PCI Compliance – Completing an SAQ B

One of the most common compliance standards we deal with as an organization is the Payment Card Industry Data Security Standard (PCI DSS). Reading through this standard can be complex, however, and trying to figure out how it applies to your organization can be a daunting task. For most organizations that have to complete a Self-Assessment Questionnaire (SAQ), the most difficult part of the process is often just trying to understand which SAQ you should even be completing! So we’ll start with the simpler SAQs (SAQ B in this case) and try to help de-mystify the requirements for an organization to complete this level of self-assessment.

Why Should You Care?

First of all, it may help to understand a little bit about the different SAQs and why it’s so important to choose the right one. There are 9 different SAQs you could potentially complete as an organization. Some organizations complete multiple SAQs, one per payment channel (this would be up to your acquiring bank). The difference between these levels is the number of requirements that you are responsible for complying with. That’s the primary reason you want to make sure you use the proper SAQ. This will make sure you are not unnecessarily complying with requirements that should be N/A, not complying with overly stringent requirements given the ways you process credit cards, and not carrying any unnecessary residual liability from not properly assessing your organization. Your SAQ selection and your scope have an immense impact on your level of effort associated with compliance.

What Does it Take to Complete an SAQ B?

For an SAQ B specifically, there are 4 requirements and your organization has to meet all of them:

  • You only use an imprint machine (aka knuckle-buster) to imprint credit card information and that data isn’t transmitted via phone/Internet OR you only use standalone, dial-out terminals that are connected via a phone line to your processor. These terminals cannot be connected to the Internet or any other system in the environment.
  • You DO NOT transmit cardholder data over a network (internal or Internet).
  • You DO NOT store cardholder data in an electronic format anywhere.
  • If any cardholder data is stored, it is only in paper reports or receipts. Never electronically.

So if you can answer “Yes” to each one of those bullets you are eligible. There are a couple of things to make sure you consider when you are answering these that can help prevent any “gotchas”. Are you sure you aren’t ever accepting credit card payments over the phone using VoIP? That could immediately bring your network into scope and, depending on your network segmentation, bump you up to an SAQ C or D. Are you scanning in any payment information or receipts that would result in cardholder data being electronically stored? Are there any chargeback or reconciliation procedures that you’re not considering?

With all that in mind, you can see why it might be overwhelming for someone who doesn’t have a ton of experience with PCI to make these kinds of calls. Your acquiring bank may be able to help you through this process in some cases, or we’d be more than happy to talk through which SAQ would be the best fit for you. An SAQ B has 41 individual requirements associated with it, which probably sounds much more appetizing than the over 250 associated with an SAQ D, for example. Choosing the right SAQ will give your organization the best overall fit for compliance and reduce the resources needed to achieve and maintain compliance.