Guide · PCI DSS v4.0 · SAQ B

SAQ B: who qualifies, what it covers, and how to confirm it

SAQ B is one of the shortest paths through PCI DSS validation, written for merchants that take cards only on imprint machines or standalone terminals that dial out over a telephone line, and that store no cardholder data electronically. Here’s who qualifies, the details that quietly disqualify merchants, and how to confirm the call before you sign it.

Plain-English · SAQ B eligibility · Free 2-minute check

If your whole card setup is a terminal on a phone line, or a manual imprint machine and a locked drawer of paper slips, PCI DSS asks far less of you than it asks of a merchant running networked payment software. SAQ B exists for exactly that environment. The two words that decide it: only and dial-out.

Who SAQ B fits

SAQ B is one of the eight PCI DSS Self-Assessment Questionnaires, the validation documents the PCI Security Standards Council (PCI SSC) publishes for merchants that qualify to self-assess. Completing one ends in a signed Attestation of Compliance (AOC) that goes to your acquiring bank or the card brands. SAQ B is the version written for the smallest of card setups: paper imprints and standalone terminals on telephone lines. It tends to sound like this:

The common thread: cardholder data moves from the customer’s card to a standalone device to the processor over a telephone line, or onto a paper imprint. It never enters your computers, your network, or a website you run. That is precisely the environment SAQ B was written for, and it’s why the questionnaire can stay short. If none of these sound like you, the guide to all 8 SAQ types maps every acceptance pattern to its questionnaire.

The exact eligibility criteria

Per the PCI SSC’s SAQ Instructions and Guidelines for PCI DSS v4.0, SAQ B is for merchants that use only imprint machines or standalone dial-out terminals, with no electronic storage of cardholder data. It’s a short sentence, and every word in it is doing work:

The SAQ B document itself opens with an eligibility checklist you attest to, item by item. If any item doesn’t describe your setup, the right move is to find the SAQ that does, not to stretch this one, because your signature on the Attestation of Compliance says the checklist is true.

Find your SAQ free, in about 2 minutes.

Answer a few questions about how you accept cards and the free check computes your likely SAQ type on screen. No email to see it, no card, nothing to install. It’s indicative, not a QSA assessment, but it gives you a defensible starting point before you talk to your bank.

What disqualifies you: the adjacent-SAQ traps

Most wrong SAQ B submissions aren’t dishonesty. They’re a setup that changed, or a boundary nobody flagged. Four things to check before you attest:

Your terminal connects over the internet: that’s SAQ B-IP

The boundary between SAQ B and SAQ B-IP is the connection type, nothing more. Dial-out means the transaction travels over a telephone line. If your terminal reaches the processor through your router, an Ethernet cable, or Wi-Fi, it has an IP connection, and SAQ B-IP is the questionnaire written for standalone, PTS-approved terminals with an IP connection to the processor. Same standalone idea, different transport, and the questionnaire adds network-facing content to match. The practical tell: if you swapped the old phone-line terminal for one that uses your internet connection, your SAQ changed with it.

The terminal is wired into anything else: not standalone anymore

A terminal integrated with POS software, a till system, or anything else in your environment is no longer standalone, and neither SAQ B nor SAQ B-IP describes it. Payment-application systems connected to the internet point to SAQ C, and environments that fit no reduced SAQ land in SAQ D.

You take cards any other way

The word only fails quietly. A checkout page on your website points to SAQ A or SAQ A-EP. Staff keying phone orders into a processor-hosted page points to SAQ C-VT. If you accept cards through more than one channel, your validation can span more than one SAQ, and your acquiring bank tells you how to submit the whole picture.

Anything stores card data electronically: the SAQ D override

This one overrides everything else on the page. If any system you control stores cardholder data electronically, a database, a spreadsheet, an app log, a call recording, a scanned imprint slip saved to a drive, the reduced SAQs are off the table and SAQ D generally applies, whatever hardware sits on the counter. The reduced SAQs exist because you hold no electronic card data. Keep it that way and SAQ B stays available.

