Most merchants land in SAQ B-IP the ordinary way: the old dial-up terminal got replaced with one that uses the store’s internet connection, and nobody mentioned that the questionnaire changed too. The setup still feels simple, a box on the counter that takes cards, but the transaction now rides your network, and PCI DSS accounts for that.
Who SAQ B-IP fits
SAQ B-IP is one of the eight PCI DSS Self-Assessment Questionnaires published by the PCI Security Standards Council (PCI SSC). Completing one ends in a signed Attestation of Compliance (AOC) that goes to your acquiring bank or the card brands. B-IP is the version for merchants whose entire card operation is standalone payment hardware talking to the processor over a network. It tends to sound like this:
- “The terminals are on the broadband.” A café’s countertop terminal sends each transaction straight to the processor over the shop’s internet connection. No POS software ever touches the card.
- “We upgraded from dial-up years ago.” A hardware store swapped its phone-line terminals for Ethernet models and changed nothing else about how it takes cards.
- “Three lanes, three terminals, each on its own.” A grocer’s standalone terminals each talk to the processor directly; staff key the amount into the terminal itself.
- “Pay-at-table, same idea.” A restaurant’s wireless terminal rides the local network to the processor, standalone all the way.
The common thread: cardholder data moves from the customer’s card to a PTS-approved standalone device to the processor over an IP connection. Your computers never see it, no payment software runs in your environment, and nothing stores card numbers electronically. If that’s not quite your picture, the guide to all 8 SAQ types maps every acceptance pattern to its questionnaire.
The exact eligibility criteria
Per the PCI SSC’s SAQ Instructions and Guidelines for PCI DSS v4.0, SAQ B-IP is for merchants using only standalone, PTS-approved terminals with an IP connection to the payment processor, with no electronic storage of cardholder data. Each term earns its place:
- Only. Every card channel you have, across every location. Add a website checkout or a keyed virtual-terminal payment and your environment spans more than this one questionnaire.
- Standalone. The terminal is not connected to any other system you run: no POS integration, no inventory link, no back-office software. It talks to the processor and to nothing else.
- PTS-approved. The terminal model is validated under the PCI SSC’s PTS program (PIN Transaction Security) and appears on the Council’s approved-devices list. Your processor or terminal supplier can confirm your model’s status, and it’s worth getting that in writing, because the questionnaire is written around approved hardware.
- IP connection. Transactions travel to the processor over a network connection rather than a dial-out telephone line. That transport difference is the entire boundary with SAQ B.
- No electronic storage of cardholder data. No database, no spreadsheet, no card numbers in files, logs, or recordings. Paper receipts are expected and must be protected, but paper isn’t electronic storage.
The SAQ B-IP document opens with an eligibility checklist you attest to item by item, including how the terminals are set up and connected. Answer it against how things actually are, because your signature on the AOC says the checklist is true.
Find your SAQ free, in about 2 minutes.
Answer a few questions about how you accept cards and the free check computes your likely SAQ type on screen. No email to see it, no card, nothing to install. It’s indicative, not a QSA assessment, but it gives you a defensible starting point before you talk to your bank.
What disqualifies you: the adjacent-SAQ traps
SAQ B-IP has neighbors on both sides, and the differences are specific. Five things to check before you attest:
The terminal dials out over a phone line: that’s SAQ B
The boundary between SAQ B and SAQ B-IP is the connection type, nothing more. If the terminal reaches the processor over a telephone line rather than your network, SAQ B is the questionnaire written for it, and it carries less network-facing content because there’s no network in the card’s path. Mixed fleet? A dial-out terminal at one counter and an IP terminal at another is a multi-SAQ conversation for your acquiring bank.
Payment software in the path: that’s SAQ C territory
SAQ B-IP is hardware talking to the processor. The moment card processing runs through a payment-application system connected to the internet, POS software on a till, a checkout app on a tablet or PC, you’re describing SAQ C, not B-IP. Integration is the tell: a terminal wired into your POS is no longer standalone, and “standalone” is the load-bearing word in B-IP’s eligibility.
The device isn’t PTS-approved, or you can’t show that it is
B-IP’s eligibility is written around PTS-approved hardware. If the model can’t be matched to the PCI SSC’s approved-devices list, ask your processor before attesting. An aging or unbranded device is exactly the case to confirm rather than assume.
Your terminals are part of a P2PE solution: different door
If your terminals belong to a point-to-point encryption solution listed by the PCI SSC and you have no access to clear-text cardholder data, SAQ P2PE is the questionnaire written for that arrangement. It’s less a trap than an adjacent door: listed P2PE solution, P2PE questionnaire.
