PCI DSS SAQ B Compliance Guide
The PCI DSS self-assessment for brick-and-mortar merchants using standalone dial-out payment terminals over traditional phone lines.
Understand SAQ B eligibility, requirements, common pitfalls, and how GRCTrack streamlines your compliance journey.
What Is SAQ B?
SAQ B is a PCI DSS Self-Assessment Questionnaire designed for merchants who process card payments using standalone, dial-out terminals connected via traditional analog phone lines. These terminals dial the payment processor directly for each transaction and do not store cardholder data electronically.
SAQ B applies to brick-and-mortar merchants whose only payment channel is a standalone payment terminal with a dial-out connection over a phone line (POTS). The terminal must not be connected to any IP-based network, and the merchant must not store cardholder data in any electronic format. Paper-based records such as terminal receipts and settlement reports are permitted but must be physically secured.
With approximately 41 requirements, SAQ B has a relatively light compliance burden compared to SAQ C or SAQ D, but it is more extensive than SAQ A because the merchant physically handles payment cards. The requirements focus on physical security, access controls, secure configurations, and maintaining an information security policy. SAQ B does not include requirements for firewalls, encryption, vulnerability scanning, or penetration testing because the dial-out phone line connection does not traverse IP networks.
Key SAQ B Requirements
Req 2: Secure Configurations
Apply secure configurations to all system components. Change vendor-supplied defaults on payment terminals, including default passwords and SNMP community strings. Ensure unnecessary services and protocols are disabled on terminal devices.
Req 7: Restrict Access
Restrict access to system components and cardholder data to only those individuals whose job requires such access. Implement role-based access controls and ensure access rights are granted on a need-to-know basis.
Req 8: Identify & Authenticate
Identify users and authenticate access to system components. Assign unique IDs to each person with access, enforce strong authentication for any administrative access to terminals, and maintain proper user account management procedures.
Req 9: Physical Security
Restrict physical access to cardholder data and payment terminals. Regularly inspect terminals for tampering or unauthorized substitution, train staff to detect skimming devices, and secure any paper records containing cardholder data.
Req 12: Security Policies
Establish, publish, maintain, and disseminate a security policy. Implement a risk assessment process, maintain a security awareness program, and establish procedures for managing service providers and incident response.
Req 3: Protect Stored Data
Protect stored account data. SAQ B merchants must not store electronic cardholder data, so this requirement ensures that any retained data (such as on paper receipts) is protected and that data retention and disposal policies are implemented and followed.
Common SAQ B Mistakes
Assuming IP-Connected Terminals Qualify
One of the most common errors is completing SAQ B when the payment terminal connects to the processor via an IP network (Ethernet, Wi-Fi, or broadband) rather than a traditional analog phone line. IP-connected terminals require SAQ B-IP at minimum, which includes significantly more requirements around network security, encryption, and vulnerability management. If your business has migrated to VoIP phone service, your terminal may no longer be using a true dial-out connection.
Not Securing Paper Receipts and Reports
Many SAQ B merchants overlook the physical security requirements for paper-based cardholder data. Terminal receipts, settlement reports, and chargeback documentation often contain full or partial card numbers. PCI DSS Requirement 9 mandates that these records be stored in a secure location with restricted access, and that they be destroyed securely (cross-cut shredding) when no longer needed for business or legal purposes.
Ignoring Terminal Physical Security
PCI DSS Requirement 9.9 requires merchants to protect payment terminals against tampering and unauthorized substitution. This includes maintaining an up-to-date inventory of all terminals, regularly inspecting devices for evidence of tampering (extra wiring, labels removed, broken seals), and training staff to recognize suspicious behavior around payment terminals such as attempted device swaps by unauthorized individuals.
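The inventory and inspection duties above are usually tracked on paper, but the same reconciliation can be automated. The following Python is an added illustration written for this guide, not GRCTrack's or the PCI SSC's code; the inventory records, serial numbers, locations and dates are constructed sample data. It compares what staff recorded on a floor walk against the terminal inventory and reports possible device substitution (a serial at a location that does not match the inventory), unknown devices, devices that are missing or moved, physical tamper evidence, and terminals whose last inspection is older than a chosen interval.

```python
"""Terminal inventory reconciliation in the spirit of PCI DSS Req 9.9.

Added illustration, not GRCTrack code: every record, serial number and date
below is constructed sample data. The check compares a floor walk against the
device inventory and flags substitution, unknown, missing and moved devices,
tamper evidence, and overdue inspections.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class TerminalRecord:
    """One line of the authoritative terminal inventory."""
    serial: str
    model: str
    location: str
    last_inspected: date


@dataclass(frozen=True)
class Observation:
    """What an employee recorded for one location during a floor walk."""
    location: str
    serial: str          # serial read off the device label
    seals_intact: bool   # no broken seals, extra wiring or removed labels


WALK_DATE = date(2024, 6, 3)  # constructed date of the sample floor walk

# Constructed inventory: three terminals, one not inspected for months.
INVENTORY = [
    TerminalRecord("T-1001", "Model X", "Register 1", date(2024, 5, 20)),
    TerminalRecord("T-1002", "Model X", "Register 2", date(2024, 5, 20)),
    TerminalRecord("T-1003", "Model X", "Service desk", date(2024, 3, 1)),
]

# Constructed floor walk: Register 2 holds a device the inventory has never
# seen, and the service desk terminal has a broken seal.
OBSERVED = [
    Observation("Register 1", "T-1001", True),
    Observation("Register 2", "T-9999", True),
    Observation("Service desk", "T-1003", False),
]


def reconcile(inventory, observed):
    """Return sorted (finding, location, detail) tuples for one floor walk."""
    by_serial = {t.serial: t for t in inventory}
    by_location = {t.location: t for t in inventory}
    seen = set()
    substituted = set()  # locations where a foreign device replaced the expected one
    findings = []

    for obs in observed:
        seen.add(obs.serial)
        expected = by_location.get(obs.location)
        if obs.serial not in by_serial:
            if expected is None:
                findings.append(("UNKNOWN_DEVICE", obs.location, obs.serial))
            else:
                substituted.add(obs.location)
                findings.append(("POSSIBLE_SUBSTITUTION", obs.location,
                                 f"found {obs.serial}, expected {expected.serial}"))
        elif by_serial[obs.serial].location != obs.location:
            findings.append(("MOVED", obs.location,
                             f"{obs.serial} belongs at {by_serial[obs.serial].location}"))
        if not obs.seals_intact:
            findings.append(("TAMPER_EVIDENCE", obs.location, obs.serial))

    # A device whose slot was taken by a substitute is already reported above.
    for rec in inventory:
        if rec.serial not in seen and rec.location not in substituted:
            findings.append(("MISSING", rec.location, rec.serial))
    return sorted(findings)


def overdue_inspections(inventory, today, max_days=30):
    """Serials whose last recorded inspection is older than max_days."""
    return sorted(t.serial for t in inventory
                  if (today - t.last_inspected).days > max_days)


if __name__ == "__main__":
    for finding in reconcile(INVENTORY, OBSERVED):
        print(*finding, sep=" | ")
    print("overdue:", overdue_inspections(INVENTORY, WALK_DATE))
```

On the constructed data the walk yields a possible substitution at Register 2 and tamper evidence at the service desk, and the service-desk terminal is also flagged as overdue for inspection. The 30-day interval is an assumption for the example; the actual inspection frequency is something each merchant sets in its own Requirement 9 procedures.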
Neglecting Staff Security Awareness Training
SAQ B requires a formal security awareness program under Requirement 12.6. Staff who handle payment terminals and paper-based cardholder data must be trained to understand their security responsibilities, including how to recognize terminal tampering, social engineering attempts, and proper procedures for handling sensitive materials. Many small merchants skip this requirement, leaving them non-compliant and vulnerable to attacks.
Ready to Complete Your SAQ B Assessment?
GRCTrack guides you through every SAQ B requirement with step-by-step compliance workflows.