Learn who qualifies for the SAQ B, and tips to filling it out
SAQ B was developed to address requirements for merchants who process cardholder data through imprint machines or standalone, dial-out terminals. SAQ B merchants can either be card-present, or card-not-present merchants, but they do not store cardholder data on any computer system.
Who is required to fill out SAQ B?
Here's what qualifies your business to fill out SAQ B:
- Your company uses only an imprint machine and/or uses only standalone, dial-out terminals (connected via a phone line to your processor) to take your customers’ payment card information;
- The standalone, dial-out terminals are not connected to any other systems within your environment;
- The standalone, dial-out terminals are not connected to the Internet;
- Your company does not transmit cardholder data over a network (either an internal network or the Internet);
- Any cardholder data your company retains is on paper (for example, printed reports or receipts), and these documents are not received electronically; and
- Your company does not store cardholder data in electronic format.
 
See also: SAQ B-IP: Protecting Your Card Data
Note: this SAQ isn’t applicable to e-commerce channels, since merchants that qualify for it must not store or transmit cardholder data in electronic format. 
See also: PCI Standards: Which PCI SAQ is Right for My Business?
What PCI Requirements are included in SAQ B?
Here are the requirements included in this SAQ:
- Requirement 3: Protect stored cardholder data
- Requirement 4: Encrypt transmission of cardholder data across open, public networks
- Requirement 7: Restrict access to cardholder data by business need to know
- Requirement 9: Restrict physical access to cardholder data
- Requirement 12: Maintain a policy that addresses information security for all personnel
 
Note: While you only attest to five of the 12 sections of PCI-DSS for the SAQ B, you are still required to adhere to all applicable PCI-DSS requirements. 
See also: Free SecurityMetrics PCI Guide
See also: Top Ten PCI Requirement Failures: Where is Your Business Struggling?
Example questions to address
Here are just a few questions you’ll answer as part of this SAQ:
- Is sensitive authentication data deleted/rendered unrecoverable upon completion of the authorization process?
- Are policies in place that state unprotected PANs are not to be sent through end-user messaging technologies?
- Is the personal identification number (PIN) or the encrypted PIN block not stored after authorization?
- Is access to system components and cardholder data limited to only individuals whose jobs require access?
- Is media sent by secured courier or other delivery methods that can be accurately tracked?
- Are hardcopy materials cross-cut shredded, incinerated or pulped?
- Is a list of service providers maintained?
 
Additional tips
Here are a few more things to remember when filling out SAQ B:
- Update security policies: Make sure all your policies are updated and accessible to your employees.
- Boost your physical security: Protect areas of your business that process or store sensitive data by limiting access to them.
- Train employees: Make sure your employees understand your security policies and implement them.
 
Need help getting PCI compliant? Talk to us!