Other channels, or anything stored electronically
A checkout page on your website points to SAQ A or SAQ A-EP; keyed phone orders point to SAQ C-VT; more than one channel can mean your validation spans more than one SAQ. And the override that outranks all of it: if any system you control stores cardholder data electronically, a database, a spreadsheet, an app log, a call recording, the reduced SAQs are off the table and SAQ D generally applies.
What you answer, at a high level
Every SAQ draws from the same standard: the 12 PCI DSS requirements, organized under six goals (secure networks and systems, protect account data, vulnerability management, access control, monitoring and testing, and an information security policy). You’re validating against PCI DSS v4.0: v3.2.1 retired on March 31, 2024, and v4.0’s future-dated requirements became mandatory on March 31, 2025.
Compared with SAQ B, expect more network-facing content, because your terminals live on a network: how they connect, how that connection is protected, and how the terminal environment is kept separate from everything else you run. Alongside it, the same physical-world material:
- The terminals. Where the devices sit, and periodic checks that nobody has tampered with them or swapped one for a lookalike.
- The connection. How the terminals reach the processor and what keeps that traffic apart from your office computers, guest Wi-Fi, and everything else.
- The paper. Receipts with card data: where they live, who can reach them, how long you keep them, how they’re destroyed.
- The people. Who may use the terminals and handle card data, kept to those whose job needs it.
- The providers and the policy. Which third parties touch cardholder data on your behalf, with responsibilities in writing, and a security policy that matches what you actually do.
We don’t quote question counts, because the exact set varies by SAQ version. The honest summary: B-IP asks more than SAQ B because a network is involved, and far less than SAQ D, because you run no payment software and store nothing.
How to confirm SAQ B-IP is yours
Eligibility is defined by the PCI SSC, but the confirmation isn’t yours to make alone. Your acquiring bank or the card brands assign your validation level from your annual card volume and confirm which questionnaire they’ll accept. Most small and mid-size merchants validate with an SAQ; the highest-volume merchants go through a QSA-led Report on Compliance instead.
If your setup has an ambiguous edge, a terminal you can’t match to the approved list, a network you’re not sure counts as separate, a Qualified Security Assessor can rule on it formally. And if you want a defensible starting point before either conversation, our free check asks how you accept cards and computes your likely SAQ on screen in about two minutes, no email needed to see the result. It’s indicative, not a QSA assessment, and it’s built to make the bank conversation shorter.
Confirm your SAQ, then close the gaps.
The free check names your likely SAQ on screen in about two minutes. When you’re ready to act on it, the $1,495 PCI DSS v4.0 Readiness & Gap Analysis confirms your SAQ with full rationale, marks every one of the 12 PCI DSS v4.0 requirements covered, partial, or gap, and hands you a prioritized 30/60/90 remediation roadmap. Intake-based, PDF in your inbox within hours, backed by a 7-day pre-delivery money-back guarantee. The $1,495 also credits toward a first month of an Aegis AI subscription at ai4ciso.ai.
Frequently asked questions
What is SAQ B-IP?
SAQ B-IP is a PCI DSS Self-Assessment Questionnaire for merchants that accept cards only through standalone, PTS-approved payment terminals with an IP connection to the payment processor, and that don’t store cardholder data electronically. Completing it ends in a signed Attestation of Compliance submitted to your acquiring bank or the card brands.
What is the difference between SAQ B and SAQ B-IP?
Connection type. SAQ B covers standalone terminals that dial out over a telephone line. SAQ B-IP covers standalone, PTS-approved terminals that reach the processor over an IP network, so it adds network-facing content the dial-out questionnaire doesn’t need.
What is the difference between SAQ B-IP and SAQ C?
Hardware versus software. SAQ B-IP is for standalone terminals that talk straight to the processor with no payment software in the path. SAQ C is for payment-application systems connected to the internet. A terminal integrated with POS software is no longer standalone, which is usually where the SAQ C conversation starts.
What does PTS-approved mean?
PTS is the PCI Security Standards Council’s device security program (PIN Transaction Security). Approved terminal models appear on the Council’s list of approved devices. Your payment processor or terminal supplier can confirm whether your model is approved.
My terminals share the network with our office computers. Is that still SAQ B-IP?
SAQ B-IP is written for standalone terminals that aren’t connected to other systems in your environment. How your terminals are set apart on the network is exactly the kind of eligibility question the SAQ’s checklist raises, so put your actual setup in front of your acquiring bank or a QSA before attesting.
Does storing card numbers electronically change my SAQ?
Yes. If any system you control stores cardholder data electronically, in a database, spreadsheet, app log, or call recording, the reduced SAQs are off the table and SAQ D generally applies.
Related guides
This guide is general information, not a QSA assessment, a completed SAQ, an Attestation of Compliance, or legal advice. SAQ eligibility is defined by the PCI SSC and confirmed by your acquiring bank or a Qualified Security Assessor. Our free check is indicative, not a QSA assessment.