only identify and evaluate their current security practices but also gain a basis for planning the further actions needed to become PCI compliant.

An SAQ can also be presented to a merchant's or service provider's acquiring bank as evidence that they were PCI compliant at a particular point in time.

PCI SAQ B was created for merchants that process cardholder data using imprint (slip) machines or stand-alone dial-up terminals. SAQ B merchants may carry out card-present or card-not-present transactions, but they must not store cardholder data on any computer system.

See Also: Choosing the Right PCI DSS SAQ

You can check our PCI DSS SAQ article to review all PCI SAQ types and get detailed information.

Who should fill out PCI SAQ B?

Self-Assessment Questionnaire B must be completed by companies that process payment card data through imprint (slip) machines or stand-alone dial-up terminals.

Card slip (imprint) machines are non-electronic devices that press the embossed card details onto a multi-part carbon-copy receipt. Typically, the merchant gives one copy of the form to the customer and keeps the remaining copies for processing with the card company.

Stand-alone dial-up terminals, on the other hand, are electronic point-of-sale (POS) devices into which customers insert their payment cards for processing. Such a terminal may be a PIN entry device (PED) that accepts chip-and-PIN cards or swipes magnetic-stripe credit and debit cards.

If your business performs card-present transactions in person, or carries out card-not-present transactions such as mail or telephone orders without storing card data on any device, you must complete the PCI SAQ B questionnaire.

However, if you are an e-commerce company, or if you enter customer card data into a computer or database, you should not use this form.

The conditions that make a business eligible for SAQ B are as follows:

  • Your company uses only imprint (slip) machines and/or stand-alone dial-up terminals (connected to your processor by a phone line) to collect payment card details from your customers.
  • The stand-alone dial-up terminals are not connected to any other system in your environment.
  • The stand-alone dial-up terminals have no Internet connection.
  • Your organization does not transmit cardholder data over any network (neither the Internet nor an internal network).
  • Any cardholder data your organization keeps is on paper (for example printed reports or receipts) and is not available electronically.
  • Your organization does not store cardholder data electronically.

You can self-assess with PCI SAQ B if you meet the above requirements.

Note that PCI SAQ B does not apply to e-commerce platforms, because merchants eligible for it must not store or transmit cardholder data electronically.

What are the PCI DSS Requirements for SAQ B?

For SAQ B, you must meet the PCI DSS requirements applicable to your environment.

PCI SAQ B covers five of the PCI DSS requirements, and several of those are applied in reduced form. In total there are 41 questions to answer in PCI SAQ B.

Note that although SAQ B only asks about five of the 12 PCI DSS requirements, you still need to comply with every PCI DSS requirement that is relevant to your environment.

Sample SAQ B Questions You Should Answer

Among the 41 questions in PCI SAQ B are the following:

  • Once the authorization process is complete, is sensitive authentication data deleted or rendered unrecoverable?
  • Are there policies stating that unprotected PANs must not be sent via end-user messaging technologies?
  • Is the personal identification number (PIN) or the encrypted PIN block stored after authorization?
  • Is access to system components and cardholder data limited to only those individuals whose job requires such access?
  • Is media sent by secured courier or another delivery method that can be accurately tracked?
  • Are hard-copy materials cross-cut shredded, incinerated, or pulped?
  • Do you maintain a list of the service providers you use?

Each question comes with a list of expected testing activities, such as observing processes, reviewing policies and procedures, or examining data sources.

It is worth paying attention to these: if you do not meet a requirement, or are unsure what a question is asking, the expected testing list shows what evidence an assessor would look for and therefore what actions you can take to answer the question appropriately.

What are the differences between SAQ B and SAQ B-IP?

SAQ B and SAQ B-IP are very similar. Both apply to merchants that store only paper reports and paper copies of receipts containing cardholder data and that use stand-alone point-of-interaction (POI) terminals to process transactions. Neither SAQ covers cardholder data held in electronic form.

The main difference between the stand-alone terminals described in PCI DSS Self-Assessment Questionnaire B and those in Self-Assessment Questionnaire B-IP is that SAQ B-IP covers network-connected terminals, whereas SAQ B covers only terminals that transmit data over a dial-up connection.

In other words, the most significant difference between the two SAQs is how data is sent from the terminal to the processor.

SAQ B refers to merchants using dial-up POI terminals to process card data. SAQ B-IP applies to merchants who process card data via POI devices connected to an IP network.

How to Complete the PCI DSS Self-Assessment Questionnaire B?

Each question on the SAQ B form offers several answers with which you indicate your company's status against that requirement: "Yes", "No", "Compensating Control", or "Not Applicable". Choose exactly one answer for each question.

You can complete the SAQ B form by following the steps below in order:

  1. First, determine the applicable SAQ for your environment.
  2. Confirm that your environment’s scope is adequately defined and meets the eligibility criteria for the SAQ you are using.
  3. Assess your environment for compliance with applicable PCI DSS requirements for SAQ B.
  4. Complete all required sections of the SAQ B form.
  5. Communicate the SAQ and Attestation of Compliance (AOC), along with any other requested documentation, to the recipient, your payment brand, or other requestors.

Additional tips for completing PCI SAQ B

There are a few more things to keep in mind when filling out SAQ B:

Update your security policies: Make sure all policies are current and available to your staff.

Increase your physical security: Restrict access to the areas of your company where sensitive data is processed or stored.

Educate employees: Make sure your staff understand and follow your security policies.

You can view the latest (version 3.2.1) PCI Self-Assessment Questionnaire B pdf form here.

Surkay Baykara
A passionate Senior Information Security Consultant working at Cyberwise. Over the past 15+ years my professional career has included several positions, beginning as a developer and IT administrator and working my way up to a senior Technical Performance Consultant before joining Biznet back in 2015. I have had several different roles at Cyberwise, including Penetration Tester and PCI DSS QSA. In my job as a QSA, I found my passion and worked closely with the Audit and Compliance team. I've been working inside InfoSec for over 15 years, coming from a highly technical background. I have earned several certifications during my professional career, including CEH, CISA, CISSP, and PCI QSA.