Guide · PCI DSS v4.0 · SAQ B-IP

SAQ B-IP: who qualifies, what it covers, and how to confirm it

SAQ B-IP sits one step up from SAQ B: same standalone terminals, different connection. It’s written for merchants whose only card acceptance runs on standalone, PTS-approved terminals with an IP connection to the processor, and who store no cardholder data electronically. Here’s who fits, the boundaries with SAQ B on one side and SAQ C on the other, and how to confirm it.

Plain-English · SAQ B-IP eligibility · Free 2-minute check

Most merchants land in SAQ B-IP the ordinary way: the old dial-up terminal got replaced with one that uses the store’s internet connection, and nobody mentioned that the questionnaire changed too. The setup still feels simple, a box on the counter that takes cards, but the transaction now rides your network, and PCI DSS accounts for that.

Who SAQ B-IP fits

SAQ B-IP is one of the eight PCI DSS Self-Assessment Questionnaires published by the PCI Security Standards Council (PCI SSC). Completing one ends in a signed Attestation of Compliance (AOC) that goes to your acquiring bank or the card brands. B-IP is the version for merchants whose entire card operation is standalone payment hardware talking to the processor over a network. It tends to sound like this:

The common thread: cardholder data moves from the customer’s card to a PTS-approved standalone device to the processor over an IP connection. Your computers never see it, no payment software runs in your environment, and nothing stores card numbers electronically. If that’s not quite your picture, the guide to all 8 SAQ types maps every acceptance pattern to its questionnaire.

The exact eligibility criteria

Per the PCI SSC’s SAQ Instructions and Guidelines for PCI DSS v4.0, SAQ B-IP is for merchants using only standalone, PTS-approved terminals with an IP connection to the payment processor, with no electronic storage of cardholder data. Each term earns its place:

The SAQ B-IP document opens with an eligibility checklist you attest to item by item, including how the terminals are set up and connected. Answer it against how things actually are, because your signature on the AOC says the checklist is true.

Find your SAQ free, in about 2 minutes.

Answer a few questions about how you accept cards and the free check computes your likely SAQ type on screen. No email to see it, no card, nothing to install. It’s indicative, not a QSA assessment, but it gives you a defensible starting point before you talk to your bank.

What disqualifies you: the adjacent-SAQ traps

SAQ B-IP has neighbors on both sides, and the differences are specific. Five things to check before you attest:

The terminal dials out over a phone line: that’s SAQ B

The boundary between SAQ B and SAQ B-IP is the connection type, nothing more. If the terminal reaches the processor over a telephone line rather than your network, SAQ B is the questionnaire written for it, and it carries less network-facing content because there’s no network in the card’s path. Mixed fleet? A dial-out terminal at one counter and an IP terminal at another is a multi-SAQ conversation for your acquiring bank.

Payment software in the path: that’s SAQ C territory

SAQ B-IP is hardware talking to the processor. The moment card processing runs through a payment-application system connected to the internet, POS software on a till, a checkout app on a tablet or PC, you’re describing SAQ C, not B-IP. Integration is the tell: a terminal wired into your POS is no longer standalone, and “standalone” is the load-bearing word in B-IP’s eligibility.

The device isn’t PTS-approved, or you can’t show that it is

B-IP’s eligibility is written around PTS-approved hardware. If the model can’t be matched to the PCI SSC’s approved-devices list, ask your processor before attesting. An aging or unbranded device is exactly the case to confirm rather than assume.

Your terminals are part of a P2PE solution: different door

If your terminals belong to a point-to-point encryption solution listed by the PCI SSC and you have no access to clear-text cardholder data, SAQ P2PE is the questionnaire written for that arrangement. It’s less a trap than an adjacent door: listed P2PE solution, P2PE questionnaire.

Other channels, or anything stored electronically

A checkout page on your website points to SAQ A or SAQ A-EP; keyed phone orders point to SAQ C-VT; more than one channel can mean your validation spans more than one SAQ. And the override that outranks all of it: if any system you control stores cardholder data electronically, a database, a spreadsheet, an app log, a call recording, the reduced SAQs are off the table and SAQ D generally applies.

