Payment Card Industry Data Security Standard Self Assessment Questionnaire (PCI DSS SAQ) may be a long and complex phrase to remember but for merchants and service providers it is a vital tool in validating in PCI compliance.

The SAQs that Payment Card Industry Security Standards Council (SSC) provide are designed to aid merchants and service providers in self-evaluating their compliance with PCI Data Security Standard and in doing so they can not only identify and assess their own security practices but it can help them plan further actions in becoming PCI compliant too. The SAQ may also be shown to the merchant or service providers' acquiring bank in order to prove to them that they were PCI compliant in a particular moment in time.

We have already discussed SAQ A and SAQ A-EP in our previous posts. We will continue exploring all the questionnaires during the coming weeks. The one that we are discuss today is Self-Assessment Questionnaire B (SAQ B).

Who should fill out the SAQ B?

The Self-Assessment Questionnaire B should be filled out by businesses that only process credit card data via imprint machines or via a standalone dial-out terminal.

Card imprint machines are non-electronic machines that make an imprint of the payment card, transferring the imprint onto a carbon paper receipts, which are then stored by the business. Dial-out terminals, on the other hand, are electronic machines where you can use Chip & PIN, swipe cards or manually key transactions but in order to be eligible for questionnaire B your standalone dial-out terminal can only be connected to a phone line and nothing else.

You can fill out this questionnaire if you run a brick-and-mortar business (card-present) or if you run a mail/telephone order (card-not-present) business as long as you don’t store card data on any computer system. If you are an eCommerce business or if you enter customer card data into a computer or database then you shouldn’t fill it out.

The criteria for taking Self-Assessment Questionnaire B is as follows:

  • Your organisation only uses an imprint machine or a standalone dial-out terminal (which is only connected to a phone line) to take card payments from customers
  • Where standalone dial-out terminals are used they must not be connected to any other system within your environment and they must not be connected to the Internet.
  • Your organisation must not transmit any payment card data over a network, including internal networks or the Internet.
  • Your organisation only stores paper reports, paper copies or paper receipts of customer data and these documents can't be received electronically either.
  • Your organisation doesn't store payment card data electronically.

What sort of questions are in SAQ B?

There are several different versions of the PCI DSS SAQ (Questionnaire B being one of them), which apply to different types of businesses that offer different things. However, all self-assessment questionnaires are the same in that they all consist of 'yes' or 'no' questions and they all include an Attestation of Compliance which certifies that you are eligible to perform the SAQ and that you have chosen the right one for your business.

The PCI Council explains:

"If there are PCI DSS requirements applicable to your environment that are not covered in this SAQ, it may be an indication that this SAQ is not suitable for your environment"

and that

“you must still comply with all applicable PCI DSS requirements in order to be PCI DSS compliant"

For this reason, it's probably a good idea to take a look at what sort of questions are in SAQ B, so that you can ensure that this really is the right SAQ type for your business.

The questions in SAQ B relate to section 3 (protecting cardholder data), section 4 (the encryption of cardholder data during transmission over open, public networks), section 7 (restricted access to cardholder data by business need to know), section 9 (restriction of physical access to cardholder data) and section 12 (policies that address information security for all personnel). The following questions are taken from the questionnaire and are listed alongside the section that they relate to:

  • The Card Verification Code or Value (three-digit or four-digit number printed on the front or back of a payment card) is not stored after authorization? (Section 3)
  • The full contents of any Track (from the magnetic stripe located on the back of a card, equivalent data contained on a chip, or elsewhere) are not stored after authorization? (Section 3)
  • Are policies in place that state that unprotected PANs are not to be sent via end-user messaging technologies, such as SMS or email? (Section 4)
  • Are access assigned based on individual personnel’s job classification and function? (Section 7)
  • Are all media physically secured (including but not limited to paper receipts, paper reports, and faxes)? (Section 9)
  • Is strict control maintained over the storage and accessibility of media? (Section 9)
  • Is all media destroyed when it is no longer needed for business or legal reasons? (Section 9)
  • Is the security policy reviewed at least annually and updated when the environment changes? (Section 12)
  • Is a list of service providers maintained? (Section 12)

These questions also come with a list of expected testing which may be something like 'observe processes', 'review policies and procedures' or 'examine data sources'. It is important to pay attention to these as if you do not meet the criteria for a question or do not understand it, the expected testing list provides you with actions that you can do in order to answer the questions appropriately.

How can you get up to speed filling out SAQ B?

Advantio are PCI Compliance experts and can aid your company in achieving compliance.

As a trusted advisor, our QSAs (Quality Security Assessors) can support an organisation in understanding the requirements, verify eligibility and can help with the completion of any SAQ. We can guide your company on the path to compliance, supporting you every step of the way.

Achieve and maintain PCI Compliance continually, keep your business safe and healthy by making sure that you retain your customer’s trust.

Marco Borza

Written by Marco Borza

I am the Founder of Advantio.
Technology has been my passion since I was a kid; when I first heard the handshake of an old 300bps modem I realised security would be key in an interconnected world. Since then it has become my passion and primary focus.
The reason why I've started my own business is to make IT Security simple.

Certifications: CISSP / CCSA (Checkpoint) / ITIL Foundations / ACSA (ArcSight)/ Linux+/ PCI-QSA / PA-QSA