Before You Begin
SAQ B has been developed to address requirements applicable to merchants who process cardholder data only via imprint machines or standalone, dial-out terminals. SAQ B merchants may be either brick-and-mortar (card-present) or mail/telephone order (card-not-present) merchants, and do not store cardholder data on any computer system.
SAQ B merchants confirm that, for this payment channel:
This SAQ is not applicable to e-commerce channels.
This shortened version of the SAQ includes questions that apply to a specific type of small merchant environment, as defined in the above eligibility criteria. If there are PCI DSS requirements applicable to your environment that are not covered in this SAQ, it may be an indication that this SAQ is not suitable for your environment. Additionally, you must still comply with all applicable PCI DSS requirements in order to be PCI DSS compliant.
The questions contained in the “PCI DSS Question” column in this self-assessment questionnaire are based on the requirements in the PCI DSS.
Additional resources that provide guidance on PCI DSS requirements and how to complete the self-assessment questionnaire have been provided to assist with the assessment process. An overview of some of these resources is provided below:
PCI DSS (PCI Data Security Standard Requirements and Security Assessment Procedures)
SAQ Instructions and Guidelines documents
PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms
These and other resources can be found on the PCI SSC website (www.pcisecuritystandards.org). Organizations are encouraged to review the PCI DSS and other supporting documents before beginning an assessment.
The instructions provided in the “Expected Testing” column are based on the testing procedures in the PCI DSS, and provide a high-level description of the types of testing activities that should be performed in order to verify that a requirement has been met. Full details of testing procedures for each requirement can be found in the PCI DSS.
For each question, there is a choice of responses to indicate your company’s status regarding that requirement. Only one response should be selected for each question.
A description of the meaning for each response is provided in the table below:
Response: Yes
When to use this response: The expected testing has been performed, and all elements of the requirement have been met as stated.
Response: Yes with CCW (Compensating Control Worksheet)
When to use this response: The expected testing has been performed, and the requirement has been met with the assistance of a compensating control.
All responses in this column require completion of a Compensating Control Worksheet (CCW) in Appendix B of the SAQ.
Information on the use of compensating controls and guidance on how to complete the worksheet is provided in the PCI DSS.
Response: No
When to use this response: Some or all elements of the requirement have not been met, or are in the process of being implemented, or require further testing before it will be known if they are in place.
Response: N/A (Not Applicable)
When to use this response: The requirement does not apply to the organization’s environment. (See Guidance for Non-Applicability of Certain, Specific Requirements below for examples.)
All responses in this column require a supporting explanation in Appendix C of the SAQ.
If any requirements are deemed not applicable to your environment, select the “N/A” option for that specific requirement, and complete the “Explanation of Non-Applicability” worksheet in Appendix C for each “N/A” entry.
If your organization is subject to a legal restriction that prevents the organization from meeting a PCI DSS requirement, check the “No” column for that requirement and complete the relevant attestation in Part 3.
Section 1: Assessment Information
Instructions for Submission
This document must be completed as a declaration of the results of the merchant’s self-assessment with the Payment Card Industry Data Security Standard Requirements and Security Assessment Procedures (PCI DSS). Complete all sections: The merchant is responsible for ensuring that each section is completed by the relevant parties, as applicable. Contact your acquirer (merchant bank) or the payment brands to determine reporting and submission procedures.
Part 1a. Merchant Organization Information
Part 1b. Qualified Security Assessor Company Information (if applicable)
Part 2. Executive Summary
Note: If your organization has a payment channel or process that is not covered by this SAQ, consult your acquirer or payment brand about validation for the other channels.
Part 2b. Description of Payment Card Business
Part 2f. Third-Party Service Providers
Part 2g. Eligibility to Complete SAQ B
Note: The following questions are numbered according to PCI DSS requirements and testing procedures, as defined in the PCI DSS Requirements and Security Assessment Procedures document.
Note: For the purposes of Requirement 12, “personnel” refers to full-time and part-time employees, temporary employees, and contractors and consultants who are “resident” on the entity’s site or otherwise have access to the company’s cardholder data environment.
Copyright © 2021 GAM Payments. All Rights Reserved.
GAM Payments, LLC is a registered ISO of Wells Fargo Bank, N.A., Concord, CA. GAM Payments, LLC is a registered ISO of Synovus Bank Columbus, GA.
GAM Payments, LLC is a registered ISO of Chesapeake Bank, Kilmarnock, VA.