How to complete SAQ B

SAQ B is a PCI compliance questionnaire designed for merchants who process card transactions using standalone, dial-out terminals that connect via a phone line.

How do I start? 

Paystri has partnered with SecureTrust to provide you with the tools to complete the SAQ online, as well as to schedule any necessary scans. You should receive an email when it's time to attest to your annual compliance. You will need to log in to the SecureTrust Portal.

If this is your first time completing your PCI SAQ, you will need to complete your business profile. You only need to do this once; the information is saved for next year, and you can simply update it if something has changed.

Select Manage on the business profile section to begin. 

You will be taken to a page detailing the next steps. Click Next until you are asked to pick an assessment method. Choose Expert then click Next.

You will need to select your PCI DSS compliance assessment type. For CCI merchants, choose type B-IP: card-present using stand-alone terminals that fully outsource all cardholder data functions to a PCI DSS validated third-party service provider.

Third Party payment service providers

When asked if your company shares cardholder data with third-party providers or uses more than one acquirer, answer "No."

Next, it will ask if you enforce a minimum password length of seven characters. Answer "Yes."

Third Party Managed System Service Providers

When asked if your company has relationships with one or more third-party service providers that manage system components, answer "No."

Other Third Party Service Providers that may impact card data security

When asked if your company has relationships with other third-party service providers, answer "No."

When you arrive at the summary page, hover over the orange question marks for additional details on each description box. See below for some examples of what information to include.

Your next steps

Once you've completed the above steps, your next step is to complete your PCI compliance questionnaire.

Completing your Security Assessment Questionnaire

The answers you provide on the business profile will determine which Self Assessment Questionnaire (SAQ) you need to complete. The answers you have already provided are used to fill out the SAQ as thoroughly as possible, though there are likely to still be a handful of questions you will need to answer.

On your dashboard, under the Complete security assessment section, select Manage, then choose Answer Now. 

The rest of the questions will be about your specific business practices, computer use and security, and physical security. If you need clarification on a question, there will be a blue information box with additional details. You can also call SecureTrust at 1-800-363-1621 for assistance.

What to Expect When Completing PCI SAQ B

Questions are divided into seven sections. The SAQ B is designed for merchants using stand-alone terminals who have outsourced all cardholder data functions to third-party service providers. You should be answering "Yes" to most, if not all, questions, indicating compliance with the PCI DSS requirements. Below is a guide on how to approach the questions, and why you should answer "Yes" to each question.

This is what the opening dashboard looks like; you will notice it lists the number of questions in each section. As you go through each section, it is good practice to check that every question in that section has been answered before moving to the next.

Protect Account Data

Question 3.1.1

Why You Should Answer "Yes"

  • Documented: To ensure everyone understands what the policies and procedures are.
  • Kept up to date: Policies and procedures change over time so they must be kept up to date.
  • In use: The required policies and procedures must be followed at all times.
  • Known to all affected parties: This is to ensure everyone is on the same page, so to speak.

Properly securing offline backups ensures data safety and PCI DSS compliance.

Question 3.3.1

Why You Should Answer "Yes"

  • SAD is not retained after authorization: All SAD is stored at the network so there is no reason to retain it after the authorization.

These practices enhance data protection and ensure PCI DSS compliance.

Question 3.3.1.1

Why You Should Answer "Yes"

  • The full contents of any track are not retained upon completion of the authorization process: All track data is stored at the network so there is no reason to retain it after the authorization.

These practices enhance data protection and ensure PCI DSS compliance.

Question 3.3.1.2

Why You Should Answer "Yes"

  • The card verification code is not retained after the authorization process: The card verification code is part of the SAD so it is never retained.

These practices protect cardholder data during transit and ensure PCI DSS compliance.

Question 3.3.1.3

Why You Should Answer "Yes"

  • The personal identification number (PIN) and PIN block are not retained after authorization: The PIN and PIN block are also parts of the SAD and are never retained.

These practices ensure oversight and security, maintaining PCI DSS compliance.

Question 3.4.1

Why You Should Answer "Yes"

  • PAN is masked when displayed (The BIN and last 4 digits are the only things allowed to be displayed) such that only personnel with a legitimate business need can see more than the BIN and last 4: By limiting the number of people with access to SAD, we are minimizing the risks of a breach.

These practices ensure data is irrecoverable and maintain PCI DSS compliance.
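As an added illustration, not part of the original guide, the following Python code applies the masking rule from 3.4.1: only the BIN and the last four digits are shown, and the full PAN is returned only to a role with a documented business need. The role name, the 16-digit-or-longer guard for an 8-digit BIN, and the sample PANs are assumptions constructed for the example.

```python
import re

# Roles assumed, for this example, to have a documented business need to see the full PAN.
# Constructed for the example; a real merchant would take this from its written policy.
FULL_PAN_ROLES = {"chargeback_analyst"}


def normalize_pan(pan: str) -> str:
    """Strip spaces and dashes and check the result looks like a PAN (13 to 19 digits)."""
    digits = re.sub(r"[ -]", "", pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("not a valid PAN: wrong length or non-digit characters")
    return digits


def mask_pan(pan: str, bin_length: int = 6) -> str:
    """Return the PAN with everything between the BIN and the last four digits masked.

    PCI DSS 3.4.1 allows at most the BIN and the last four digits to be displayed.
    This example assumes an 8-digit BIN may only be shown for PANs of 16 or more
    digits and otherwise falls back to 6 (a 6-digit BIN always satisfies the rule).
    """
    digits = normalize_pan(pan)
    if bin_length not in (6, 8):
        raise ValueError("BIN length must be 6 or 8")
    if bin_length == 8 and len(digits) < 16:
        bin_length = 6
    hidden = len(digits) - bin_length - 4
    return digits[:bin_length] + "*" * hidden + digits[-4:]


def display_pan(pan: str, role: str) -> str:
    """Show the full PAN only to a role with a business need; mask it for everyone else."""
    digits = normalize_pan(pan)
    if role in FULL_PAN_ROLES:
        return digits
    return mask_pan(digits)


if __name__ == "__main__":
    sample = "4111 1111 1111 1111"  # constructed test PAN, not a real card number
    print(display_pan(sample, "cashier"))             # 411111******1111
    print(display_pan(sample, "chargeback_analyst"))  # 4111111111111111
```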

Implement Strong Access Control Measures

Question 7.2.2

Question 9.4.1

Why You Should Answer "Yes"

  • All media with cardholder data is physically secured: Controls for physically securing media are intended to prevent unauthorized persons from gaining access to cardholder data on any media. Cardholder data is susceptible to unauthorized viewing, copying, or scanning if it is unprotected while it is on removable or portable media, printed out, or left on someone’s desk.

These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.

Question 9.4.1.1

Why You Should Answer "Yes"

  • Offline media backups with cardholder data are stored in a secure location: For secure storage of backup media, a good practice is to store media in an off-site facility, such as an alternate or backup site or commercial storage facility.

These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.

Question 9.4.2

Why You Should Answer "Yes"

  • All media with cardholder data is classified in accordance with the sensitivity of the data: Media not identified as confidential may not be adequately protected or may be lost or stolen.

These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.

Question 9.4.3

Why You Should Answer "Yes"

  • Media is sent by secured courier or other delivery method that can be accurately tracked: The use of secure couriers to deliver any media that contains cardholder data allows organizations to use their tracking systems to maintain inventory and location of shipments.

These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.

Question 9.4.4

Why You Should Answer "Yes"

  • Management approves all media with cardholder data that is moved outside the facility (including when media is distributed to individuals): Without a firm process for ensuring that all media movements are approved before the media is removed from secure areas, the media would not be tracked or appropriately protected, and its location would be unknown, leading to lost or stolen media.

These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.

Question 9.4.6

Why You Should Answer "Yes"

  • Materials are cross-cut shredded, incinerated, or pulped so cardholder data cannot be reconstructed: If steps are not taken to destroy information contained on hard-copy media before disposal, malicious individuals may retrieve information from the disposed media, leading to a data compromise.
  • Materials are stored in secure storage containers prior to destruction: Securing storage containers used for materials that are going to be destroyed prevents sensitive information from being captured while the materials are being collected.

These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.

Question 9.5.1

Why You Should Answer "Yes"

  • Maintaining a list of POI devices: By maintaining a list of POI devices, you can clearly see if an unauthorized POI has been placed.
  • Periodically inspecting POI devices to look for tampering or unauthorized substitution: Inspecting the POI devices can detect if they have been tampered with, rendering them unsecured.
  • Training personnel to be aware of suspicious behavior and to report tampering or unauthorized substitution of devices: By training personnel to be aware of suspicious behavior, it is harder for malicious individuals to tamper with POI devices.

These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.

Question 9.5.1.1

Why You Should Answer "Yes"

  • Make and model of the device: The method for maintaining a list of devices may be automated (for example, a device management system) or manual (for example, documented in electronic or paper records).
  • Location of the device: Methods to maintain device locations include identifying the address of the site or facility where the device is located.
  • Device serial number or other methods of unique identification: Keeping a list of the device serial number and other unique identifiers allows you to determine if a device was switched out or has gone missing.

These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.

Question 9.5.1.2

Why You Should Answer "Yes"

  • POI device surfaces are periodically inspected to detect tampering or unauthorized substitution: Methods for periodic inspection include checking the serial number or other device characteristics and comparing the information to the list of POI devices to verify the device has not been swapped with a fraudulent device.

These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.
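An added example, not from the original guide, showing how the device list from 9.5.1.1 (make, model, location, serial) can be checked against a periodic inspection as described in 9.5.1.2: each serial read off a device is compared to the list, so that listed devices that are missing, unlisted serials (a possible unauthorized substitution), and devices found at the wrong location are flagged for reporting. The makes, models, locations and serial numbers are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PoiDevice:
    """One entry in the POI device list required by 9.5.1.1."""
    make: str
    model: str
    location: str
    serial: str


# Constructed sample inventory; makes, models and serial numbers are made up.
INVENTORY = [
    PoiDevice("ExampleCo", "T-100", "Front counter", "SN-0001"),
    PoiDevice("ExampleCo", "T-100", "Back office", "SN-0002"),
    PoiDevice("ExampleCo", "T-200", "Drive-through", "SN-0003"),
]


def reconcile(inventory, observed):
    """Compare a periodic inspection against the device list (9.5.1.2).

    observed is a list of (location, serial) pairs read off the devices during
    the inspection. Returns a dict with four lists:
      ok        - serials found where the list says they should be
      missing   - listed serials not seen anywhere (lost or stolen device)
      unknown   - observed serials not on the list (possible unauthorized substitution)
      relocated - listed serials found at a different location than recorded
    """
    by_serial = {d.serial: d for d in inventory}
    seen = set()
    report = {"ok": [], "missing": [], "unknown": [], "relocated": []}
    for location, serial in observed:
        seen.add(serial)
        device = by_serial.get(serial)
        if device is None:
            report["unknown"].append((location, serial))
        elif device.location != location:
            report["relocated"].append((serial, device.location, location))
        else:
            report["ok"].append(serial)
    report["missing"] = sorted(set(by_serial) - seen)
    report["ok"].sort()
    return report


def needs_escalation(report):
    """True when the inspection found anything that must be reported under 9.5.1.3."""
    return bool(report["missing"] or report["unknown"] or report["relocated"])


if __name__ == "__main__":
    # Constructed inspection: the back-office terminal has been swapped for an unlisted unit.
    inspection = [
        ("Front counter", "SN-0001"),
        ("Back office", "SN-9999"),
        ("Drive-through", "SN-0003"),
    ]
    result = reconcile(INVENTORY, inspection)
    print(result)
    print("escalate:", needs_escalation(result))
```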

Question 9.5.1.3

Why You Should Answer "Yes"

  • Verifying the identity of any third-party persons claiming to be repair or maintenance personnel, before granting them access to modify or troubleshoot devices: All third parties requesting access to devices should always be verified before being provided access—for example, by checking with management or phoning the POI maintenance company, such as the vendor or acquirer, for verification. 
  • Procedures to ensure devices are not installed, replaced, or returned without verification: Inspecting the POI devices can detect if they have been tampered with, rendering them unsecured.
  • Being aware of suspicious behavior around devices: Suspicious behavior that personnel should be aware of includes attempts by unknown persons to unplug or open devices.
  • Reporting suspicious behavior and indications of tampering or substitution to appropriate personnel: Another trick that criminals use is to send a “new” POI device with instructions for swapping it with a legitimate device and “returning” the legitimate device. The criminals may even provide return postage to their specified address. Therefore, personnel should always verify with their manager or supplier that the device is legitimate and came from a trusted source before installing it or using it for business.

These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.

Maintain an Information Security Policy

Question 12.1.1

Why You Should Answer "Yes"

**This is managed by the Gateway and requires no action on your part. Please answer yes.**

  • Established: The security policy for the organization identifies the purpose, scope, accountability, and information that clearly defines the organization’s position regarding information security.
  • Published: The organization's security policies must be kept published to all affected parties, both internally and externally.
  • Maintained: The security policy for the organization may change over time and must be updated in all published forms.
  • Disseminated to all relevant personnel, as well as to relevant vendors and business partners: It is important that all relevant personnel within the organization, as well as relevant third parties, vendors, and business partners are aware of the organization’s information security policy and their responsibilities for protecting information assets.

These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.

Question 12.1.2

Why You Should Answer "Yes"

**This is managed by the Gateway and requires no action on your part. Please answer yes.**

  • Reviewed at least once every 12 months: The information security policy for the organization should be reviewed annually at a minimum.
  • Updated as needed to reflect changes to business objectives or risks to the environment: The organization's security policies must be updated to reflect changes in business objectives or risks to the environment.

These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.

You will be asked to document when you last completed this task as noted in the screenshot below. Click on the calendar and select the 1st of the current month. Then select finish.

Question 12.1.3

Why You Should Answer "Yes"

**This is managed by the Gateway and requires no action on your part. Please answer yes.**

  • The security policy clearly defines information security roles and responsibilities for all personnel, and all personnel are aware of and acknowledge their information security responsibilities: Without clearly defined security roles and responsibilities assigned, there could be misuse of the organization’s information assets or inconsistent interaction with information security personnel, leading to insecure implementation of technologies or use of outdated or insecure technologies.

These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.

Question 12.6.1

Why You Should Answer "Yes"

**This is managed by the Gateway and requires no action on your part. Please answer yes.**

  • A formal security awareness program is implemented to make all personnel aware of the entity's information security policy and procedures, and their role in protecting the cardholder data: If personnel are not educated about their company’s information security policies and procedures and their own security responsibilities, security safeguards and processes that have been implemented may become ineffective through unintentional errors or intentional actions.

These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.

Question 12.8.1

Why You Should Answer "Yes"

**This is managed by the Gateway and requires no action on your part. Please answer yes.**

  • A list of all third-party service providers (TPSPs) with which account data is shared or that could affect the security of account data is maintained, including a description for each of the services provided: Maintaining a list of all TPSPs identifies where potential risk extends outside the organization and defines the organization’s extended attack surface.

These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.

Question 12.8.2

Why You Should Answer "Yes"

**This is managed by the Gateway and requires no action on your part. Please answer yes.**

  • Written agreements are maintained with all TPSPs with which account data is shared or that could affect the security of the CDE: The written acknowledgment from a TPSP demonstrates its commitment to maintaining proper security of account data that it obtains from its customers and that the TPSP is fully aware of the assets that could be affected during the provisioning of the TPSP's service.
  • Written agreements include acknowledgments from TPSPs that they are responsible for the security of account data the TPSPs possess or otherwise store, process, or transmit on behalf of the entity, or to the extent that they could impact the security of the entity's CDE: The extent to which a specific TPSP is responsible for the security of account data will depend on the service provided and the agreement between the provider and the assessed entity (the customer). In conjunction with Requirement 12.9.1, this requirement is intended to promote a consistent level of understanding between parties about their applicable PCI DSS responsibilities.

These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.

Question 12.8.3

Why You Should Answer "Yes"

**This is managed by the Gateway and requires no action on your part. Please answer yes.**

  • An established process is implemented for engaging TPSPs, including proper due diligence prior to engagement: Specific due-diligence processes and goals will vary for each organization. Elements that should be considered include the provider’s reporting practices, breach-notification and incident response procedures, details of how PCI DSS responsibilities are assigned between each party, how the TPSP validates their PCI DSS compliance and what evidence they provide.

These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.

Question 12.8.4

Why You Should Answer "Yes"

**This is managed by the Gateway and requires no action on your part. Please answer yes.**

  • A program is implemented to monitor TPSPs’ PCI DSS compliance status at least once every 12 months: All merchants need to confirm their PCI DSS compliance every 12 months to ensure the security of cardholder data.

These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.

You will be asked to document when you last completed this task as noted in the screenshot below. Click on the calendar and select the 1st of the current month. Then select finish.

Question 12.8.5

Why You Should Answer "Yes"

**This is managed by the Gateway and requires no action on your part. Please answer yes.**

  • Information is maintained about which PCI DSS requirements are managed by each TPSP, which are managed by the entity, and any that are shared between the TPSP and the entity: Entities can document these responsibilities via a matrix that identifies all applicable PCI DSS requirements and indicates for each requirement whether the entity or TPSP is responsible for meeting that requirement or whether it is a shared responsibility.

These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.

Question 12.10.1

Why You Should Answer "Yes"

**This is managed by the Gateway and requires no action on your part. Please answer yes.**

  • Roles, responsibilities, and communication and contact strategies in the event of a suspected or confirmed security incident, including notification of payment brands and acquirers, at a minimum: It is important to keep the plan up to date with current contact information of all individuals designated as having a role in incident response.
  • Incident response procedures with specific containment and mitigation activities for different types of incidents: Entities should consider how to address all compromises of data within the CDE in their incident response plans, including to account data, wireless encryption keys, encryption keys used for transmission and storage of account data or cardholder data, etc.
  • Business recovery and continuity procedures: The incident response plan should be thorough and contain all the key elements for stakeholders (for example, legal, communications) to allow the entity to respond effectively in the event of a breach that could impact account data.
  • Data backup processes: A formal data backup process approved by management should be in place at all times.
  • Analysis of legal requirements for reporting compromises: Entities should consider how to address all compromises of data within the CDE in their incident response plans, including to account data, wireless encryption keys, encryption keys used for transmission and storage of account data or cardholder data, etc.
  • Coverage and responses of all critical system components: It is important to keep the plan up to date with current contact information of all individuals designated as having a role in incident response. Other relevant parties for notifications may include customers, financial institutions (acquirers and issuers), and business partners.
  • Reference or inclusion of incident response procedures from the payment brands: A good practice is to always include the incident response procedures from the payment brands (Visa, Mastercard, Discover, and American Express).

These practices ensure effective response to security incidents, maintaining compliance and minimizing impact.

Now that you have answered all of the questions, you will see the screen below. Select Next to move to the page where you confirm your compliance.

On this page, fill in the highlighted areas, then scroll to the bottom of the page and select Confirm your attestation.

You will then see the screen below showing you are now PCI compliant for the next 12 months. Congratulations!!!