What you answer, at a high level

Every SAQ draws from the same standard: the 12 PCI DSS requirements, organized under six goals (secure networks and systems, protect account data, vulnerability management, access control, monitoring and testing, and an information security policy). You’re validating against PCI DSS v4.0: v3.2.1 retired on March 31, 2024, and v4.0’s future-dated requirements became mandatory on March 31, 2025.

Compared with SAQ B, expect more network-facing content, because your terminals live on a network: how they connect, how that connection is protected, and how the terminal environment is kept separate from everything else you run. Alongside it, the same physical-world material:

We don’t quote question counts, because the exact set varies by SAQ version. The honest summary: B-IP asks more than SAQ B because a network is involved, and far less than SAQ D, because you run no payment software and store nothing.

How to confirm SAQ B-IP is yours

Eligibility is defined by the PCI SSC, but the confirmation isn’t yours to make alone. Your acquiring bank or the card brands assign your validation level from your annual card volume and confirm which questionnaire they’ll accept. Most small and mid-size merchants validate with an SAQ; the highest-volume merchants go through a QSA-led Report on Compliance instead.

If your setup has an ambiguous edge, a terminal you can’t match to the approved list, a network you’re not sure counts as separate, a Qualified Security Assessor can rule on it formally. And if you want a defensible starting point before either conversation, our free check asks how you accept cards and computes your likely SAQ on screen in about two minutes, no email needed to see the result. It’s indicative, not a QSA assessment, and it’s built to make the bank conversation shorter.

Confirm your SAQ, then close the gaps.

The free check names your likely SAQ on screen in about two minutes. When you’re ready to act on it, the $1,495 PCI DSS v4.0 Readiness & Gap Analysis confirms your SAQ with full rationale, marks every one of the 12 PCI DSS v4.0 requirements covered, partial, or gap, and hands you a prioritized 30/60/90 remediation roadmap. Intake-based, PDF in your inbox within hours, backed by a 7-day pre-delivery money-back guarantee. The $1,495 also credits toward a first month of an Aegis AI subscription at ai4ciso.ai.

Frequently asked questions

What is SAQ B-IP?

SAQ B-IP is a PCI DSS Self-Assessment Questionnaire for merchants that accept cards only through standalone, PTS-approved payment terminals with an IP connection to the payment processor, and that don’t store cardholder data electronically. Completing it ends in a signed Attestation of Compliance submitted to your acquiring bank or the card brands.

What is the difference between SAQ B and SAQ B-IP?

Connection type. SAQ B covers standalone terminals that dial out over a telephone line. SAQ B-IP covers standalone, PTS-approved terminals that reach the processor over an IP network, so it adds network-facing content the dial-out questionnaire doesn’t need.

What is the difference between SAQ B-IP and SAQ C?

Hardware versus software. SAQ B-IP is for standalone terminals that talk straight to the processor with no payment software in the path. SAQ C is for payment-application systems connected to the internet. A terminal integrated with POS software is no longer standalone, which is usually where the SAQ C conversation starts.

What does PTS-approved mean?

PTS is the PCI Security Standards Council’s device security program (PIN Transaction Security). Approved terminal models appear on the Council’s list of approved devices. Your payment processor or terminal supplier can confirm whether your model is approved.

My terminals share the network with our office computers. Is that still SAQ B-IP?

SAQ B-IP is written for standalone terminals that aren’t connected to other systems in your environment. How your terminals are set apart on the network is exactly the kind of eligibility question the SAQ’s checklist raises, so put your actual setup in front of your acquiring bank or a QSA before attesting.

Does storing card numbers electronically change my SAQ?

Yes. If any system you control stores cardholder data electronically, in a database, spreadsheet, app log, or call recording, the reduced SAQs are off the table and SAQ D generally applies.

Related guides

This guide is general information, not a QSA assessment, a completed SAQ, an Attestation of Compliance, or legal advice. SAQ eligibility is defined by the PCI SSC and confirmed by your acquiring bank or a Qualified Security Assessor. Our free check is indicative, not a QSA assessment.