Self-Assessment Questionnaire B is probably the most popular of all the SAQ types provided by the PCI SSC. SAQ B applies to the majority of small business retail stores. SAQ B applies to the most basic and traditional methods of processing credit card payments. It basically addresses the simplest processing methods, from old style card imprint machines to the basic telephone dial-up card terminals. With only a few more requirements over what is needed for SAQ A, SAQ B is a simple and straight forward questionnaire for reporting your PCI compliance.
Who it applies to:
The first rule for SAQ B qualification is that you must not digitally store any credit card data. Just for reference, this rule applies to all SAQ forms except SAQ D. If you store any card data, you automatically fill out SAQ D, which is the entire PCI DSS.
For SAQ B there are 2 groups that merchants will fall into. First are the merchants that use the credit card imprint machines. This style of credit card processing is old, but there are still merchants out there who use the knuckle-buster devices. For merchants using the imprint machines, special care will be needed to protect the physical access to the receipts. Because the these receipts contain the entire card number along with the expiration date for the card, this information is very sensitive. You will need to restrict access to only those employees who have a need for it. These receipts are your biggest security risk.
The second group that qualify for SAQ B are those merchants who use the simple dial-up card terminals. These terminals must be the standalone, dial-out type which connect directly to the phone line. Each time you process a card the terminal makes a call to your processor and transmits the information. There isn't a constant connection with these types of terminals. The easiest way to tell if you use a dial-up POS is to check if it plugs into the phone line, instead of a computer network cable.
Because of the qualifications for SAQ B, it usually applies to merchants with a physical store front and processes all transactions in person. These store owners are usually smaller merchants, due to the slower processing times for the dial-up terminals. Many of these shops will also only have one or two registers as well.
Even though the majority of SAQ B merchants are brick and mortar establishments, SAQ B can also apply to mail/telephone order operations. For mail/telephone order businesses the requirements for processing technology are the same as outlined above. The only thing to keep in mind for mail/telephone orders is that the card information can not be received electronically. For phone orders this isn't a problem. But for mail, the information must actually come in paper form, through the mail. It can't be emailed or digital fax, as that would violate the requirement of not receiving any card data electronically. As long as credit card numbers never touch a computer and you use the POS devices explained above, you are good to use SAQ B for PCI compliance reporting.
In summary, here are the bullet points to using SAQ B:
- Only us imprint machines and/or standalone, dial-out terminals with phone line connection to processor
- Dial-out terminals are not connected to any other computer, network, or the Internet
- N- o card data is ever stored or transmitted in electronic format (no email, digital fax, instant messaging, etc). Only paper copies or receipts
- You don't store any cardholder data in electronic format
How to become Compliant:
Becoming PCI compliant for SAQ B merchants is much the same as that for SAQ A. Because you don't store any electronic credit card data, and your card processing systems aren't connected to the Internet, you don't have to conduct any vulnerability scans. The real task is in complying with the requirements listed in SAQ B.
SAQ B covers 5 of the 12 PCI DSS sections. Only a portion of each section applies so the total number of requirements is small. The main requirement for SAQ B ensure that the card data is protected and also that policies are in place to prohibit the insecure transmitting of card data through services like instant messaging. SAQ B merchants must also develop policy and procedures for controlling access to physical copies of card data that might exist. Only employees that need to, should have access to the data.
Because of the limited exposure SAQ B merchants have to potential threats, their PCI requirements are small. With a little effort most of the requirements could be put into place in a very short time. With training and education, employees can be taught what they need to know and do in order to keep you secure and compliant with the PCI security standards.
As with all SAQ types, reporting compliance for SAQ B needs to be done each year. Before your compliance deadline each year review the SAQ B and audit your implementation for each DSS point. The current SAQ for can be found here.
As the SAQ form moves from the most basic processing methods to the more complex the security requires become more in-depth and require frequent attention.