SAQ B has been developed to address requirements applicable to merchants who process cardholder data only via imprint machines or standalone, dial-out terminals.
SAQ B merchants are defined here and in the PCI DSS Self-Assessment Questionnaire Instructions and Guidelines. SAQ B merchants process cardholder data only via imprint machines or via standalone, dial-out terminals, and may be either brick-and-mortar (card-present) or e-commerce or mail/telephone order (card-not-present) merchants. These merchants validate compliance by completing SAQ B and the associated Attestation of Compliance, confirming that:
- Your company uses only imprint machines and/or uses only standalone, dial-out terminals (connected via a phone line to your processor) to take your customers’ payment card information;
- The standalone, dial-out terminals are not connected to any other systems within your environment;
- The standalone, dial-out terminals are not connected to the Internet;
- Your company does not transmit cardholder data over a network (either an internal network or the Internet);
- Your company retains only paper reports or paper copies of receipts with cardholder data, and these documents are not received electronically; and
- Your company does not store cardholder data in electronic format.
Each section of the questionnaire focuses on a specific area of security, based on the requirements in the PCI DSS Requirements and Security Assessment Procedures. This shortened version of the SAQ includes questions which apply to a specific type of small merchant environment, as defined in the above eligibility criteria. If there are PCI DSS requirements applicable to your environment which are not covered in this SAQ, it may be an indication that this SAQ is not suitable for your environment. Additionally, you must still comply with all applicable PCI DSS requirements in order to be PCI DSS compliant.