SAQ B-IP — IP-Connected Terminals

PCI DSS SAQ B-IP Compliance Guide

The PCI DSS self-assessment for merchants using standalone, PTS-approved payment terminals connected to the processor over an IP-based network.

Understand SAQ B-IP eligibility, requirements, common pitfalls, and how GRCTrack streamlines your compliance journey.

What Is SAQ B-IP?

SAQ B-IP is a PCI DSS Self-Assessment Questionnaire designed for merchants who process card payments using standalone, PTS-approved payment terminals that connect to the payment processor over an IP-based network. These terminals must not store cardholder data electronically, and the merchant must not have any e-commerce payment channels.

SAQ B-IP applies to brick-and-mortar merchants whose payment terminals use an internet, Ethernet, or Wi-Fi connection to communicate with the payment processor, rather than dialing out over a traditional phone line. Each terminal must be a standalone device listed on the PCI SSC's approved PTS devices list, and these terminals must be the only systems in the merchant environment that store, process, or transmit cardholder data.

With approximately 82 requirements, SAQ B-IP is roughly twice the size of SAQ B because the IP network connection introduces security risks that require additional controls. Beyond the physical security and access control requirements shared with SAQ B, SAQ B-IP adds requirements for network security controls (firewalls), secure transmission of cardholder data, vulnerability management (anti-malware and patching), and regular security testing including quarterly ASV scans. This makes SAQ B-IP a substantially more rigorous assessment than SAQ B.

Who Qualifies for SAQ B-IP?

Brick-and-mortar merchants using standalone, PTS-approved payment terminals connected to the processor via an IP-based network
Merchants whose PTS-approved POI terminals are the only systems that store, process, or transmit cardholder data
Merchants who do not store cardholder data in any electronic format; any cardholder data they retain is on paper (printed receipts or reports) and is not received electronically
Merchants whose payment terminals are not connected to any other systems within the merchant environment (network segmentation can be used to isolate the terminals from other systems)
Merchants who do not process payments through any e-commerce channel or online system
Merchants whose terminals do not rely on any other device (a computer, mobile phone, or tablet) to connect to the payment processor, so the only transmission of cardholder data is from the terminal to the processor

Key SAQ B-IP Requirements

Req 1: Network Security Controls

Install and maintain network security controls (firewalls) to protect the cardholder data environment. Segment the terminal network from general business traffic, restrict inbound and outbound connections, and maintain documented firewall rules.

Req 2: Secure Configurations

Apply secure configurations to all system components including payment terminals, routers, firewalls, and network switches. Change all vendor-supplied default passwords and settings, and disable unnecessary services and protocols.

Req 4: Secure Transmissions

Protect cardholder data with strong cryptography during transmission over open, public networks. Ensure the terminal uses encrypted connections (TLS 1.2 or higher) when communicating with the payment processor over the IP network.

Req 5-6: Vulnerability Management

Protect all systems against malware and regularly update anti-malware software. Develop and maintain secure systems by applying security patches promptly. Keep terminal firmware up to date with the latest security patches from the manufacturer.

Req 9: Physical Security

Restrict physical access to cardholder data and payment terminals. Maintain terminal inventories, regularly inspect devices for tampering or unauthorized substitution, and train staff to detect suspicious modifications to terminals.
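The inventory and inspection duties above are easy to state and easy to do badly; the useful part is reconciling what an inspector actually observes against the inventory of record. The script below is an added example, not GRCTrack code or anything from the PCI SSC, showing that reconciliation in Python. The terminal serials, locations, seal identifiers and the inspection sheet are all constructed for illustration.

```python
"""Reconcile a physical terminal inspection against the device inventory.

Added example (not GRCTrack code). Serial numbers, make/model strings,
locations and seal IDs are made up for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class TerminalRecord:
    serial: str
    make_model: str
    location: str
    seal_id: str      # tamper-evident seal applied when the device was deployed


@dataclass(frozen=True)
class Inspection:
    location: str
    observed_serial: str
    observed_seal: str
    intact: bool      # housing and seal undamaged, no attached overlay or skimmer


# Inventory of record: one entry per deployed terminal (constructed data).
INVENTORY: Dict[str, TerminalRecord] = {
    r.serial: r for r in [
        TerminalRecord("PT-0001", "Acme VX-100", "Register 1", "SEAL-A1"),
        TerminalRecord("PT-0002", "Acme VX-100", "Register 2", "SEAL-A2"),
        TerminalRecord("PT-0003", "Acme VX-100", "Customer service", "SEAL-A3"),
    ]
}


def reconcile(inventory: Dict[str, TerminalRecord],
              inspections: List[Inspection]) -> List[str]:
    """Return human-readable findings; an empty list means the walk-through was clean."""
    findings: List[str] = []
    seen = set()
    for ins in inspections:
        rec = inventory.get(ins.observed_serial)
        if rec is None:
            # A serial that is not in inventory is the classic substitution indicator.
            findings.append(f"{ins.location}: unknown device {ins.observed_serial} "
                            "(possible substitution)")
            continue
        seen.add(rec.serial)
        if rec.location != ins.location:
            findings.append(f"{ins.location}: {rec.serial} recorded at {rec.location} "
                            "(moved without updating inventory)")
        if rec.seal_id != ins.observed_seal:
            findings.append(f"{ins.location}: {rec.serial} seal {ins.observed_seal} "
                            f"does not match recorded {rec.seal_id} (tamper/reseal)")
        if not ins.intact:
            findings.append(f"{ins.location}: {rec.serial} shows physical damage or "
                            "an attached device")
    # Anything in inventory that nobody inspected may be missing or was skipped.
    for serial, rec in inventory.items():
        if serial not in seen:
            findings.append(f"{rec.location}: {serial} not inspected (missing device?)")
    return findings


# Constructed inspection sheet from one walk-through.
INSPECTIONS = [
    Inspection("Register 1", "PT-0001", "SEAL-A1", True),
    Inspection("Register 2", "PT-9999", "SEAL-ZZ", True),   # serial not in inventory
    # Customer service terminal PT-0003 was never inspected.
]

if __name__ == "__main__":
    for line in reconcile(INVENTORY, INSPECTIONS):
        print(line)
```

The order of checks matters: an unknown serial is reported and the record is skipped, because comparing seals or locations against a device that should not be there only adds noise. Devices present in inventory but absent from the inspection are reported last, since they are the ones most likely to have walked out the door.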

Req 11: Security Testing

Regularly test security systems and processes. Perform quarterly external vulnerability scans by an Approved Scanning Vendor (ASV), rescan after any significant change to the environment, and test for unauthorized wireless access points in and around the cardholder data environment.

Common SAQ B-IP Mistakes

Failing to Segment the Terminal Network

One of the most critical mistakes is connecting payment terminals to the same network as general business systems (computers, printers, Wi-Fi for customers). PCI DSS Requirement 1 mandates that the cardholder data environment be isolated from untrusted networks. Without proper network segmentation using firewalls or VLANs, every system on the shared network comes into scope, and the merchant no longer meets the SAQ B-IP eligibility criterion that terminals are not connected to other systems, which pushes the assessment to a broader questionnaire (typically SAQ D).

Not Patching Terminal Firmware

Payment terminals run embedded software that requires regular security updates from the manufacturer. Many merchants treat terminals as set-and-forget devices, but PCI DSS Requirements 5 and 6 require that all system components, including payment terminals, are kept up to date with security patches. Requirement 6.3.3 expects critical and high-security patches to be installed within one month of release, with other applicable patches applied on a timeframe set by the merchant's risk analysis. Outdated firmware can contain vulnerabilities that attackers exploit to intercept cardholder data. Establish a process to check for and apply terminal firmware updates on that schedule rather than waiting for a device to fail.

Overly Permissive Rules on the Terminal Network

Even a dedicated VLAN does little if its firewall rules let terminals reach anything. Allowing email, web browsing, or other business applications to traverse the terminal network, or allowing terminals to reach the business LAN and the open internet, increases both risk and PCI DSS scope. The terminal network should carry only the traffic the terminals need: outbound connections to the processor's endpoints on the expected port, plus any supporting services such as DNS or NTP. Write firewall rules that allowlist those destinations and deny everything else, permit no inbound connections from the internet or the business LAN, and review the rules whenever the processor changes its endpoints.
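Both the segmentation point under Requirement 1 and the two mistakes just described come down to a handful of flows that must be allowed and a larger set that must be blocked, which is something worth checking mechanically rather than by eye. The script below is an added example, not code from GRCTrack or the PCI SSC: it models a first-match firewall policy for a terminal VLAN and checks it against the flows an SAQ B-IP environment should and should not permit. The VLAN ranges, the processor address 203.0.113.10 (a documentation address) and the resolver address are assumptions chosen for illustration; substitute your own rule set and the endpoints your processor publishes.

```python
"""Audit a terminal-VLAN firewall policy against SAQ B-IP traffic expectations.

Added example (not GRCTrack or PCI SSC code). Address ranges, the processor
endpoint and the resolver are assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source CIDR
    dst: str               # destination CIDR
    proto: str             # "tcp", "udp", or "any"
    dport: Optional[int]   # destination port, None = any port


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def evaluate(rules: List[Rule], flow: Flow) -> str:
    """First matching rule wins; nothing matching means implicit deny."""
    s = ipaddress.ip_address(flow.src)
    d = ipaddress.ip_address(flow.dst)
    for r in rules:
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and r.proto in ("any", flow.proto)
                and r.dport in (None, flow.dport)):
            return r.action
    return "deny"


# Assumed topology: terminals on VLAN 10, business LAN on 10.20.0.0/16,
# processor gateway at 203.0.113.10:443, local resolver at 10.10.10.1.
TERMINAL_VLAN = "10.10.10.0/24"
BUSINESS_LAN = "10.20.0.0/16"
PROCESSOR = "203.0.113.10/32"
RESOLVER = "10.10.10.1/32"

# Allowlist the processor and DNS, deny everything else.
GOOD_POLICY = [
    Rule("allow", TERMINAL_VLAN, RESOLVER, "udp", 53),
    Rule("allow", TERMINAL_VLAN, PROCESSOR, "tcp", 443),
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", "any", None),
]

# The common mistake: a blanket egress rule that also reaches the business LAN and the internet.
BAD_POLICY = [
    Rule("allow", TERMINAL_VLAN, "0.0.0.0/0", "any", None),
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", "any", None),
]

# Flows a B-IP terminal network should permit or block (constructed test flows).
EXPECTATIONS: List[Tuple[Flow, str]] = [
    (Flow("10.10.10.25", "203.0.113.10", "tcp", 443), "allow"),  # terminal -> processor, TLS
    (Flow("10.10.10.25", "10.10.10.1", "udp", 53), "allow"),     # terminal -> local resolver
    (Flow("10.10.10.25", "10.20.5.7", "tcp", 445), "deny"),      # terminal -> business file server
    (Flow("10.20.5.7", "10.10.10.25", "tcp", 22), "deny"),       # business LAN -> terminal
    (Flow("198.51.100.9", "10.10.10.25", "tcp", 443), "deny"),   # internet -> terminal
    (Flow("10.10.10.25", "198.51.100.9", "tcp", 80), "deny"),    # terminal -> arbitrary web host
]


def audit(rules: List[Rule]) -> List[Tuple[Flow, str, str]]:
    """Return (flow, expected, actual) for every expectation the policy violates."""
    failures = []
    for flow, expected in EXPECTATIONS:
        actual = evaluate(rules, flow)
        if actual != expected:
            failures.append((flow, expected, actual))
    return failures


if __name__ == "__main__":
    for name, policy in (("allowlist policy", GOOD_POLICY), ("blanket egress", BAD_POLICY)):
        failures = audit(policy)
        print(f"{name}: {'PASS' if not failures else 'FAIL'}")
        for flow, expected, actual in failures:
            print(f"  {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto} "
                  f"expected {expected}, got {actual}")
```

The blanket-egress policy fails exactly the two flows segmentation is meant to stop, terminal to business LAN and terminal to an arbitrary internet host, while still looking fine for the processor connection, which is why merchants often do not notice the gap until an assessor asks for the rule set. Add the endpoints your processor documents, and any management traffic the terminal vendor requires, as explicit allow rules rather than widening the default.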

Skipping Quarterly ASV Scans

Unlike SAQ B, SAQ B-IP requires quarterly external vulnerability scans performed by a PCI SSC Approved Scanning Vendor (ASV). Many merchants transitioning from SAQ B to SAQ B-IP are unaware of this requirement. ASV scans must cover all externally accessible IP addresses and domains associated with the cardholder data environment and must produce a passing result, meaning no vulnerabilities rated CVSS 4.0 or higher remain unresolved. Failing to complete these scans, or failing to remediate and rescan after a failed scan, is a compliance gap that results in non-compliance findings.

How GRCTrack Helps with SAQ B-IP Compliance

SAQ type selection wizard that evaluates your terminal type, connection method, and network architecture to confirm SAQ B-IP eligibility
Pre-built SAQ B-IP control library with all 82 applicable requirements mapped and guided step-by-step
Network segmentation validation checklists to ensure your terminal environment is properly isolated from business networks
Automated ASV scan scheduling and tracking with remediation workflows for quarterly vulnerability scanning compliance
Terminal firmware patch management tracking to ensure devices stay current with manufacturer security updates
AI-powered compliance guidance built by certified QSAs to answer SAQ B-IP-specific questions about network security and terminal requirements


Ready to Complete Your SAQ B-IP Assessment?

GRCTrack guides you through every SAQ B-IP requirement with step-by-step compliance workflows.