SAQ B has been developed to address requirements applicable to merchants who process cardholder data only via imprint machines or stand-alone, dial-out terminals.
These merchants are defined as SAQ Validation Types 2 and 3, here and in the PCI DSS Self-Assessment Questionnaire Instructions and Guidelines. SAQ Validation Type 2 merchants process cardholder data only via imprint machines. SAQ Validation Type 3 merchants process cardholder data only via stand-alone, dial-out terminals. Both of these merchant types may be either brick-and-mortar (card-present) or mail/telephone-order (card-not-present) merchants; e-commerce merchants are excluded, since the conditions below rule out transmitting cardholder data over the Internet. These merchants must validate compliance by completing SAQ B and the associated Attestation of Compliance, confirming that:
For Validation Type 2:
- Your company uses only imprint machines;
- Your company does not transmit cardholder data over either a phone line or the Internet;
- Your company retains only paper reports or paper copies of receipts; and
- Your company does not store cardholder data in electronic format.
For Validation Type 3:
- Your company uses only stand-alone, dial-out terminals (connected via a phone line to your processor);
- Your stand-alone dial-out terminals are not connected to any other systems or to the Internet;
- Your company retains only paper reports or paper copies of receipts; and
- Your company does not store cardholder data in electronic format.
Each section of the questionnaire focuses on a specific area of security, based on the requirements in the PCI Data Security Standard.