PCI Compliance – Completing an SAQ B-IP

As we continue discussing the different SAQs that organizations complete, we’re going to cover another very specific merchant SAQ today. Merchants that use point-of-interaction (POI) terminals connected directly to the Internet and their payment processor can complete an SAQ B-IP, as of PCI DSS version 3.0 (February 2014). We’ll cover which merchants can use this SAQ and what needs to be in place to ensure an organization stays within this SAQ category.

What Organizations Can Use This SAQ

This SAQ is designed for merchants with payment channels that use only PIN Transaction Security (PTS) approved point-of-interaction devices that are connected via IP (e.g. an Ethernet cable to the Internet) to their payment processor. This is distinctly different from the original SAQ B, where terminals could only be connected to the payment processor via phone line, rather than any type of network connection. With an SAQ B-IP, merchants may accept card-present transactions (traditional brick-and-mortar locations) or card-not-present transactions (mail order/telephone order), but they may not accept e-commerce payments or have any electronic cardholder data storage. This SAQ has significantly more requirements associated with it than the SAQ B, as the connection to the network and the associated segmentation have to be properly controlled. It is still advantageous to complete this SAQ if it applies, as it has far fewer requirements than an SAQ C or D.

What Does it Take to Complete an SAQ B-IP?

For your company to complete an SAQ B-IP, you’ve got to confirm for the applicable payment channel that:

  • You only use standalone, PTS-approved point-of-interaction (POI) devices connected via IP to your payment processor.
  • The terminals you use are validated to the PTS POI program (listed on the PCI SSC website).
  • You are using network segmentation (or similar) to isolate the IP-connected POI devices.
  • The only transmission of cardholder data in your environment is from the POI devices to your payment processor.
  • The POI device doesn’t rely on any other device to connect to the payment processor, i.e. it connects directly and not through a computer workstation or phone.
  • Any retention of cardholder data is only on paper and that data is never received electronically.
  • There is no electronic storage of cardholder data.