What you answer, at a high level

Every SAQ draws from the same standard: the 12 PCI DSS requirements, organized under six goals (secure networks and systems, protect account data, vulnerability management, access control, monitoring and testing, and an information security policy). You’re validating against PCI DSS v4.0: v3.2.1 retired on March 31, 2024, and v4.0’s future-dated requirements became mandatory on March 31, 2025.

A reduced SAQ covers fewer requirements because most of the standard can’t apply to an environment with no network carrying card data. For SAQ B, expect the questions to concentrate on things you can physically point to:

We deliberately don’t quote a question count: the exact set varies by SAQ version, so any specific number you read online deserves suspicion. The honest summary is that SAQ B is among the shortest SAQs because so little of the standard applies to a paper-and-phone-line environment.

How to confirm SAQ B is yours

Eligibility is defined by the PCI SSC, but the confirmation isn’t yours to make alone. Your acquiring bank or the card brands assign your validation level from your annual card volume and confirm which questionnaire they’ll accept. Most small and mid-size merchants validate with an SAQ; the highest-volume merchants go through a QSA-led Report on Compliance instead.

If your setup has a genuinely ambiguous edge, a terminal you can’t identify, a channel you’re not sure counts, a Qualified Security Assessor can rule on it formally. And if you want a defensible starting point before either conversation, our free check asks how you accept cards and computes your likely SAQ on screen in about two minutes, no email needed to see the result. It’s indicative, not a QSA assessment, and it’s built to make the bank conversation shorter.

Confirm your SAQ, then close the gaps.

The free check names your likely SAQ on screen in about two minutes. When you’re ready to act on it, the $1,495 PCI DSS v4.0 Readiness & Gap Analysis confirms your SAQ with full rationale, marks every one of the 12 PCI DSS v4.0 requirements covered, partial, or gap, and hands you a prioritized 30/60/90 remediation roadmap. Intake-based, PDF in your inbox within hours, backed by a 7-day pre-delivery money-back guarantee. The $1,495 also credits toward a first month of an Aegis AI subscription at ai4ciso.ai.

Frequently asked questions

What is SAQ B?

SAQ B is a PCI DSS Self-Assessment Questionnaire for merchants that accept cards only through imprint machines or standalone dial-out terminals and don’t store cardholder data electronically. Completing it ends in a signed Attestation of Compliance submitted to your acquiring bank or the card brands.

What is the difference between SAQ B and SAQ B-IP?

Connection type. SAQ B terminals dial out over a telephone line. SAQ B-IP is for standalone, PTS-approved terminals that connect to the processor over an IP network. Same standalone-terminal setup, different transport, different questionnaire.

My terminal uses the internet. Can I still use SAQ B?

Generally no. A terminal that reaches the processor over the internet or your network has an IP connection, which points to SAQ B-IP rather than SAQ B. Confirm the right questionnaire with your acquiring bank.

Do paper receipts and imprint slips disqualify me from SAQ B?

No. SAQ B assumes paper exists and asks how you protect, retain, and destroy it. The disqualifier is electronic storage of cardholder data, not paper.

What if I store card numbers in a spreadsheet or scanned file?

Electronic storage of cardholder data generally moves you to SAQ D, the full requirement set. That includes databases, spreadsheets, app logs, call recordings, and scanned slips saved electronically.

Who confirms which SAQ I complete?

Eligibility is defined by the PCI Security Standards Council, and your acquiring bank or card brand confirms which questionnaire to submit and your validation level. Our free check shows your likely SAQ on screen in about two minutes; it’s indicative, not a QSA assessment.

Related guides

This guide is general information, not a QSA assessment, a completed SAQ, an Attestation of Compliance, or legal advice. SAQ eligibility is defined by the PCI SSC and confirmed by your acquiring bank or a Qualified Security Assessor. Our free check is indicative, not a QSA assessment.